opendesk/docs/enhanced-configuration/self-signed-certificates.md

Self-signed certificate and custom Certificate Authority (CA)

This page covers deploying openDesk into an environment with a custom public key infrastructure (PKI) whose certificate authority is not part of the public CA chains, or into a local cluster where an ACME challenge cannot be completed.

Configuration

There are two options to address the use case.

Option 1: Bring Your Own Certificate

This option is useful when you have your own PKI in your environment and it is trusted by all clients that will access openDesk.

  1. Disable cert-manager.io certificate resource creation:

    certificates:
      enabled: false
    
  2. Enable mount of self-signed certificates:

    certificate:
      selfSigned: true
    
  3. Create a Kubernetes secret named opendesk-certificates-tls of type kubernetes.io/tls containing either a valid wildcard certificate or a certificate that lists every required subdomain as a Subject Alternative Name (SAN).

  4. Create a Kubernetes secret named opendesk-certificates-ca-tls of type kubernetes.io/tls containing the custom CA certificate both as an X.509 certificate (key ca.crt) and as a JKS trust store (key truststore.jks).

  5. Create a Kubernetes secret named opendesk-certificates-keystore-jks with the key password, whose value is the password of the JKS trust store.
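A mistake that is easy to make in step 3 is a certificate whose SANs do not actually cover every openDesk hostname: a wildcard such as *.example.com matches exactly one label, so it covers portal.example.com but neither example.com nor mail.portal.example.com. The following added example (not part of the openDesk documentation or project) checks a PEM certificate against the list of hostnames before the opendesk-certificates-tls secret is created; it assumes openssl is on the PATH and that the hostnames are known to the operator.

```shell
#!/bin/sh
# Usage: check_cert_hosts server.crt portal.example.com ox.example.com ...
# Prints every hostname the certificate does not cover and exits non-zero.
# Assumption (not from the docs): openssl is installed; the certificate is PEM.

# san_covers "SAN_LIST" HOST -> 0 if one DNS SAN in the whitespace-separated
# list (openssl "DNS:name" form) covers HOST, else 1. A wildcard only covers
# a single leftmost label (RFC 6125 rules).
san_covers() {
  sc_host=$2
  for sc_san in $1; do
    case $sc_san in
      DNS:*) sc_name=${sc_san#DNS:} ;;
      *) continue ;;                 # skip IP:, email:, URI: entries
    esac
    [ "$sc_name" = "$sc_host" ] && return 0      # exact match
    case $sc_name in
      '*.'*)
        sc_suffix=${sc_name#\*.}
        sc_label=${sc_host%%.*}
        # HOST must be <one label>.<suffix>; "${sc_host#*.}" strips that label
        if [ "$sc_label" != "$sc_host" ] && [ -n "$sc_label" ] \
           && [ "${sc_host#*.}" = "$sc_suffix" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

# missing_hosts "SAN_LIST" HOST... -> prints uncovered hosts, exit 1 if any.
missing_hosts() {
  mh_sans=$1; shift; mh_rc=0
  for mh_h in "$@"; do
    san_covers "$mh_sans" "$mh_h" || { echo "$mh_h"; mh_rc=1; }
  done
  return $mh_rc
}

# cert_sans FILE -> the certificate's SAN entries, one per line (needs openssl).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# check_cert_hosts FILE HOST... -> glue: read SANs from the file, then check.
check_cert_hosts() {
  cc_file=$1; shift
  missing_hosts "$(cert_sans "$cc_file" | tr '\n' ' ')" "$@"
}
```

The same SAN logic applies to the CA-signed certificate in Option 2, where cert-manager fills the SANs from the issuerRef configuration rather than from a file you supply.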

Option 2: Use cert-manager.io

This option is useful when you do not have a trusted certificate available and cannot obtain one from Let's Encrypt.

  1. Create self-signed cert-manager.io Cluster Issuer:

    apiVersion: "cert-manager.io/v1"
    kind: "ClusterIssuer"
    metadata:
      name: "selfsigned-issuer"
    spec:
      selfSigned: {}
    
  2. Enable mount and creation of self-signed certificates:

    certificate:
      issuerRef:
        name: "selfsigned-issuer"
      selfSigned: true