TLS certificates

The entire Science Platform uses the same external hostname and relies on NGINX merging all the ingresses into a single virtual host with a single TLS configuration. As discussed in Hostnames and TLS, TLS for the Science Platform can be configured with either a default certificate in ingress-nginx or through Let’s Encrypt with the DNS solver.

If an installation is using Let’s Encrypt with the DNS solver, no further configuration of the NGINX ingress is required. See cert-manager for setup information.

When using a commercial certificate, that certificate should be configured in the values-*.yaml for ingress-nginx for that environment. Specifically, add the following under ingress-nginx.controller:

extraArgs:
  default-ssl-certificate: "ingress-nginx/ingress-certificate"

And at the top level, add:

vaultCertificate:
  enabled: true

Then, in the Vault key named ingress-nginx in the Vault enclave for that environment, store the commercial certificate. The Vault secret must have two keys: tls.crt and tls.key. The first must contain the full public certificate chain. The second must contain the private key (without a passphrase).
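Before writing the secret into Vault, it is worth checking that it has the shape ingress-nginx expects, since a missing intermediate or a passphrase-protected key only shows up later as a failed TLS handshake or a controller that falls back to its self-signed certificate. The following is an added example, not Phalanx code; it checks the structure described above (exactly the keys tls.crt and tls.key, tls.crt a multi-certificate PEM chain, tls.key a single unencrypted private key). The PEM bodies in the sample are constructed placeholders, and leaf-first ordering of the chain is not verified.

```python
"""Structural pre-flight checks for the ingress-nginx Vault secret (added example)."""
import re

# Matches one PEM block and captures its label (e.g. CERTIFICATE) and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return the (label, body) PEM blocks of ``text`` in order of appearance."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_ingress_secret(secret):
    """Return a list of problems with the secret; an empty list means it is usable."""
    problems = []
    if set(secret) != {"tls.crt", "tls.key"}:
        return ["secret must have exactly the keys tls.crt and tls.key"]
    certs = pem_blocks(secret["tls.crt"])
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        problems.append("tls.crt must contain only CERTIFICATE blocks")
    elif len(certs) < 2:
        problems.append("tls.crt holds a single certificate; the full chain is required")
    keys = pem_blocks(secret["tls.key"])
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("tls.key must contain exactly one PRIVATE KEY block")
    elif keys[0][0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in secret["tls.key"]:
        # PKCS#8 encrypted keys and legacy PEM keys with a DEK header both need a passphrase.
        problems.append("tls.key is passphrase-protected; an unencrypted key is required")
    return problems


# Constructed sample secrets with placeholder bodies (not real key material).
GOOD_SECRET = {
    "tls.crt": "-----BEGIN CERTIFICATE-----\nLEAFBASE64\n-----END CERTIFICATE-----\n"
               "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBASE64\n-----END CERTIFICATE-----\n",
    "tls.key": "-----BEGIN PRIVATE KEY-----\nKEYBASE64\n-----END PRIVATE KEY-----\n",
}
ENCRYPTED_KEY_SECRET = {
    "tls.crt": GOOD_SECRET["tls.crt"],
    "tls.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nKEYBASE64\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, secret in (("good", GOOD_SECRET), ("encrypted", ENCRYPTED_KEY_SECRET)):
        print(name, check_ingress_secret(secret) or "ok")
```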

For an example of an environment configured this way, see /applications/ingress-nginx/values-minikube.yaml.