Certificates

Certificates are required in the following scenarios:

Kubeark Identity generates a self-signed certificate on the first start, which is valid for 1 year and can be used as a default for all OAuth2/OIDC providers. This certificate is also usable for SAML providers/sources, although it should be rotated regularly since some SAML applications require valid certificates. Kubeark allows users to generate a longer-validity certificate for SAML use-cases.

Kubeark allows for the use of externally managed certificates through the discovery feature. For docker-compose installations, the /certs directory can be used as an output directory for certbot. For Kubernetes, custom secrets/volumes can be mapped under /certs. Single files can also be bind-mounted into the folder following a specific naming schema. Files in the root directory will be imported as certificate or private key based on their filename and contents. If the file is named fullchain.pem or privkey.pem, they will get the name of the parent folder. Files can have any arbitrary file structure and extension, but if the path contains "archive," the files will be ignored to better support certbot setups.

Certificates can also be imported manually. To do so, run the following command within the worker container

The default webserver certificate can be configured if you wish to create a very compact and self-contained install.

Step 1: Encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called docker-compose.override.yml in the same folder as the docker-compose file)

Step 2: run docker-compose up -d, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your identity interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).