
Comments (7)

pksrc commented on May 30, 2024

Updating the Certificate on VEBA

 
The default certificates for OpenFaaS (/ui), the EventBridge (/stats) and the other web endpoints running on VEBA are self-signed. This might cause browsers to show the certificate as untrusted and would require you to specify the --no-tls-verify flag when working with faas-cli. We understand that this may be an inconvenience or unacceptable to some of our customers.
 
In order to replace the certificates with a certificate from a trusted authority, please follow the steps outlined below.
 
Assumptions

  • Access to the VEBA
  • Certificates from a trusted authority
    • The public/private key pair must exist beforehand. The public key certificate must be .PEM encoded and match the given private key.

Steps

  • Run the commands below to update the certificate on VEBA:

    cd /folder/certs/location
    CERT_NAME=eventrouter-tls
    KEY_FILE=vebaof.pem
    CERT_FILE=vebaof.cer

    # recreate the TLS secret
    kubectl --kubeconfig /root/.kube/config -n vmware delete secret "${CERT_NAME}"
    kubectl --kubeconfig /root/.kube/config -n vmware create secret tls "${CERT_NAME}" --key "${KEY_FILE}" --cert "${CERT_FILE}"

    # reapply the config so the new certificate is picked up
    kubectl --kubeconfig /root/.kube/config apply -f /root/ingressroute-gateway.yaml

This video shows the steps being run on a lab environment and successfully updating the certs for a VEBA setup with OpenFaaS - https://youtu.be/7oMCvxvL2ns

from vcenter-event-broker-appliance.
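
A pre-flight check for the procedure above, as an added example that is not part of the original comment or the VEBA project: it verifies the two assumptions (PEM-encoded certificate, certificate matching the private key) plus expiry before the existing secret is deleted, so a bad pair never leaves the appliance without a TLS secret. The function names check_tls_pair and replace_veba_tls_secret are hypothetical; the secret name, namespace and paths are the ones used in the comment.

```shell
# Added example: validate the certificate/key pair before touching the secret.
# Return codes: 0 ok, 2 bad certificate, 3 bad key, 4 mismatch, 5 expired.
check_tls_pair() {   # usage: check_tls_pair CERT_FILE KEY_FILE
  local cert=$1 key=$2 cert_pub key_pub
  # The certificate must be PEM text, not DER or PKCS#12.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
    { echo "certificate is not PEM encoded: $cert" >&2; return 2; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot parse certificate: $cert" >&2; return 2; }
  # An encrypted key fails here on purpose: the TLS secret needs a plain key.
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
    { echo "cannot read private key (encrypted or not PEM?): $key" >&2; return 3; }
  # Both commands print the public key as PEM, so a string compare is enough.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "certificate does not match private key" >&2; return 4; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has already expired" >&2; return 5; }
}

# Runs the commands from the comment above only if the pair passes the checks.
replace_veba_tls_secret() {   # usage: replace_veba_tls_secret CERT_FILE KEY_FILE
  local kc=/root/.kube/config name=eventrouter-tls
  check_tls_pair "$1" "$2" || return
  kubectl --kubeconfig "$kc" -n vmware delete secret "$name"
  kubectl --kubeconfig "$kc" -n vmware create secret tls "$name" \
    --key "$2" --cert "$1" &&
    kubectl --kubeconfig "$kc" apply -f /root/ingressroute-gateway.yaml
}
```

On the appliance this would be called as replace_veba_tls_secret vebaof.cer vebaof.pem from the directory holding the files.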

lamw commented on May 30, 2024

Thanks for the feedback. Regarding custom certificates, this certainly makes sense, especially from a security point of view and not having to disable TLS checking when deploying functions.

Having said that, this is currently a Fling, and we have a finite amount of resources and have to prioritize where we spend our time to ensure we get feedback on the overall solution. Is not having the ability to deploy your own custom certificates a blocker from trying out VEBA, or is this more of an ask for Production deployment? We can certainly investigate #1 to see if it's possible to update the certificates post-deployment (@embano1 to comment), but wanted to understand if this is completely blocking you from trying out VEBA (which we recommend doing in a development environment).


meyeaard commented on May 30, 2024


lamw commented on May 30, 2024

Awesome Aaron, let us know how testing goes in your lab! I'd also like to mention we've got a temp Product Manager for VEBA. If you'd like to have a more in-depth conversation on the things you'd like to see (if) VEBA gets productized, we'd certainly welcome the feedback, as well as anything else you see from the current Fling to make it more usable. Just let me know and we can connect offline.


pksrc commented on May 30, 2024

Aaron, I'm the PM for VEBA and I'd be happy to discuss VEBA, documentation needs and functions that you are looking to take advantage of or develop yourself. Let me know and I'm happy to jump on a call.


pksrc commented on May 30, 2024

This has been addressed with the documentation at https://vmweventbroker.io/kb/advanced-certificates. @meyeaard let us know if we are good to close this issue.


meyeaard commented on May 30, 2024

