Cortex CertifaiIngress Installation
Follow one of the processes outlined on this page to to configure an ingress with a Cortex Certifai instance.
Installation with "Pluggable" Ingress
Info
Certifai does not ship an Ingress controller; it makes use of the controller already available on your cluster.
This section explains how to create your own Ingress resources if you're using a different Ingress Controller or need to make use of additional annotations that are not added by Certifai to its auto-created Ingress resources.
Edit the certifai-cr.yaml that you created in installation section to:
Set
create-ingressto be false for console, policy, scan manager and dexNOTE
Pluggable ingress is not supported by RedHat OpenShift; omit this parameter in the
certifai-cr.yamlfor that platform.Set the
dex-urlto be consistent with the domain name that will be used in the dex ingressSet
tls secretfor dexSet the
console-urlSet
tls secretfor consoleSet the
policy-urlSet
tls secretfor policySet the
scan-manager-urlSet
tls secretfor scan manager
apiVersion: cortex.cognitivescale.com/v1kind: Certifaimetadata: name: default-certifai # namespace should match the namespace set in the subscription defined earlier in the Enterprise Configuration section namespace: certifaispec: deployment-type: k8s dex: #enable dex to act as the oidc provider enabled: true #set create-ingress to false to enable definition of custom ingress create-ingress: false tls-secret: tls secret name which contains tls certificates dex-url: https://dex.mydomain.com replicas: 1 #dex auth provider connector connector: type: github name: Github client-id: github oauth app client id client-secret: github oauth app client secret #additional configurations as found in https://github.com/dexidp/website/tree/main/content/docs/connectors add-config: | orgs: - name: org-to-provide access to console: create-ingress: false tls-secret: tls secret name which contains tls certificates console-url: External Console URL replicas: 1 route-type: oauth authorization-type: rbac s3: access-key: your access key endpoint: 'https://s3.amazonaws.com' secret-key: your secret key verify-cert: false scan-dir: path to the storage bucket or container reference-model: enabled: true policy: create-ingress: false tls-secret: tls secret name which contains tls certificates policy-url: External policy URL s3: access-key: your access key endpoint: 'https://s3.amazonaws.com' secret-key: your secret key verify-cert: false enabled: true questionnaire-dir: path to the storage bucket or container authorization-type: rbac replicas: 1 route-type: oauth scan-manager: enabled: false create-ingress: true replicas: 1 scan-data-dir: "" scan-manager-url: External Scan Manager URL tls-secret: tls secret name which contains tls certificates reporting: enabled: true period: "*/15 * * * *" db-conn-str: "postgresql://user:password@service:port/db"This setup does not create the ingress resources for console, policy, scan manager, and dex, which depend on the value of the create-ingress field.
Create your ingress resources with the appropriate annotations for your ingress controller (Nginx and NginxPlus ingress controller set up is described below).
Create and apply ingress resources
Edit the ingress.yaml files (examples below)
Certifai expects the name of the custom ingress resources for Console, policy, scan manager, and Dex to be named
console,policy,scan-manager, anddexrespectively.The
servicePortmust beoauth-proxyif you're setting up oauth; otherwise assign that field8000for console,8001for policy, and8003for scan manager.Edit the
hostfield with your desired domain name. The value should match the correspondingconsole-url,policy-url,scan-manager-url, ordex-urlfield from yourcertifai-cr.yamlfile.ALERT
The name must be unique; if the name is already in use, the system will fail.
Set
create-ingresstofalseto enable definition of custom ingress.External dex URL must be consistent in
certifai-cr.yamland theingress-dex.yamlhost.
Save files respectively as
ingress-console.yaml,ingress-policy.yaml,ingress-scan-manager.yaml, andingress-dex.yaml.After your resource files are configured, apply them by running:
kubectl apply -f <file-name> -n <your_namespace>Example:
kubectl apply -f ingress-console.yaml -n <your_namespace>
Set up NGINX ingress controller
Three ingress resources (yaml files) for console, policy, and dex are created as follows for NGINX.
Ingress Controller: https://kubernetes.github.io/ingress-nginx/
Example NGINX Console ingress.yaml:
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: console annotations: kubernetes.io/ingress.class: "nginx"spec: rules: - host: console.mydomain.com http: paths: - path: / backend: serviceName: certifai-console servicePort: oauth-proxy tls: - hosts: - console.mydomain.com secretName: certifai-console-tlsExample NGINX Policy ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: policy annotations: kubernetes.io/ingress.class: "nginx"spec: rules: - host: policy.mydomain.com http: paths: - path: / backend: serviceName: certifai-policy servicePort: oauth-proxy tls: - hosts: - policy.mydomain.com secretName: certifai-policy-tlsExample NGINX Scan Manager ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: scan-manager annotations: kubernetes.io/ingress.class: "nginx"spec: rules: - host: scan-manager.mydomain.com http: paths: - path: / backend: serviceName: certifai-scan-manager servicePort: oauth-proxy tls: - hosts: - scan-manager.mydomain.com secretName: certifai-scan-manager-tlsExample NGINX Dex ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: dex annotations: kubernetes.io/ingress.class: "nginx"spec: rules: - host: dex.mydomain.com http: paths: - path: / backend: serviceName: dex servicePort: dex tls: - hosts: - dex.mydomain.com secretName: dex-tlsSet up NginxPlus Ingress Controller
Three ingress resources (yaml files) for console, policy, scan manager, and Dex are created as follows for nginxPlus.
Ingress Controller: https://github.com/nginxinc/kubernetes-ingress
Example NginxPlus Console ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: console annotations: kubernetes.io/ingress.class: "nginx" ingress.kubernetes.io/ssl-redirect: "false"spec: rules: - host: console.mydomain.com http: paths: - path: / backend: serviceName: certifai-console servicePort: oauth-proxy tls: - hosts: - console.mydomain.com secretName: certifai-console-tlsExample NginxPlus Policy ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: policy annotations: ingress.kubernetes.io/ssl-redirect: "false" kubernetes.io/ingress.class: nginxspec: rules: - host: policy.mydomain.com http: paths: - path: / backend: serviceName: certifai-policy servicePort: oauth-proxy tls: - hosts: - policy.mydomain.com secretName: certifai-policy-tlsExample NginxPlus Scan Manager ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: scan-manager annotations: ingress.kubernetes.io/ssl-redirect: "false" kubernetes.io/ingress.class: nginxspec: rules: - host: scan-manager.mydomain.com http: paths: - path: / backend: serviceName: certifai-scan-manager servicePort: oauth-proxy tls: - hosts: - scan-manager.mydomain.com secretName: certifai-scan-manager-tlsExample NginxPlus Dex ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: dex annotations: kubernetes.io/ingress.class: "nginx" nginx.org/ssl-services: "dex"spec: rules: - host: dex.mydomain.com http: paths: - path: / backend: serviceName: dex servicePort: dex tls: - hosts: - dex.mydomain.com secretName: dex-tlsNext Steps
- Provide access to users of this Cortex Certifai instance by following the guide described at Certifai Roles.
- Run a verification scan.