Ingress Installation
Follow one of the processes outlined on this page to configure an ingress with a Cortex Certifai instance.
Installation with "Pluggable" Ingress
Info
Certifai does not ship an Ingress controller; it makes use of the controller already available on your cluster.
This section explains how to create your own Ingress resources if you're using a different Ingress Controller or need to make use of additional annotations that are not added by Certifai to its auto-created Ingress resources.
Edit the certifai-cr.yaml that you created in the installation section to:
- Set create-ingress to false for console, policy, scan manager and dex.
  NOTE
  Pluggable ingress is not supported by RedHat OpenShift; omit this parameter in the certifai-cr.yaml for that platform.
- Set the dex-url to be consistent with the domain name that will be used in the dex ingress.
- Set the tls secret for dex.
- Set the console-url.
- Set the tls secret for console.
- Set the policy-url.
- Set the tls secret for policy.
- Set the scan-manager-url.
- Set the tls secret for scan manager.
```yaml
apiVersion: cortex.cognitivescale.com/v1
kind: Certifai
metadata:
  name: default-certifai
  # namespace should match the namespace set in the subscription defined earlier in the Enterprise Configuration section
  namespace: certifai
spec:
  deployment-type: k8s
  dex:
    # enable dex to act as the oidc provider
    enabled: true
    # set create-ingress to false to enable definition of custom ingress
    create-ingress: false
    tls-secret: tls secret name which contains tls certificates
    dex-url: https://dex.mydomain.com
    replicas: 1
    # dex auth provider connector
    connector:
      type: github
      name: Github
      client-id: github oauth app client id
      client-secret: github oauth app client secret
      # additional configurations as found in https://github.com/dexidp/website/tree/main/content/docs/connectors
      add-config: |
        orgs:
        - name: org-to-provide access to
  console:
    create-ingress: false
    tls-secret: tls secret name which contains tls certificates
    console-url: External Console URL
    replicas: 1
    route-type: oauth
    authorization-type: rbac
    s3:
      access-key: your access key
      endpoint: 'https://s3.amazonaws.com'
      secret-key: your secret key
      verify-cert: false
    scan-dir: path to the storage bucket or container
    reference-model:
      enabled: true
  policy:
    create-ingress: false
    tls-secret: tls secret name which contains tls certificates
    policy-url: External policy URL
    s3:
      access-key: your access key
      endpoint: 'https://s3.amazonaws.com'
      secret-key: your secret key
      verify-cert: false
    enabled: true
    questionnaire-dir: path to the storage bucket or container
    authorization-type: rbac
    replicas: 1
    route-type: oauth
  scan-manager:
    enabled: false
    create-ingress: true
    replicas: 1
    scan-data-dir: ""
    scan-manager-url: External Scan Manager URL
    tls-secret: tls secret name which contains tls certificates
    reporting:
      enabled: true
      period: "*/15 * * * *"
      db-conn-str: "postgresql://user:password@service:port/db"
```
This setup does not create the ingress resources for console, policy, scan manager, and dex, which depend on the value of the create-ingress field.
Create your ingress resources with the appropriate annotations for your ingress controller (the setup for the NGINX and NginxPlus ingress controllers is described below).
Create and apply ingress resources
- Edit the ingress.yaml files (examples below).
  - Certifai expects the custom ingress resources for Console, policy, scan manager, and Dex to be named console, policy, scan-manager, and dex respectively.
  - The servicePort must be oauth-proxy if you're setting up oauth; otherwise assign that field 8000 for console, 8001 for policy, and 8003 for scan manager.
  - Edit the host field with your desired domain name. The value should match the corresponding console-url, policy-url, scan-manager-url, or dex-url field from your certifai-cr.yaml file.
  ALERT
  - The name must be unique; if the name is already in use, the system will fail.
  - Set create-ingress to false to enable definition of custom ingress.
  - The external dex URL must be consistent between certifai-cr.yaml and the ingress-dex.yaml host.
- Save the files respectively as ingress-console.yaml, ingress-policy.yaml, ingress-scan-manager.yaml, and ingress-dex.yaml.
- After your resource files are configured, apply them by running:
  kubectl apply -f <file-name> -n <your_namespace>
  Example:
  kubectl apply -f ingress-console.yaml -n <your_namespace>
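The two preceding procedures (editing certifai-cr.yaml, then writing the four ingress files) fail silently when the ingress host drifts from the matching *-url, or when an ingress is saved under a name other than console, policy, scan-manager or dex. The POSIX shell script below is an added pre-apply check; it is not part of the Certifai documentation or product. It assumes the four file names this page tells you to save, the flat key: value layout of certifai-cr.yaml shown above (it is not a general YAML parser), and constructs its own sample files for the demo; the kubectl call in live_tls_secret_check assumes access to the target cluster and namespace.

```shell
#!/bin/sh
# Added example (not Certifai's code): cross-check pluggable-ingress files
# against certifai-cr.yaml before "kubectl apply". For each component it
# verifies that metadata.name is the name Certifai expects and that the
# ingress host equals the hostname of the matching *-url in the CR.

# Hostname part of a URL: https://dex.mydomain.com:443/p -> dex.mydomain.com
host_from_url() {
  printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:].*$##'
}

# First "key: value" occurrence in a file, quotes stripped.  yaml_value FILE KEY
# Anchored on the key, so "name:" does not match "serviceName:" or "secretName:".
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'"
}

# First "- host:" entry under spec.rules of an ingress file ("hosts:" under tls is skipped).
ingress_host() {
  sed -n 's/^[[:space:]]*-[[:space:]]*host:[[:space:]]*//p' "$1" | head -n 1
}

# check_ingress CR_FILE INGRESS_FILE URL_KEY EXPECTED_NAME
# Returns 0 when name and host agree with the CR, 1 (with a FAIL line) otherwise.
check_ingress() {
  cr=$1; ing=$2; key=$3; want_name=$4
  want_host=$(host_from_url "$(yaml_value "$cr" "$key")")
  got_host=$(ingress_host "$ing")
  got_name=$(yaml_value "$ing" name)
  status=0
  if [ "$got_name" != "$want_name" ]; then
    echo "FAIL $ing: metadata.name is '$got_name', Certifai expects '$want_name'"
    status=1
  fi
  if [ -z "$want_host" ] || [ "$got_host" != "$want_host" ]; then
    echo "FAIL $ing: host '$got_host' does not match $key ('$want_host') in $cr"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK   $ing: name=$got_name host=$got_host"
  return "$status"
}

# Check all four files the page tells you to create (file and key names from the page).
check_all() {
  cr=${1:-certifai-cr.yaml}
  rc=0
  check_ingress "$cr" ingress-console.yaml      console-url      console      || rc=1
  check_ingress "$cr" ingress-policy.yaml       policy-url       policy       || rc=1
  check_ingress "$cr" ingress-scan-manager.yaml scan-manager-url scan-manager || rc=1
  check_ingress "$cr" ingress-dex.yaml          dex-url          dex          || rc=1
  return "$rc"
}

# Live check needing cluster access (not run by the demo): the TLS secret named in
# the ingress must already exist in the namespace or TLS will not terminate.
live_tls_secret_check() { # NAMESPACE INGRESS_FILE
  secret=$(yaml_value "$2" secretName)
  kubectl get secret "$secret" -n "$1" >/dev/null && echo "OK   secret $secret exists in $1"
}

# Offline demo on constructed files: console matches; the dex ingress host has
# drifted from dex-url (the mismatch the docs warn about). Returns 0 when the
# checker accepts the good pair and rejects the bad one.
demo_mismatch_detected() {
  d=$(mktemp -d)
  cat > "$d/certifai-cr.yaml" <<'EOF'
spec:
  dex:
    create-ingress: false
    dex-url: https://dex.mydomain.com
  console:
    create-ingress: false
    console-url: https://console.mydomain.com
EOF
  cat > "$d/ingress-console.yaml" <<'EOF'
metadata:
  name: console
spec:
  rules:
  - host: console.mydomain.com
EOF
  cat > "$d/ingress-dex.yaml" <<'EOF'
metadata:
  name: dex
spec:
  rules:
  - host: login.mydomain.com
EOF
  good=0; bad=0
  check_ingress "$d/certifai-cr.yaml" "$d/ingress-console.yaml" console-url console && good=1
  check_ingress "$d/certifai-cr.yaml" "$d/ingress-dex.yaml" dex-url dex || bad=1
  rm -rf "$d"
  [ "$good" -eq 1 ] && [ "$bad" -eq 1 ]
}
```

Run check_all from the directory holding certifai-cr.yaml and the four ingress files, and apply only when it exits 0; live_tls_secret_check <namespace> ingress-dex.yaml (and the other three) confirms the referenced TLS secrets exist before the controller tries to serve them. One caveat the manifests on this page do not mention: they declare apiVersion extensions/v1beta1, which Kubernetes removed in v1.22; on such clusters the same resources must be written as networking.k8s.io/v1 (with pathType and a service name/port backend), while the name and host checks above apply unchanged.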
Set up NGINX ingress controller
Ingress resources (yaml files) for console, policy, scan manager, and dex are created as follows for NGINX.
Ingress Controller: https://kubernetes.github.io/ingress-nginx/
Example NGINX Console ingress.yaml:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: console
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: console.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: certifai-console
          servicePort: oauth-proxy
  tls:
  - hosts:
    - console.mydomain.com
    secretName: certifai-console-tls
```
Example NGINX Policy ingress.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: policy
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: policy.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: certifai-policy
          servicePort: oauth-proxy
  tls:
  - hosts:
    - policy.mydomain.com
    secretName: certifai-policy-tls
```
Example NGINX Scan Manager ingress.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: scan-manager
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: scan-manager.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: certifai-scan-manager
          servicePort: oauth-proxy
  tls:
  - hosts:
    - scan-manager.mydomain.com
    secretName: certifai-scan-manager-tls
```
Example NGINX Dex ingress.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dex
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: dex.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: dex
          servicePort: dex
  tls:
  - hosts:
    - dex.mydomain.com
    secretName: dex-tls
```
Set up NginxPlus Ingress Controller
Ingress resources (yaml files) for console, policy, scan manager, and Dex are created as follows for NginxPlus.
Ingress Controller: https://github.com/nginxinc/kubernetes-ingress
Example NginxPlus Console ingress.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: console
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: console.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: certifai-console
          servicePort: oauth-proxy
  tls:
  - hosts:
    - console.mydomain.com
    secretName: certifai-console-tls
```
Example NginxPlus Policy ingress.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: policy
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: policy.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: certifai-policy
          servicePort: oauth-proxy
  tls:
  - hosts:
    - policy.mydomain.com
    secretName: certifai-policy-tls
```
Example NginxPlus Scan Manager ingress.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: scan-manager
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: scan-manager.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: certifai-scan-manager
          servicePort: oauth-proxy
  tls:
  - hosts:
    - scan-manager.mydomain.com
    secretName: certifai-scan-manager-tls
```
Example NginxPlus Dex ingress.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dex
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/ssl-services: "dex"
spec:
  rules:
  - host: dex.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: dex
          servicePort: dex
  tls:
  - hosts:
    - dex.mydomain.com
    secretName: dex-tls
```
Next Steps
- Provide access to users of this Cortex Certifai instance by following the guide described at Certifai Roles.
- Run a verification scan.