In a standard CloudSoda installation, the platform automatically manages DNS and generates valid HTTPS certificates. However, if a customer does not want to use this service, they are responsible for:
- Creating and managing the required DNS records
- Installing signed SSL certificates for HTTPS
DNS Creation
Before installing CloudSoda, a server must be provisioned in accordance with the CloudSoda server guidelines. As outlined in the Reference Architecture Guide, the server should be configured with a single IP address, which must be used for all required Fully Qualified Domain Names (FQDNs). CloudSoda requires the following FQDNs:
cloudsoda.myco.com
agent.cloudsoda.myco.com
api.cloudsoda.myco.com
docs.cloudsoda.myco.com
id.cloudsoda.myco.com
intel.cloudsoda.myco.com
llm.cloudsoda.myco.com
orch.cloudsoda.myco.comIn the example above, “cloudsoda” is the hostname, and “myco.com” is the company’s domain name. The primary FQDN (cloudsoda.myco.com) and its associated IP address are required for the installation process. Please have this information ready before requesting the install form, as it will need to be included.
Certificate Creation
To minimize the cost and complexity of managing individual certificates, we recommend including Subject Alternative Names (SANs) in your SSL certificate. This allows you to use a single certificate that secures all required hostnames. The hostnames that should be included are:
Root domain:
cloudsoda.myco.com
SANs (Subject Alternative Names):
api.cloudsoda.myco.com
docs.cloudsoda.myco.com
id.cloudsoda.myco.com
intel.cloudsoda.myco.com
llm.cloudsoda.myco.com
orch.cloudsoda.myco.comYou may notice that no SSL certificate is requested for the "cloudsoda.agent.myco.com" address. This is because the connection uses UDP and has its own built-in TLS encryption, which does not require an SSL certificate.
Alternatively, this can accept a certificate with the root domain and a wildcard subdomain like:
Root domain:
cloudsoda.myco.com
SANs (Subject Alternative Names):
*.cloudsoda.myco.comGenerating Private Key and Certificate Signing Request (CSR)
Before you can obtain an SSL certificate from a Certificate Authority (CA), you need to generate a private key and a Certificate Signing Request (CSR). Here's how to do this using OpenSSL:
Step 1: Generate the Private Key
First, generate a 2048-bit RSA private key:
openssl genrsa -out cloudsoda.key 2048
Step 2: Create a Configuration File for the CSR
Create a configuration file (cloudsoda.conf) to specify the certificate details and Subject Alternative Names:
[req] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn req_extensions = v3_req [dn] C=US ST=California L=San Francisco O=MyCompany Inc OU=IT Department CN=cloudsoda.myco.com [v3_req] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = cloudsoda.myco.com DNS.2 = api.cloudsoda.myco.com DNS.3 = docs.cloudsoda.myco.com DNS.4 = id.cloudsoda.myco.com DNS.5 = intel.cloudsoda.myco.com DNS.6 = llm.cloudsoda.myco.com DNS.7 = orch.cloudsoda.myco.com
Note: Adjust the distinguished name (DN) fields to match your organization's information:
-
C= Country (2-letter code) -
ST= State or Province -
L= Locality/City -
O= Organization name -
OU= Organizational Unit -
CN= Common Name (primary domain)
For a wildcard certificate, you can simplify the [alt_names] section to:
[alt_names] DNS.1 = cloudsoda.myco.com DNS.2 = *.cloudsoda.myco.com
Step 3: Generate the Certificate Signing Request
Using the private key and configuration file, generate the CSR:
openssl req -new -key cloudsoda.key -out cloudsoda.csr -config cloudsoda.conf
Step 4: Verify the CSR
Before submitting to your CA, verify that the CSR contains the correct information:
openssl req -in cloudsoda.csr -text -noout
This command will display the CSR details, including the Subject Alternative Names. Ensure all required domains are listed correctly.
Step 5: Submit to Certificate Authority
Submit the generated cloudsoda.csr file to your chosen Certificate Authority along with any required documentation. The CA will validate your request and issue the signed certificate.
Once you receive the signed certificate from your CA, save it as cloudsoda.crt and proceed with the installation steps below.
Certificate Installation
Once the certificate has been created, combine it with the intermediate certificate (if applicable), then copy both the certificate and the private key to the CloudSoda Controller. Next, SSH into the server and run the following commands:
NAMES="identifier interfacer documenter synaptor tools viewer"
for NAME in $NAMES; do
kubectl -n soda create secret tls "$NAME-certificate-secret" --cert=cert.crt --key=key.key
done
kubectl -n di create secret tls "api-certificate-secret" --cert=cert.crt --key=key.keyIf you receive a message indicating that the secrets already exist, you can safely delete them and then rerun the command above.
NAMES="identifier interfacer documenter synaptor tools viewer"
for NAME in $NAMES; do
kubectl -n soda delete secret "$NAME-certificate-secret"
done
kubectl -n di delete secret api-certificate-secretThis step is only necessary if you encounter an error while creating your certificate secrets. In that case, simply delete the existing secrets and re-run the commands from the previous step.
Once completed, you should be able to browse to https://cloudsoda.myco.com and see a valid SSL certificate in place.
Comments
0 comments
Please sign in to leave a comment.