Skip to main content
Tungsten Dashboard

Configuring SSL when Deploying with Kubernetes

When deploying through Kubernetes there are two options available, these are as follows:

Basic SSL Connection To REST API only

...
api-ssl: true
api-cert: "<base64-encoded-certificate>"
ssl: false
...

The above setup allows HTTPS connections to the socket without a certificate for the TCP connection to the cluster.

To enable TCP SSL you must provide a certificate for the TCP connection.

SSL with Self-Signed Certificates

...
api-ssl: true
api-cert: "<base64-encoded-certificate>"
ssl: true
cert: "<base64-encoded-certificate>"
hostname-validation: false
...

For a self-signed certificate setup, provide both certificates as base64-encoded values and disable the hostname validation for the HTTPS protocol. hostname-validation can be left on for certificates signed by a trusted authority.

To gather the certificates, you should use the getcert.pl tool.

The hostname-validation setting can be configured in three ways:

  1. Per cluster in clusters.json using the hostname-validation field
  2. Globally in DASHBOARD_HOSTNAME_VALIDATION environment variable.
  3. Globally in config.json using the hostname-validation field

If none are specified, hostname-validation defaults to true

Priority order:

  1. Cluster-specific setting in clusters.json (highest priority)
  2. DASHBOARD_HOSTNAME_VALIDATION environment variable.
  3. Global setting in config.json
  4. Default value of true (lowest priority)

When hostname validation is:

  • Enabled: The certificate's hostname must match the server's hostname.
  • Disabled: The certificate is still verified, but the hostname matching is skipped. This is mostly the scenario for self-signed certificates.
important

When hostname validation is disabled (either per cluster or globally), a certificate must be provided:

  • If hostname-validation=false is set for a specific cluster, that cluster must include a cert field
  • If hostname-validation=false is set globally in config.json, all SSL-enabled clusters must include a cert field
  • This requirement ensures secure connections even when hostname matching is skipped