Configuring certificates in your Qlik Sense Enterprise on Kubernetes deployment

By default, Qlik Sense Enterprise on Kubernetes is installed with a self-signed certificate that users' browsers will not trust. To replace it with an SSL certificate that you own, complete the steps below.

Note: In this example, the certificate is in a file called tls.crt and the associated private key is in a file called tls.key.

Create the secret resource in Kubernetes

  1. Create a file called secret.yaml which will hold the certificate and its key. See the yaml definition below for an example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-certificate
      namespace: default
    type: kubernetes.io/tls
    data:
      tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURORENDQWh3Q0NRRHUxeDdVdEdJSjJEQU5CZ2txaGtpRzl3MEJBUXNGQURCY01Rc3dDUVlEVlFRR0V3SkQKUVRFUU1BNEdBMVVFQ0F3SFQyNTBZWEpwYnpFUE1BMEdBMVVFQnd3R1QzUjBZWGRoTVJRd0VnWURWUVFLREF0TQpaWGhqYjNKd0lFbHVZekVVTUJJR0ExVUVBd3dMYkdWNFkyOXljQzVqYjIwd0hoY05NVGd3TmpJM01Ua3hOelV3CldoY05NVGt3TmpJM01Ua3hOelV3V2pCY01Rc3dDUVlEVlFRR0V3SkRRVEVRTUE0R0ExVUVDQXdIVDI1MFlYSnAKYnpFUE1BMEdBMVVFQnd3R1QzUjBZWGRoTVJRd0VnWURWUVFLREF0TVpYaGpiM0p3SUVsdVl6RVVNQklHQTFVRQpBd3dMYkdWNFkyOXljQzVqYjIwd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUQyCndTZk03TDJiTHBnR1VsRERIci8rSUc3YlFONndnTzVMYWdqcnJramFHRjRGcVc0NS9Ha3hHTVhlZzZSTUpuYnkKTTI1RVloY2ZSVllzTmtaQVpCakYzM2ZwNlBqYjhydzhZV016RnJMOUtkeG8rZEtYSE14MTkvaExTaS82QTJOMgpBNzJta1krT2JmMHl0R1B5aEZVY0lEZEFxbWtGTitoTXlGZjQwS0l5VS94NjZMVHhsYjZLQm1uZm9LK3VlNStZCmVxcGVLRkhBZkZwK1NFSG5UMkNJZXdmQXR0Z29NL3dyREZVcENPS0sxZEJMUytzbzBZOUFCWG9wRm05U1RGV00KNVdZMno1NWdoa1l6UUpmemlRMC9WZkppamdMWmhwcjRCRVAwaXV0dlRIczhrSFIyUTJqSkxVNEpncFViTnlXOQpUejFLQzhMVGpiL1J4RVJCK01FWkFnTUJBQUV3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUlJSitsc2tlcUwzClpPVmxwNm1ZakRmRGt5Z1dkQVlCU0pINDdidHJkQUZrSlpQVVVMTzl6cTAxd0VBUHArRzFqZGUzSG42QmtyM0cKcklsRFZEckFobGRLR0hONS9BMXdoMjBxVlNKZzBkV25ielJnSVlkK0ljdjhIa1RORGlUSDRxWHRjUHR2VHQ0NgphTmJUOHc2THl0Sm9YRWNZVEQzcjVXdERKWHFodkdHUjVLNU1Ubmo3QmZxcXNsS2M4ZUZVbFdxOUpJZEZGZGRNClNzbHlhdE1zbk9YMGxtdDc4VnZYRFJ1RU5RM3BYUU1wNkhyQ3ZHRnY0NlhLRE5scVNyZm9vSURvbHBaUW5CdHAKWmdGZHc4U3VtMW91NVo1V0QxeW9XYkdLdFlLaTFiZkdNRHlsNURqZHdIakk0dG5GZk5LQ2E5TGZMdG5hS2V2RwprcS8wOTBtcjJxcz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
      tls.key: <base64-encoded contents of tls.key>
  2. You can give the name field a meaningful name. In this example we've used my-certificate.

    The tls.crt field is the base64-encoded value of your certificate. You can get this value using the following command:

    cat tls.crt | base64
  3. The base64-encoded value will be displayed on the screen. Enter it for the tls.crt value in your .yaml file.
  4. Do the same for the tls.key:
    cat tls.key | base64
  5. Enter the resulting base64 value in your .yaml file.
  6. Now create the secret resource in Kubernetes using the following command:
    kubectl apply -f secret.yaml
  7. You can verify the secret has been created using the following command:
    kubectl get secret my-certificate
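
The procedure above as an added shell example (not part of Qlik's documentation): it checks that tls.crt and tls.key belong together and writes each base64 value on a single line, since GNU base64 wraps its output at 76 columns. The function names are hypothetical, and openssl and base64 are assumed to be installed.

```shell
#!/bin/sh
# Added example, not Qlik's code. Function names are hypothetical.
# Typical use, from the directory holding tls.crt and tls.key:
#   umask 077
#   cert_matches_key tls.crt tls.key &&
#     render_tls_secret my-certificate default tls.crt tls.key > secret.yaml

# Succeed only if the certificate and the private key share one public key.
# A mismatched pair is accepted by "kubectl apply" but fails at the ingress.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Base64-encode a file onto one line. Stripping the newlines keeps the
# value a single YAML scalar even when base64 wraps its output.
b64_one_line() {
    base64 < "$1" | tr -d '\n'
}

# Print a kubernetes.io/tls Secret manifest on stdout.
# The PEM header checks catch swapped or non-PEM (for example DER) inputs.
render_tls_secret() {  # usage: render_tls_secret NAME NAMESPACE CERT KEY
    grep -q -- '-----BEGIN CERTIFICATE-----' "$3" ||
        { echo "not a PEM certificate: $3" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$4" ||
        { echo "not a PEM private key: $4" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(b64_one_line "$3")
  tls.key: $(b64_one_line "$4")
EOF
}
```

The generated secret.yaml holds the private key in reversible base64, so keep its file permissions restrictive and keep it out of version control.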

Configure the Ingress to use the Certificate

  1. Configure the Qlik Sense ingress to use the secret created in the previous procedure by adding the following to your values.yaml file:
    # References the “my-certificate” secret created within the “default” namespace
    elastic-infra:
     nginx-ingress:
       controller:
         extraArgs:
           default-ssl-certificate: "default/my-certificate"
  2. Update your cluster using the following command:
    helm upgrade --install qliksense qlik/qliksense -f values.yaml

Verifying the certificate with your browser

  • Using your browser, go to the domain you configured to verify the certificate presented by Qlik Sense’s ingress controller.

Using self-signed certificates and certificates not issued by a public CA

Note: Works on Qlik Sense Enterprise on Kubernetes December 2019 and later.

If your identity provider is using a self-signed certificate or a certificate that is not issued by a public Certificate Authority (CA), the CA certificate chain needs to be added in the values.yaml file:

global:
  certs:
    enabled: true
    configMap:
      create: true
      name: "{{ .Release.Name }}-ca-certs"
      certs: |+
        -----BEGIN CERTIFICATE-----
        MIIDLDCCAhSgAwIBAgIQANxWuceSqgA8h3fJ1Q7ZiTANBgkqhkiG9w0BAQsFADAm
        MSQwIgYDVQQDDBtRbGlrU2VydmVyMi5kb21haW4ubG9jYWwtQ0EwHhcNMTcwOTA5
        MTA1NjMwWhcNMjcwOTE2MTA1NjMwWjAmMSQwIgYDVQQDDBtRbGlrU2VydmVyMi5k
        b21haW4ubG9jYWwtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCZ
        mnjqNBml1RU6vbRlakPNrCasFZSherijN4Rzj54BMb0cljC2ZfOnve2ZS5k27Dp9
        Yt/S30B6MQTRNZBCOCOw3jqnOW87iemxhoE713EkF+zNcWnhHRA53+be1iIhV+kE
        fyFl6/4QQmUmZo2hu6gIajmdtZvM/CgjiPdF5a6KQp4WHA339afuIMR5KQe1Qt7E
        xqaTbh7niOJEXZXSHcbT80sFam4O36rGMpjuseDbJgsIlLGSw1QwnIxWf+bFlbiD
        +2XJclAVXt+BCrsYfBXd3akLDulStW+X9SFFqX1V8+rkDdOV8lffaNhN6K4HQeBG
        ...
        LmIMzgUM9+baRYUwC552X6+szY55xqY210yjFGSqrZDyyrJMi9RhDhSL1ZqIIJDm
        kpjNMY87Qa/c2slWTjg9lE/550nBFZfQoD1zODVALCil9Tlb43wRsn8nMdD4U6Qz
        cgYfPkhRw2oUZuZwTmPOIYMrWPmmGXY4T9lZrq5afS7p+et1TKXZEZAC7akXDYL4
        CRjjXsfxmDaxy8sefg+L0nHgvESc1hWEBD2LlVVWbZCFi4MrwkkDyik5NWu6GkN2
        2xi+CJX3EBhHb1aFVDGd5dBSv3agXatsAnUMzxquuvtKbrURbMfyPCyiAZwlG9AN
        -----END CERTIFICATE-----

Then run the following command to apply:

helm upgrade --install qliksense qlik/qliksense -f values.yaml

Reference

  • enabled: enables (true) or disables (false) the usage of a global CA certificate.
  • create: enables (true) or disables (false) the creation of a CA certificate configMap.
  • name: the templated CA certificate configMap name based on the release name.
  • certs: the global CA certificate chain. This replaces any existing CA trust chain.