Provide SSL Certificates for Your Defined Customers and Cages
Providing SSL Certificates to Nucleator Stacksets
Certain stacksets (for example, `nucleator-core-builder`) require SSL Certificates to validate that the server with which clients are communicating is authentic and to provide for encryption of the `https://` communication link.
Because certificates are strongly related to your nucleator siteconfig, SSL Certificates are provided to nucleator stacksets within your customized siteconfig repository. You can provide certificates that you have generated and signed yourself, or certificates that you have procured that have been signed by a trusted Certificate Authority (CA).
Nucleator's `builder` stackset expects certificates to be present in your siteconfig in a pkcs12-formatted certificate bundle that includes the signed server certificate, the private key used to generate the certificate, and a certificate bundle provided by your chosen CA to establish chain-of-trust (if required).
Nucleator provides a utility script, `make_certificate_bundle`, that can be used to generate a self-signed wildcard certificate for a specified cage, and package the results into the required pkcs12-format certificate bundle. Instructions to find and use the utility are included in this `README-ssl.md` markdown document.
You can generate and provide a pkcs12-format bundle that includes certificates signed by your certificate authority using the same steps taken within the `make_certificate_bundle` utility script.
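The steps described above (self-signed wildcard certificate, then a pkcs12 bundle with its private key), as an added example that is not the `make_certificate_bundle` script itself. The domain, output paths, function names and the password-file argument are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: package a self-signed wildcard certificate and its key
# into a PKCS#12 bundle. Domain, paths and password file are hypothetical.

make_bundle() {
    local domain="$1"     # cage domain, e.g. build.example.com (constructed)
    local outdir="$2"     # directory inside your siteconfig checkout
    local passfile="$3"   # file whose first line is the export password
    local key="$outdir/$domain.key"
    local crt="$outdir/$domain.crt"
    local p12="$outdir/$domain.pkcs12"

    # For a CA-signed certificate, skip the req step and add
    # "-certfile <ca-chain.pem>" to the pkcs12 -export command.
    (
        umask 077   # private key and bundle readable by the owner only
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
            -subj "/CN=*.$domain" \
            -addext "subjectAltName=DNS:*.$domain,DNS:$domain" \
            -keyout "$key" -out "$crt" 2>/dev/null &&
        openssl pkcs12 -export -inkey "$key" -in "$crt" -name "$domain" \
            -passout "file:$passfile" -out "$p12"
    ) || return 1
    printf '%s\n' "$p12"
}

# Before committing: the bundle must open with the password, and the
# certificate's public key must match the private key stored beside it.
verify_bundle() {
    local p12="$1"
    local passfile="$2"
    local cert_pub key_pub
    cert_pub=$(openssl pkcs12 -in "$p12" -passin "file:$passfile" \
        -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$p12" -passin "file:$passfile" \
        -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

The bundle contains the private key, so keep the export password file and the intermediate `.key` file out of the siteconfig repository and commit only the `.pkcs12` file.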
Add, commit and push configuration changes to your personal siteconfig repository
After generating your certificate bundles, you'll need to add and commit them to your personal siteconfig git repository:
    git add --all :/
    git commit -m "added SSL certificate bundles"
    git push

In the subsequent steps, Nucleator will clone the repository that you have specified to access your current configuration, so it is important that you have committed and pushed your changes.
Summary
Use the `make_certificate_bundle` script to generate a self-signed certificate and package it together with its private key into a .pkcs12-format certificate bundle for each of your nucleator cages where you will deploy Stacksets that require SSL certificates (including the `build` cage, where the `builder` stackset deploys). If you have procured certificates from a Certificate Authority, use steps similar to those in the `make_certificate_bundle` script to generate the certificate bundle. Commit each of these bundles to your personal siteconfig repository.
Next: Update Chosen Stacksets