
Deploy RA and VA in Kubernetes with Ingress with TLS passthrough

ENTERPRISE

EJBCA can be deployed using any Ingress that supports TLS passthrough. In this setup, TLS is terminated by the NGINX or Apache HTTPD sidecar running inside each Pod, rather than at the Ingress controller. This configuration closely follows Deploy RA and VA in Kubernetes with LoadBalancer service.

All other deployment steps are the same as for LoadBalancer deployments, but the Helm chart uses an ingress section and omits the service.type section in the sidecar configuration.

Example Helm chart snippet

YAML
nginx:
  enabled: true
  host: "ejbcara.example.com"
  mountInternalNginxCert: true
  secretInternalNginxCert: "internal-nginx-credential-secret-ra1"

ingress:
  enabled: true
  # indicates TLS pass through
  sslBackend: true
  hosts:
    - host: "ejbcara.example.com"
      paths:
        - path: /
          pathType: Prefix

Full values.yaml example

YAML
image:
  variant: ra
  #variant: va
  pullPolicy: IfNotPresent
imagePullSecrets:
  - name: keyfactor-registry
ejbca:
  license: ejbca-license-secret
  configdumpImport:
    enabled: true
    initialize: true
    configMapName: ejbca-ra-init-configmap
    configMapKey: configdump.json
  env:
    TLS_SETUP_ENABLED: "later"
    DATABASE_JDBC_URL: "jdbc:mariadb://ra-database-service:3306/ejbca?characterEncoding=utf8"
  envRaw:
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: ejbcadbcredentials
          key: database_user
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ejbcadbcredentials
          key: database_password
nginx:
  enabled: true
  host: "ejbcara.example.com"
  mountInternalNginxCert: true
  secretInternalNginxCert: "internal-nginx-credential-secret-ra1"

ingress:
  enabled: true
  # indicates TLS pass through
  sslBackend: true
  hosts:
    - host: "ejbcara.example.com"
      paths:
        - path: /
          pathType: Prefix

# replicaCount: 2
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 5
  targetCPUUtilizationPercentage: 60
resources:
  limits:
    cpu: "1"

Next Steps

This page demonstrates how to complete an RA and VA deployment using Ingress with TLS passthrough. You can verify connectivity and TLS functionality as described in Deploy RA and VA in Kubernetes with LoadBalancer service.
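One check specific to passthrough, as an added example that is not part of the EJBCA documentation: because TLS is terminated by the sidecar, the certificate a client receives on the Ingress hostname should be the sidecar's own certificate. It assumes the certificate held in the secret named by secretInternalNginxCert has been exported to a local PEM file; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl
import sys

# Constructed stand-in bytes (not a real certificate) for exercising the offline path.
SAMPLE_DER = b"constructed-bytes-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 (hex) of the first certificate in a PEM string, i.e. the leaf."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.index(begin)  # ValueError if no certificate is present
    stop = pem.index(end, start) + len(end)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem[start:stop])).hexdigest()


def served_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """SHA-256 (hex) of the certificate presented for `host`.

    Chain validation is disabled on purpose: this only identifies which
    certificate answered, it does not establish trust in it. SNI is sent
    because a passthrough Ingress routes on it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def terminates_at_sidecar(served_fp: str, sidecar_fp: str) -> bool:
    """True when the served certificate is the sidecar's (colons and case ignored)."""
    def norm(fp: str) -> str:
        return fp.replace(":", "").strip().lower()
    return norm(served_fp) == norm(sidecar_fp)


if __name__ == "__main__":
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as fh:
        expected = fingerprint_from_pem(fh.read())
    served = served_fingerprint(host)
    ok = terminates_at_sidecar(served, expected)
    print(f"served  {served}\nsidecar {expected}\nmatch   {ok}")
    sys.exit(0 if ok else 1)
```

Run it with the Ingress hostname and the exported PEM file as arguments. A mismatch means something in front of the Pod, typically the Ingress controller, terminated TLS and presented its own certificate.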
