Prerequisites
Before deploying EJBCA and SignServer to cloud environments, ensure that the following systems and tools are in place:
Kubernetes v1.32+
Helm v3+
External access management:
It is recommended that TLS connections are terminated at the EJBCA pod. The EJBCA pod includes a proxy configured with TLS credentials. This ensures that plain HTTP communication never leaves the node and enables certificate-based authentication.
Any Ingress that allows TLS passthrough or SNI can be used. This type of Ingress is functionally equivalent to a Network Load Balancer provided by cloud service providers. You may apply additional annotations using ingress.annotations, for example: haproxy.org/ssl-passthrough: "true". A Network Load Balancer (for example, a cloud-provider-managed load balancer or MetalLB) may also be used.
Ingress NGINX DEPRECATED. Ingress NGINX may be used but is currently deprecated. Follow the Ingress NGINX Controller Installation Guide. Enable controller snippets to allow certificate authentication by setting controller.allowSnippetAnnotations=true in your Helm chart deployment. This setting is disabled by default starting with Ingress NGINX version 1.9.0.
Supported database (for non-ephemeral instances):
MariaDB
MySQL
PostgreSQL
Oracle Database
Microsoft SQL Server or Azure SQL
Hardware Security Module (HSM):
One of the supported HSMs listed on HSM Integration.