Deploy SignServer in Kubernetes
The following provides an example of deploying SignServer to a Kubernetes cluster, integrating it with an external MariaDB database, and utilizing Ingress to expose HTTPS routes from outside the cluster to the SignServer service.
Prerequisites
Before you begin, you need a functioning Kubernetes cluster with the tools Helm and kubectl installed. For details, see the Prerequisites section.
Step 1 - Prepare database
To create a quick-start test database, follow the instructions in Deploy MariaDB in Kubernetes.
Optionally, you can use an existing database. Note that you need to adjust the connection settings used in the following steps accordingly.
Step 2 - Configure Ingress
To configure client certificate authentication and TLS termination at the Ingress level, you need to create two secrets: one secret containing the full Certificate Authority chain, and another with the TLS certificate.
Set up EJBCA or another certificate authority: follow Tutorial - Issue TLS server certificates with EJBCA and download the PEM file.
Prepare secrets
Private key
Copy the content starting from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- into a file named server_tls.key:
```shell
awk '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/' \
  signserver.example.com.pem > server_tls.key
```
Certificate
The downloaded PEM file contains two certificates: the server TLS certificate, and the issuer CA certificate.
Copy the content of the server TLS certificate (first entry) starting from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a file named server_tls.pem:
```shell
awk '/-----BEGIN CERTIFICATE-----/ {found=1} found && !printed; \
     /-----END CERTIFICATE-----/ {printed=1}' \
  signserver.example.com.pem > server_tls.pem
```
Create secrets
Create a secret for the TLS certificate using the server_tls.key and server_tls.pem files:
```shell
kubectl create secret generic ingress-nginx-credential-secret-ca \
  --from-file=tls.crt=server_tls.pem \
  --from-file=tls.key=server_tls.key
```
Create a secret containing the full Certificate Authority chain using the previously downloaded Management CA PEM file:
```shell
kubectl create secret generic signserver-ingress-trust-secret \
  --from-file=ca.crt=ManagementCA.cacert.pem
```
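As an added example that is not part of the SignServer documentation, the following script performs the same split with awk, writes any further issuer certificate(s) to a ca_chain.pem file (a name chosen here), and checks that each output file contains only the PEM blocks it should before any secret is created; the sample bundle it writes is constructed with dummy base64 bodies rather than real key material.

```shell
#!/bin/sh
# Added example, not from the SignServer docs: split a downloaded PEM bundle
# (private key, then server certificate, then issuer CA certificate(s)) into
# separate files and sanity-check the result before creating the secrets.
split_pem_bundle() {   # usage: split_pem_bundle <bundle.pem> <outdir>
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  : > "$outdir/ca_chain.pem"   # present even if the bundle has only one cert
  # Private key: the range between the BEGIN/END PRIVATE KEY markers.
  awk '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/' "$bundle" \
    > "$outdir/server_tls.key"
  # Certificates in order of appearance: the first is the server (leaf)
  # certificate, every following one is appended to the issuer chain.
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = (n == 1) ? dir "/server_tls.pem" : dir "/ca_chain.pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { out = "" }
  ' "$bundle"
}

count_blocks() {   # number of "-----BEGIN <type>-----" lines in file $1
  n=$(grep -c -- "-----BEGIN $2-----" "$1" 2>/dev/null) || n=${n:-0}
  echo "$n"
}

check_split() {   # one key, one leaf cert, >=1 issuer cert, nothing misplaced
  d="$1"
  [ "$(count_blocks "$d/server_tls.key" 'PRIVATE KEY')" -eq 1 ] &&
  [ "$(count_blocks "$d/server_tls.key" CERTIFICATE)" -eq 0 ] &&
  [ "$(count_blocks "$d/server_tls.pem" CERTIFICATE)" -eq 1 ] &&
  [ "$(count_blocks "$d/server_tls.pem" 'PRIVATE KEY')" -eq 0 ] &&
  [ "$(count_blocks "$d/ca_chain.pem" CERTIFICATE)" -ge 1 ]
}

write_sample_bundle() {   # constructed bundle with dummy base64 bodies, not real keys
  cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
RFVNTVktUFJJVkFURS1LRVktQk9EWQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
RFVNTVktU0VSVkVSLUNFUlQtQk9EWQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RFVNTVktSVNTVUVSLUNBLUNFUlQtQk9EWQ==
-----END CERTIFICATE-----
EOF
}

demo=$(mktemp -d); write_sample_bundle "$demo/bundle.pem"
split_pem_bundle "$demo/bundle.pem" "$demo/out" && check_split "$demo/out" && echo "split OK"
```

Before creating the secrets from a real download, `openssl x509 -in server_tls.pem -noout -subject -dates` confirms that the first block really is the server certificate and that it is within its validity period.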
Step 3 - Deploy SignServer
To deploy SignServer, first prepare the deployment parameters by creating a YAML configuration file, and then use the Helm Chart with your values file to install SignServer to a Kubernetes cluster.
Prepare deployment parameters
Create a signserver.yaml configuration file with the following content:
```yaml
signserver:
  useEphemeralH2Database: false
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://mariadb:3306/signserver?characterEncoding=utf8"
    DATABASE_USER: signserver
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mariadb-passwords
          key: mariadb-password
services:
  proxyHttp:
    enabled: true
    type: ClusterIP
    bindIP: 0.0.0.0
    httpPort: 8081
    httpsPort: 8082
ingress:
  enabled: true
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/signserver-ingress-trust-secret"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  hosts:
    - host: "signserver.example.com"
      paths:
        - path: /signserver
          pathType: Prefix
  tls:
    - hosts:
        - signserver.example.com
      secretName: ingress-nginx-credential-secret-ca
#imagePullSecrets:
#  - name: keyfactor-registry
```
Parameter details
| Parameter | Value | Details |
|---|---|---|
| signserver.useEphemeralH2Database | false | If the in-memory internal H2 database should be used |
| signserver.env.DATABASE_JDBC_URL | jdbc:mariadb://mariadb:3306/signserver?characterEncoding=utf8 | Database connection string |
| signserver.env.DATABASE_USER | signserver | Database username |
| signserver.envRaw (DATABASE_PASSWORD) | secretKeyRef: mariadb-passwords / mariadb-password | Database password reference to a key in a Kubernetes secret. |
| services.proxyHttp.enabled | true | If the service for communicating directly with the SignServer container should be enabled |
| ingress.enabled | true | Flag that enables usage of Ingress |
| ingress.className | nginx | Ingress class name |
| ingress.annotations | nginx.ingress.kubernetes.io/... (see above) | Ingress annotations |
| ingress.hosts | signserver.example.com, path /signserver | Ingress host configuration. Tip: When deploying to a local dev cluster, you can use |
| ingress.tls.hosts | signserver.example.com | Ingress TLS host configurations |
| ingress.tls.secretName | secret key value (ingress-nginx-credential-secret-ca) | Ingress TLS reference to a key in a Kubernetes secret. |
| imagePullSecrets | keyfactor-registry | Reference to an image pull secret. Uncomment and adjust this parameter if you're using the Keyfactor Container Registry or a private registry. |
For a list of all supported parameters, see SignServer Helm Deployment Parameters.
Install SignServer
Use the Helm Chart with your values file to install SignServer to a Kubernetes cluster.
Enterprise and Community:
```shell
helm install signserver -f signserver.yaml oci://repo.keyfactor.com/charts/signserver --version 6.3.0
```
Wait for the installation to finish. You can use the following command to monitor the pod creation process:
```shell
kubectl get pods -w -l app.kubernetes.io/instance=signserver
```
Proceed once all pods are ready (1/1):
```text
NAME            READY   STATUS              RESTARTS   AGE
signserver...   0/1     Pending             0          0s
signserver...   0/1     ContainerCreating   0          0s
signserver...   0/1     Running             0          20s
signserver...   1/1     Running             0          40s
```
Step 4 - Finalize installation
Finalize the installation by importing the administrator certificate into your browser and then accessing SignServer using the installed certificate.
Import the administrator certificate
The process of importing a certificate may vary depending on the web browser you are using. The following example outlines how to import a certificate into Mozilla Firefox.
To import the downloaded super administrator P12 keystore:
Open the Firefox application menu and click Settings.
Go to Privacy & Security and in the Security section, click View Certificates.
On the Your Certificates tab, select Import.
Browse to the downloaded P12 file, select the file, and click OK.
Enter the password you specified as the Super Administrator Password in a previous step, and click Sign in.
Click OK to close the Firefox Certificate Manager.
Access SignServer
To access SignServer using the certificate you just installed:
Navigate your browser to https://<hostname>/signserver/adminweb/. When prompted for the SuperAdmin certificate, select the one you just imported and click OK.
SignServer is now successfully deployed.