To configure Certificate Hub in Kubernetes, edit the config.sh
file and configure the following static parameters.
- CAGW_TIMEOUT
- CERT_HUB_HOSTNAME
- CLUSTER_TYPE
- DOCKER_REGISTRY
- DOCKER_REPOSITORY
- IMAGE_PULL_SECRETS_NAME
- INITIAL_USER
- INITIAL_USER_EMAIL
- INITIAL_USER_PASSWORD
- KUBECTL
- LATEST_DISCOVERY_SCANNER_VERSION
- NAMESPACE
- POSTGRES_HOST_API
- POSTGRES_PORT
- POSTGRES_PWD
- POSTGRES_SSL_ROOT_CRT
- POSTGRES_SSLMODE
- POSTGRES_USER
- PROXY_EXCLUDE_DOMAINS
- PROXY_HOST
- PROXY_PORT
After creating the Certificate Hub environment in Kubernetes, you can still modify the proxy settings by editing the configuration maps with kubectl or similar.
CAGW_TIMEOUT
The timeout value for the CA Gateway calls, in seconds.
Mandatory: No. When omitted, this value defaults to 60 seconds.
CERT_HUB_HOSTNAME
The base hostname of the Kubernetes Ingress routing to the application.
Mandatory: Yes.
CLUSTER_TYPE
Make sure this parameter has an empty value.
CLUSTER_TYPE=''
You can also simply omit the parameter.
Mandatory: No.
DOCKER_REGISTRY
The registry from which to pull the private Entrust Docker images.
Mandatory: Yes.
DOCKER_REPOSITORY
The name in the Docker registry of the repository for pushing the Certificate Hub images. This name will be prepended as a directory to all the images. It may contain multiple path components. In an OpenShift environment, this equates to a project.
Mandatory: Yes.
IMAGE_PULL_SECRETS_NAME
The name of a preconfigured imagePullSecrets registry credential to use for the Entrust images.
Mandatory: No.
INITIAL_USER
The username of the initial administrator.
Mandatory: Yes.
INITIAL_USER_EMAIL
The email address of the initial administrator.
Mandatory: Yes.
INITIAL_USER_PASSWORD
A temporary password for the initial administrator. Ensure that this temporary password does not include special characters such as '#', '!', or '*'.
After the initial login, the administrator will be prompted to create a new password that meets a specific set of password strength requirements.
Mandatory: Yes.
KUBECTL
The Kubernetes command-line tool. This parameter is useful in environments such as OpenShift, where the command has a different name.
Mandatory: No. This optional value defaults to kubectl.
LATEST_DISCOVERY_SCANNER_VERSION
The version identifier communicated to the Discovery Scanner instances. The instances will compare this value with the local version and show a local warning if an upgrade is available.
Mandatory: Yes.
NAMESPACE
The Kubernetes namespace to deploy Certificate Hub under. The application will be available at:
https://<CERT_HUB_HOSTNAME>/<NAMESPACE>
Mandatory: Yes.
POSTGRES_HOST_API
The host of an external PostgreSQL database.
Mandatory: No. If omitted, Certificate Hub uses an internal database instead.
POSTGRES_PORT
The port for connecting to an external PostgreSQL database.
Mandatory: When using an external database.
POSTGRES_PWD
The user password of the internal or external database.
Mandatory: Yes.
POSTGRES_SSL_ROOT_CRT
The path of the file that contains the root CA certificate for connecting with an external PostgreSQL database.
Mandatory: When using an external database and POSTGRES_SSLMODE is verify-ca or verify-full.
POSTGRES_SSLMODE
The SSL mode for connecting with an external PostgreSQL database. Supported values are:
- require
- verify-ca
- verify-full
See https://www.postgresql.org/docs/current/libpq-ssl.html for a description of each mode.
Each of the supported modes requires SSL to be enabled.
Mandatory: When using an external database.
POSTGRES_USER
The user name of the internal or external database.
Mandatory: Yes.
PROXY_EXCLUDE_DOMAINS
The external hosts you want to access without the proxy, as a comma-separated list of IP addresses or domain names.
This field does not support wildcards.
Mandatory: No. If omitted, Certificate Hub does not use a proxy.
PROXY_HOST
The IP or domain name of the proxy server.
Mandatory: No. If omitted, Certificate Hub does not use a proxy.
PROXY_PORT
The port number of the proxy server (if any).
Mandatory: No. If omitted, Certificate Hub does not use a proxy.
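The following is an added example and not code from the Entrust documentation or from the product's own config.sh: a POSIX sh function that checks a sourced config.sh against the rules in this reference (the unconditionally mandatory parameters, the empty CLUSTER_TYPE, the '#', '!' and '*' restriction on the temporary password, the parameters that become mandatory with an external database and a verify-* SSL mode, and the proxy settings). The variable names are those of config.sh; the function name validate_cert_hub_config, its messages, the sample values and the usage line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Entrust Certificate Hub or its config.sh:
# validate a sourced config.sh against the parameter rules of the reference.
# Usage (assumed workflow): . ./config.sh && validate_cert_hub_config
# Prints one line per problem found and returns 0 only when none is found.

validate_cert_hub_config() {
  errors=0

  # Parameters the reference marks as mandatory in every deployment.
  for name in CERT_HUB_HOSTNAME DOCKER_REGISTRY DOCKER_REPOSITORY \
              INITIAL_USER INITIAL_USER_EMAIL INITIAL_USER_PASSWORD \
              LATEST_DISCOVERY_SCANNER_VERSION NAMESPACE \
              POSTGRES_PWD POSTGRES_USER; do
    eval "value=\${$name}"
    if [ -z "$value" ]; then
      echo "missing mandatory parameter: $name"
      errors=$((errors + 1))
    fi
  done

  # CLUSTER_TYPE must be empty or unset for a Kubernetes deployment.
  if [ -n "${CLUSTER_TYPE}" ]; then
    echo "CLUSTER_TYPE must be empty, got '${CLUSTER_TYPE}'"
    errors=$((errors + 1))
  fi

  # The temporary administrator password must not contain '#', '!' or '*'.
  case "${INITIAL_USER_PASSWORD}" in
    *'#'*|*'!'*|*'*'*)
      echo "INITIAL_USER_PASSWORD must not contain '#', '!' or '*'"
      errors=$((errors + 1)) ;;
  esac

  # External database: POSTGRES_PORT and POSTGRES_SSLMODE become mandatory,
  # and the verify-* modes additionally need the root CA certificate file.
  if [ -n "${POSTGRES_HOST_API}" ]; then
    if [ -z "${POSTGRES_PORT}" ]; then
      echo "POSTGRES_PORT is mandatory with an external database"
      errors=$((errors + 1))
    fi
    case "${POSTGRES_SSLMODE}" in
      require) ;;
      verify-ca|verify-full)
        if [ -z "${POSTGRES_SSL_ROOT_CRT}" ]; then
          echo "POSTGRES_SSL_ROOT_CRT is mandatory when POSTGRES_SSLMODE is ${POSTGRES_SSLMODE}"
          errors=$((errors + 1))
        fi ;;
      *)
        echo "POSTGRES_SSLMODE must be require, verify-ca or verify-full, got '${POSTGRES_SSLMODE}'"
        errors=$((errors + 1)) ;;
    esac
  fi

  # Proxy: host and port are only meaningful together, and the exclusion
  # list does not support wildcards.
  if [ -n "${PROXY_HOST}" ] && [ -z "${PROXY_PORT}" ]; then
    echo "PROXY_HOST is set but PROXY_PORT is empty; no proxy will be used"
    errors=$((errors + 1))
  fi
  if [ -z "${PROXY_HOST}" ] && [ -n "${PROXY_PORT}" ]; then
    echo "PROXY_PORT is set but PROXY_HOST is empty; no proxy will be used"
    errors=$((errors + 1))
  fi
  case "${PROXY_EXCLUDE_DOMAINS}" in
    *'*'*)
      echo "PROXY_EXCLUDE_DOMAINS does not support wildcards: '${PROXY_EXCLUDE_DOMAINS}'"
      errors=$((errors + 1)) ;;
  esac

  [ "$errors" -eq 0 ]
}
```

The function accepts require because the reference lists it, but the libpq documentation linked above states that only verify-ca and verify-full check the server certificate (verify-full also checks the host name), so for an external database an operator would normally choose one of those two and supply POSTGRES_SSL_ROOT_CRT; the function then enforces that the certificate path is present.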