Is it possible to configure TLS certs for contour in the embedded installation? I can see how to set them up for the kots admin itself, but not for contour.
There is a secret deployed alongside your application named `kotsadm-tls`. This certificate comes from a file uploaded on the customer's config screen. The secret can be used to configure contour TLS.
This secret is only available for embedded installations and is deployed in the same namespace as your application and kotsadm and therefore cannot be used in custom namespaces.
Contour uses Envoy's SNI feature to provide TLS support. This requires that your certificate be associated with a valid host domain name (not an IP address) and that the hostname appears in the ingress's `spec.tls.hosts` and `spec.rules.host` fields as shown below. In the following example we collect the hostname from the application config.
See below for an example:
ingress.yaml

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: backend
spec:
  tls:
  - secretName: kotsadm-tls
    hosts:
    - repl{{ ConfigOption "hostname"}}
  backend:
    serviceName: frontend
    servicePort: 80
  rules:
  - host: repl{{ ConfigOption "hostname"}}
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
```
config.yaml

```yaml
apiVersion: kots.io/v1beta1
kind: Config
metadata:
  name: contour-example
spec:
  groups:
  - name: general
    title: General
    items:
    - name: hostname
      title: Hostname
      type: text
      required: true
```
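A pre-flight check for the SNI requirement described in the answer above, added here as an example and not part of the original post or of KOTS/Contour: it verifies that the value the customer entered for the `hostname` config option is a DNS name rather than an IP literal, and that the certificate stored in the `kotsadm-tls` secret actually covers that name. The function names, the namespace argument and the reliance on `kubectl` and `openssl` being on the path are my assumptions.

```shell
#!/bin/sh
# Pre-flight checks for Contour/Envoy SNI TLS using the kotsadm-tls secret.
# Envoy matches SNI on a DNS name, so an IP literal in spec.tls.hosts will never
# select the certificate, and a certificate whose SAN/CN does not cover the host
# is equally useless. Assumed helper names; not part of KOTS or Contour.
set -eu

# is_dns_hostname NAME -> 0 if NAME is a syntactically valid DNS hostname,
# 1 if it is an IPv4/IPv6 literal or otherwise not a hostname.
is_dns_hostname() {
  case "$1" in
    *:*) return 1 ;;                                   # IPv6 literal
  esac
  if printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' >/dev/null; then
    return 1                                           # IPv4 literal
  fi
  printf '%s\n' "$1" | grep -E \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$' \
    >/dev/null
}

# cert_covers_host CERT_PEM NAME -> 0 if the certificate's SAN (or CN) covers NAME.
# The exit status of `openssl x509 -checkhost` differs between versions, so the
# decision is made on its printed verdict rather than on its exit code.
cert_covers_host() {
  out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>&1) || true
  case "$out" in
    *" does match "*) return 0 ;;
    *) return 1 ;;
  esac
}

# fetch_secret_cert NAMESPACE -> writes the PEM from the kotsadm-tls secret to stdout.
# Assumes kubectl is pointed at the embedded cluster (the secret lives in the
# application namespace, as the answer notes).
fetch_secret_cert() {
  kubectl get secret kotsadm-tls -n "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# check_contour_tls NAMESPACE NAME -> runs both checks against the live secret.
check_contour_tls() {
  ns="$1"; host="$2"
  is_dns_hostname "$host" || { echo "'$host' is not a DNS name; SNI needs one" >&2; return 1; }
  tmp=$(mktemp)
  fetch_secret_cert "$ns" > "$tmp"
  if cert_covers_host "$tmp" "$host"; then
    echo "ok: kotsadm-tls certificate covers $host"; rm -f "$tmp"
  else
    echo "kotsadm-tls certificate does not cover $host" >&2; rm -f "$tmp"; return 1
  fi
}
```

Run it as `check_contour_tls <app-namespace> <hostname>` after the customer has uploaded the certificate and before expecting Contour to serve it.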