Install a Custom Signed Certificate
When you first log in to the NetQ UI as part of an on-premises deployment, your browser will display a warning indicating that the default certificate is not trusted. You can avoid this warning by installing your own, custom-signed certificate using the steps outlined on this page. The self-signed certificate is sufficient for non-production environments or cloud deployments.
If you already have a certificate installed and want to change or update it, run the following command before following the steps outlined in this section:

    kubectl delete secret netq-gui-ingress-tls [name] --namespace default

After making your updates, restart nginx with:

    kubectl delete pod -l app.kubernetes.io/name=ingress-nginx --namespace ingress-nginx
You need the following items to perform the certificate installation:
- A valid X509 certificate, containing a Subject Alternative Name (SAN) attribute.
- A private key file for the certificate.
- A DNS record name configured to access the NetQ UI. The FQDN should match the common name of the certificate. If you use a wildcard in the common name (for example, if the common name of the certificate is *.example.com), then the NetQ telemetry server should reside on a subdomain of that domain, accessible via a URL like netq.example.com.
- A functioning and healthy NetQ instance. You can verify this by running the netq show opta-health command.
Install a Certificate using the NetQ CLI
Log in to the NetQ VM via SSH and copy your certificate and key file there.
Generate a Kubernetes secret called netq-gui-ingress-tls:

    cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \
        --namespace default \
        --key <name of your key file>.key \
        --cert <name of your cert file>.crt

Verify that you created the secret successfully:

    cumulus@netq-ts:~$ kubectl get secret
    NAME                   TYPE                DATA   AGE
    netq-gui-ingress-tls   kubernetes.io/tls   2      5s
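The prerequisites above (a SAN-bearing certificate whose names cover the FQDN, and a key that belongs to that certificate) are exactly what browsers and the ingress will trip over if they are wrong, and `kubectl create secret tls` does not check any of them beyond parsing the PEM. The following pre-flight script is an added example, not part of the NetQ documentation; it assumes OpenSSL is available on the NetQ VM and that the function names (`check_cert_pair`, `create_netq_tls_secret`) are hypothetical helpers you keep alongside the procedure. It validates the pair with OpenSSL and only then runs the same `kubectl create secret` command shown above.

```shell
#!/usr/bin/env bash
# Pre-flight validation of a certificate/key pair before creating the
# netq-gui-ingress-tls secret. Added example; not NetQ's own tooling.
# Assumes: openssl on the VM (helper names below are hypothetical).

# Usage: check_cert_pair <cert.crt> <key.key> <fqdn>
# Returns 0 when the pair is usable for the given FQDN, 1 otherwise.
check_cert_pair() {
  local cert="$1" key="$2" fqdn="$3" ok=0

  # 1. The certificate must parse and must not be expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: $cert is not a valid, unexpired X.509 certificate" >&2
    ok=1
  fi

  # 2. It must carry a Subject Alternative Name extension; modern browsers
  #    ignore the Common Name when validating the host.
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
       | grep -q "Subject Alternative Name"; then
    echo "FAIL: $cert has no subjectAltName extension" >&2
    ok=1
  fi

  # 3. The FQDN used to reach the UI must match the certificate's names.
  #    A wildcard such as *.example.com matches exactly one label, so it
  #    covers netq.example.com but not example.com or a.b.example.com.
  if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
       | grep -q "does match"; then
    echo "FAIL: $fqdn does not match any name in $cert" >&2
    ok=1
  fi

  # 4. The private key must belong to this certificate: derive the public
  #    key from both files and compare them (works for RSA and EC keys).
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the public key in $cert" >&2
    ok=1
  fi

  return $ok
}

# Create the secret only after the pair passes every check. The kubectl
# invocation is the one from the NetQ procedure.
create_netq_tls_secret() {
  local cert="$1" key="$2" fqdn="$3"
  check_cert_pair "$cert" "$key" "$fqdn" || return 1
  kubectl create secret tls netq-gui-ingress-tls \
    --namespace default \
    --key "$key" \
    --cert "$cert"
}
```

Run it as `create_netq_tls_secret netq.crt netq.key netq.example.com` on the NetQ VM; each failed check prints its own FAIL line, so a rejected pair tells you whether the problem is expiry, a missing SAN, a name mismatch, or the wrong key file.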
Update the ingress rule file so that the UI ingress uses the new certificate.
Create a new file called ingress.yaml and add the following content to it:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
        nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
        nginx.ingress.kubernetes.io/proxy-body-size: 10g
        nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
      name: netq-gui-ingress-external
      namespace: default
    spec:
      ingressClassName: ingress-nginx-class
      rules:
      - host: <your-hostname>
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: netq-gui
                port:
                  number: 80
      tls:
      - hosts:
        - <your-hostname>
        secretName: netq-gui-ingress-tls

- Replace <your-hostname> with the FQDN of the NetQ VM.

Apply the new rule:

    cumulus@netq-ts:~$ kubectl apply -f ingress.yaml
    ingress.extensions/netq-gui-ingress-external configured

The message above appears if your ingress rule is successfully configured.
Configure the NetQ API to use the new certificate by updating the Swagger ingress rule file.
Create a new file called swagger-ingress.yaml and add the following content to it:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-body-size: 10g
        nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
      name: netq-swagger-ingress-external
      namespace: default
    spec:
      ingressClassName: ingress-nginx-class
      rules:
      - host: <your-hostname>
        http:
          paths:
          - path: "/swagger"
            pathType: Prefix
            backend:
              service:
                name: swagger-ui
                port:
                  number: 8080
      tls:
      - hosts:
        - <your-hostname>
        secretName: netq-gui-ingress-tls

- Replace <your-hostname> with the FQDN of the NetQ VM.

Apply the new rule:

    cumulus@netq-ts:~$ kubectl apply -f swagger-ingress.yaml

Your custom certificate should now be working. Verify this by opening the NetQ UI at https://<your-hostname-or-ipaddr> in your browser.