webrecorder / browsertrix

Browsertrix is the hosted, high-fidelity, browser-based crawling service from Webrecorder designed to make web archiving easier and more accessible for all!
https://webrecorder.net/browsertrix
GNU Affero General Public License v3.0

[Feature]: Use own SSL Certificate for auth-signing #2077

Open gitreich opened 1 month ago

gitreich commented 1 month ago

What change would you like to see?

I would like to use my own SSL certificate for the btrix deployment and not one from ACME (Let's Encrypt).

I copied microk8s-hosted.yaml from charts/examples to charts/onb-config.

I changed the following things in the config:

```yaml
ingress:
  # required: set host to use tls
  # uncomment and replace example below with your registered domain
  host: "full.qualified.server.name"

  # required: set email to use tls
  # uncomment and replace example below with your valid email address
  cert_email: "myemail@example.com"

  scheme: "https"
  tls: true
  certFile: "../../certs/my.crt"
  certKey: "../../certs/my.key"

ingress_class: "public"

signer:
  enabled: true

  # uncomment and replace example below with your registered domain
  host: "full.qualified.server.name"
  secret: "my-tls"
```

The secret was added beforehand with `microk8s kubectl create secret tls my-tls --namespace default --key=certs/my.key --cert=certs/my.crt -o yaml`.

Context

Deployment on a remote host

gitreich commented 1 month ago

Solved for the signer. Changed file: charts/values.yaml

```yaml
# Ingress (Optional)
# Optional: if 'host' is set, a publicly accessible Ingress controller is created with an SSL cert (using letsencrypt)
ingress:
#  host: "full.qualified.server.name"
#  cert_email: "email@example.com"
  tls:
    - hosts:
        - "full.qualified.server.name"
      secretName: "my-tls"
  # Optional: Uncomment to use your own cluster-issuer instead of default ACME https validation
  custom_cluster_issuer: "my-ca-issuer"
```

I also added a ClusterIssuer like this:

```shell
microk8s kubectl apply -n cert-manager -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    secretName: my-tls
EOF
```

It returned: `clusterissuer.cert-manager.io/my-ca-issuer configured`

But on port 80 I still have no valid certificate.

gitreich commented 1 month ago

Now I have a valid certificate for the frontend ingress. Basically I changed 2 lines in charts/templates/ingress.yaml: I added the annotation `nginx.ingress.kubernetes.io/default-ssl-certificate: my-tls` to ingress-main, and in the spec section I set `secretName: my-tls`.

But the auth-signer is still in an endless dying loop. Maybe someone can provide a little help with the config of the auth-signer?

At least I can now crawl and replay with an SSL certificate, and in all browsers!
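Worked example added by the editor; it is not part of this issue or of the browsertrix charts. The thread creates one `my-tls` Secret from a cert/key pair and then points both the ingress and a cert-manager `ca` ClusterIssuer at it. Those two uses need different things from the certificate: the ingress needs a server certificate whose SAN covers the host, while a `ca` issuer signs new certificates with the key pair in its secret, so that certificate has to be a CA (basicConstraints CA:TRUE). The script below runs those pre-flight checks with openssl before `kubectl create secret tls` is run: key matches certificate, SAN covers the ingress host, CA or not, and chain validity. It builds a constructed demo CA and leaf so it runs offline; `full.qualified.server.name`, the file names and the Secret names are placeholders, and `openssl` on PATH is assumed.

```shell
#!/bin/sh
# Added example (editor's, not from the browsertrix issue or charts).
# Pre-flight checks for a cert/key pair before it becomes a kubernetes.io/tls
# Secret, for the ingress or as the signing pair behind a cert-manager `ca`
# ClusterIssuer. Assumes openssl on PATH; all names and paths are placeholders.
set -eu

# 0 if the private key belongs to the certificate (compares SHA-256 of the DER public keys).
key_matches_cert() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# 0 if the certificate is a CA (basicConstraints CA:TRUE). A cert-manager `ca`
# issuer signs with the pair in its secret, so that certificate must be a CA;
# a plain server certificate there yields leaf certs browsers cannot chain.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# 0 if the certificate's SAN/CN covers the ingress host (what browsers check).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# 0 if the leaf ($2) verifies against the CA certificate ($1).
chain_is_valid() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the kubectl step and say which role the pair is suitable for.
print_k8s_steps() {
  cert=$1; key=$2; secret=$3; ns=$4
  echo "microk8s kubectl create secret tls $secret --namespace $ns --cert=$cert --key=$key"
  if cert_is_ca "$cert"; then
    echo "# $cert is a CA: suitable for a ClusterIssuer of kind ca -> secretName: $secret"
  else
    echo "# $cert is a server cert: use it as the ingress TLS secret, not as a ca issuer's secret"
  fi
}

# Constructed demo PKI (a CA and a leaf it issued) so the checks run offline.
gen_demo_pki() {
  dir=$1; host=$2
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/my.key" -out "$dir/my.csr" -subj "/CN=$host" 2>/dev/null
  cat > "$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -in "$dir/my.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 30 -out "$dir/my.crt" -extfile "$dir/leaf.ext" 2>/dev/null
}

DEMO_HOST=full.qualified.server.name
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
gen_demo_pki "$DEMO_DIR" "$DEMO_HOST"
print_k8s_steps "$DEMO_DIR/my.crt" "$DEMO_DIR/my.key" my-tls default
print_k8s_steps "$DEMO_DIR/ca.crt" "$DEMO_DIR/ca.key" my-ca-tls cert-manager
```

To use it on real files, replace the two `print_k8s_steps` calls with your own cert and key paths, and apply the `ClusterIssuer` only to a secret for which `cert_is_ca` succeeds; the ingress secret is the one for which `cert_covers_host` succeeds with your ingress host.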