# Enable HTTPS from an insecure deployment of cnvrg

Follow the steps below to enable HTTPS in your deployment of cnvrg. There are additional steps required if you environment wasn't deployed with HTTPS enabled originally.


Enabling HTTPS in cnvrg, must involve all connected clusters. Please follow the following steps for each cluster, making sure you also install TLS certificate for each cluster.

# Requirements

  • kubectl utilily and administrative access to the Kubernetes cluster
  • Wildcard TLS certificate for your domain (for each cluster).

# Create secret and patch cnvrgapp and cnvrginfra

Follow the Redeploying TLS certificate instructions. You need to create a TLS secret and enable HTTPS on the cnvrg operator. Then, follow the next steps below.

# Enable HTTPS Scheme for the cluster

Go into the cnvrg GUI. On the left hand side select COMPUTE. Now select RESOURCES. Find the compute resource's (cluster) title and click on the 3 horizontal lines. Select edit resource. Scroll to the bottom of the page, enable option HTTPS Scheme and save your changes.

# Update MinIO to support HTTPS (Optional - skip if not using MinIO for storage)

  1. If using an ingress controller which utilizes the Ingress API, check the MinIO ingress object to confirm if the tls section has been added. If the TLS section is missing, simply delete the ingress object, the operator will recreate the ingress object correctly.


If you are using Istio as your ingress controller this step can be ignored.

Example output:

  ingressClassName: nginx
  - host: minio.cnvrg.me.io
      - backend:
            name: minio
              number: 9000
        path: /
        pathType: Prefix
  - hosts:
    - minio.cnvrg.me.io
    secretName: cnvrg-tls-secret
  1. Exec into the app pod, we will need to update the MinIO endpoint.


A Postgres database backup is always recommenended before making any changes to cnvrg database.

kubectl -n cnvrg exec -it deploy/app -- rails c
  1. Confirm the endpoint is pointing to http not https.

Type "Storage.find(id).credentials" on the rails console. Change "id" to identification-number of the relevant storage (to list all storage objects, you can use the Storage.all command). Then Copy the output and save this output somewhere safe in case it needs to be reverted.

Example output:

 "options"=>{"endpoint"=>"http://minio.cnvrg.me.io", "force_path_style"=>true},
  1. If the endpoint is pointing to http we need to update. Copy the previous output and run the following update command (make sure to change the "id" like we did before).


You should copy the output to a text file so you can update before you copy and paste.


Storage.find(id).update(credentials: {"minio"=>true,
 "options"=>{"endpoint"=>"https://minio.cnvrg.me.io", "force_path_style"=>true},

If the update was successful you should receive the following output: => true

  1. Confirm the update to the endpoint was successful by running "Storage.find(id).credentials" again.

  2. Update the cp-object-storage secret. We need to update the CNVRG_STORAGE_ENDPOINT to include https.


Take the output and update the CNVRG_STORAGE_ENDPOINT environment variable.

kubectl -n cnvrg patch secret cp-object-storage --type='merge' -p '{"stringData": {"CNVRG_STORAGE_ENDPOINT": "https://minio.cnvrg.me.io"}}'
  1. In the cnvrg GUI, go to COMPUTE then STORAGE and confirm cnvrg-storage is Online.


The health check is run every 5 minutes, so if it shows "Offline" confirm the last health check time. You may need to wait a few minutes for the health check to run again.

Last Updated: 12/18/2023, 11:59:59 AM