# Enable HTTPS from an insecure deployment of cnvrg
Follow the steps below to enable HTTPS in your deployment of cnvrg. Additional steps are required if your environment wasn't originally deployed with HTTPS enabled.
Note
Enabling HTTPS in cnvrg must involve all connected clusters. Follow these steps for each cluster, making sure you also install a TLS certificate for each cluster.
# Requirements
- kubectl utility and administrative access to the Kubernetes cluster
- Wildcard TLS certificate for your domain (for each cluster).
# Create secret and patch cnvrgapp and cnvrginfra
Follow the Redeploying TLS certificate instructions. You need to create a TLS secret and enable HTTPS on the cnvrg operator. Then, follow the next steps below.
# Enable HTTPS Scheme for the cluster
Go into the cnvrg GUI. On the left-hand side select `COMPUTE`. Now select `RESOURCES`. Find the compute resource's (cluster) title and click on the 3 horizontal lines. Select `edit resource`. Scroll to the bottom of the page, enable the option `HTTPS Scheme` and save your changes.
# Update MinIO to support HTTPS (Optional - skip if not using MinIO for storage)
- If using an ingress controller which utilizes the `Ingress` API, check the MinIO ingress object to confirm that the `tls` section has been added. If the TLS section is missing, simply delete the ingress object; the operator will recreate it correctly.
NOTE
If you are using Istio as your ingress controller this step can be ignored.
Example output:

```yaml
spec:
  ingressClassName: nginx
  rules:
  - host: minio.cnvrg.me.io
    http:
      paths:
      - backend:
          service:
            name: minio
            port:
              number: 9000
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - minio.cnvrg.me.io
    secretName: cnvrg-tls-secret
```
- Exec into the app pod; we will need to update the MinIO endpoint.
Note
A Postgres database backup is always recommended before making any changes to the cnvrg database.

```bash
kubectl -n cnvrg exec -it deploy/app -- rails c
```
- Confirm the endpoint is pointing to `http` not `https`.
Type `Storage.find(id).credentials` on the rails console. Change `id` to the identification number of the relevant storage (to list all storage objects, you can use the `Storage.all` command).
Then copy the output and save it somewhere safe in case it needs to be reverted. The output includes the storage access key and secret key.
Example output:

```ruby
{"minio"=>true,
 "region"=>"eastus",
 "options"=>{"endpoint"=>"http://minio.cnvrg.me.io", "force_path_style"=>true},
 "hostname"=>"minio.cnvrg.me.io",
 "encryption"=>nil,
 "access_key_id"=>"XXXXXXXXXXXXXXXXXXXXXX",
 "secret_access_key"=>"XXXXXXXXXXXXXXXXXXX"}
```
- If the endpoint is pointing to `http`, we need to update it. Copy the previous output and run the following update command (make sure to change the `id` like we did before).
TIP
You should copy the output to a text file so you can update it before you copy and paste.
Example

```ruby
Storage.find(id).update(credentials: {"minio"=>true,
  "region"=>"eastus",
  "options"=>{"endpoint"=>"https://minio.cnvrg.me.io", "force_path_style"=>true},
  "hostname"=>"minio.cnvrg.me.io",
  "encryption"=>nil,
  "access_key_id"=>"XXXXXXXXXXXXXXXXXXXXXXX",
  "secret_access_key"=>"XXXXXXXXXXXXXXXXXXXXXXXXXX"})
```
If the update was successful you should receive the following output:

```
=> true
```

Confirm the update to the endpoint was successful by running `Storage.find(id).credentials` again.
- Update the `cp-object-storage` secret. We need to update the `CNVRG_STORAGE_ENDPOINT` to include `https`.
Example:
Take the output and update the `CNVRG_STORAGE_ENDPOINT` environment variable.

```bash
kubectl -n cnvrg patch secret cp-object-storage --type='merge' -p '{"stringData": {"CNVRG_STORAGE_ENDPOINT": "https://minio.cnvrg.me.io"}}'
```
- In the cnvrg GUI, go to `COMPUTE` then `STORAGE` and confirm cnvrg-storage is `Online`.
Note
The health check is run every 5 minutes, so if it shows "Offline" confirm the last health check time. You may need to wait a few minutes for the health check to run again.
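
The endpoint update in the MinIO steps above can be done without retyping the access keys. This is an added example, not cnvrg's own code: `with_https_endpoint` and `redacted` are hypothetical helpers, the sample hash is constructed, and the console usage in the closing comment assumes the `Storage` model behaves as in the commands above.

```ruby
require "uri"

# Constructed sample mirroring the shape of the Storage credentials shown above.
SAMPLE_CREDENTIALS = {
  "minio" => true,
  "region" => "eastus",
  "options" => { "endpoint" => "http://minio.cnvrg.me.io", "force_path_style" => true },
  "hostname" => "minio.cnvrg.me.io",
  "encryption" => nil,
  "access_key_id" => "EXAMPLE-ACCESS-KEY",
  "secret_access_key" => "EXAMPLE-SECRET-KEY"
}.freeze

# Hypothetical helper: returns a deep copy of the hash with only the endpoint
# scheme switched to https. The input is never mutated, so it stays usable
# as the revert value.
def with_https_endpoint(credentials)
  updated = Marshal.load(Marshal.dump(credentials))
  endpoint = updated.dig("options", "endpoint")
  raise ArgumentError, "credentials have no options.endpoint" unless endpoint.is_a?(String)

  uri = URI.parse(endpoint)
  case uri.scheme&.downcase
  when "https" then return updated # already migrated, nothing to change
  when "http"  then updated["options"]["endpoint"] = endpoint.sub(/\Ahttp:/i, "https:")
  else raise ArgumentError, "unexpected endpoint scheme: #{uri.scheme.inspect}"
  end
  updated
end

# Hypothetical helper: copy of the hash with both keys masked, for printing
# or pasting into a change record.
def redacted(credentials)
  credentials.merge("access_key_id" => "[REDACTED]", "secret_access_key" => "[REDACTED]")
end

# Assumed Rails console usage (Storage is the model used in the steps above):
#   storage = Storage.find(id)
#   storage.update(credentials: with_https_endpoint(storage.credentials))
#   redacted(storage.reload.credentials)
```

Because the helper rejects any scheme other than `http` or `https`, a malformed or unexpected endpoint raises an error before anything is written to the database.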