Assign your own certificate to NAI

When you deploy Nutanix Enterprise AI there will be a default self-signed certificate provided which does the trick for testing but of course this needs to be replaced by a proper TLS certificate when going into production.

Within the client we use the Venafi TLS Trust Protect CyberArk Certificate Manager for generating TLS certificates so that’s the easy part and I won’t explain it over here. After generating my certificates I can download them in different formats. I always choose the PEM (PKCS #8) format (required to work with kubectl), include the root chain, private key, have the Entity first in the chain order and extract the contents into separate files (.crt, .key)

After downloading unzip the files into a folder as we need to remove the password from the key file:

openssl.exe rsa -in <encrypted>.key -out unencrypted.key

Provide the password that the key was encrypted with. After this is done ensure that the key and certificate are correct by checking their md5sum (these should be the same)

openssl rsa -noout -modulus -in uncrypted.key | openssl md5
openssl x509 -noout -modulus -in <server>.crt | openssl md5

As the certificate chain is available on our devices used we don’t need to create a certificate chain so we can go straight ahead to uploading the certificate in the k8s cluster.

Create a secret in the nai-system namespace using your certificate and private key file

kubectl create secret tls nai-letsencrypt-certificate --cert=<server>.crt --key=./unencrypted.key -n nai-system

Confirm that the Envoy Gateway service is defined as a LoadBalancer type and retrieve its IP address or hostname to validate your DNS records.

kubectl get svc -n envoy-gateway-system -l "gateway.envoyproxy.io/owning-gateway-name=nai-ingress-gateway,gateway.envoyproxy.io/owning-gateway-namespace=nai-system"

From another device I check the DNS record to ensure this is pointing to the IP returned.

All okay. Now we can apply the certificate to the nai-ingress-gateway by patching it to reference the secret created earlier

kubectl patch gateway nai-ingress-gateway -n nai-system --type='json' -p='[{"op": "replace", "path": "/spec/listeners/1/tls/certificateRefs/0/name", "value": "nai-letsencrypt-certificate"}]'

The certificate is applied and there is no warning anymore on the certificate.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *