CockroachDB admin UI HTTPS configuration

I am using CockroachDB on Kubernetes (GKE). I have exposed cockroachdb-public to a load balancer to access the admin UI. I am able to access the admin UI by the load balancer IP, but my browser considers the certificate invalid; after accepting the risk and continuing, I could access the admin UI.

Now I want to get rid of this message and configure a custom CA certificate using Let's Encrypt and configure SSL with that. Is there any way to configure SSL on the CockroachDB UI?

What I did:

I have followed the steps from the link below and generated my domain certificates, but I have no idea where I have to upload that certificate and key in Kubernetes.

https://www.cockroachlabs.com/docs/stable/create-security-certificates-custom-ca.html#accessing-the-admin-ui-for-a-secure-cluster

Hi @shivraj,

Have you checked our Kubernetes tutorial? We recently updated it to include instructions for using a custom CA rather than Kubernetes' built-in CA. Check the details in this step in particular: https://www.cockroachlabs.com/docs/stable/orchestrate-cockroachdb-with-kubernetes.html#step-2-start-cockroachdb.

This sub-step is already relevant: https://www.cockroachlabs.com/docs/stable/orchestrate-cockroachdb-with-kubernetes.html#non-kubernetes-ca.

Hope this helps! Let me know.

Best,
Jesse

@jesse Thanks for the quick reply. I have been using my CockroachDB cluster for a year, and it is using the Kubernetes built-in CA. I don't want to change that. I only need the CockroachDB admin UI configured for HTTPS. Is it possible?

I want to remove this message and make the admin UI secure. I already have my domain SSL cert and key generated. I am wondering where I can upload that to the running Kubernetes cluster.

Hi @shivraj,

I misunderstood the question initially. Sorry about that. I'll ask around about how to properly get a custom cert for the Admin UI into the Kubernetes cluster. I suspect you need to get the cert into the Kubernetes cluster as a secret, similar to what's mentioned in this app deployment tutorial: https://www.cockroachlabs.com/docs/cockroachcloud/stable/deploy-a-python-to-do-app-with-flask-kubernetes-and-cockroachcloud.html#step-2-create-a-kubernetes-secret.

Best,
Jesse

Hi again @shivraj,

I’ve discussed with CockroachDB devs, and unfortunately, it doesn’t seem easy or even possible to use a custom CA for the admin UI but the Kubernetes built-in CA for everything else. The problem is CockroachDB requires the UI certs and the node certs to be in the same directory. But based on our testing, when you attempt to load the UI certs from a K8s secret into a directory, it prevents the Kubernetes CSR container from writing to that directory. We’ve opened a GitHub issue to find a solution to this.

In the meantime, if you require the admin UI to use a public CA, our recommendation is to change your cluster to use CockroachDB-generated node certificates and public UI certificates. If you can go that route, you’d use the “non-Kubernetes CA” files and instructions here: https://www.cockroachlabs.com/docs/v19.2/orchestrate-cockroachdb-with-kubernetes.html#step-2-start-cockroachdb. And you’d supplement that with certs and secrets for the Admin UI:

  1. Use https://letsencrypt.org/ or another public CA to generate the Admin UI ui.crt and ui.key, as suggested here: https://www.cockroachlabs.com/docs/stable/create-security-certificates-custom-ca.html#accessing-the-admin-ui-for-a-secure-cluster.

  2. Put those files in the local directory containing the other cert files for the cluster, e.g., certs/.

Then proceed to initialize the cluster.

I hope this helps. Let us know.

Best,
Jesse
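As an added example (not from the thread or from CockroachDB's own docs), the following POSIX shell helpers check the local certs/ directory from step 2 before it is packaged into the Kubernetes Secret, and flag a ui.crt that is inside a renewal window, which matters for a 90-day Let's Encrypt certificate. Assumed: CockroachDB's conventional file names (ca.crt, node.crt, node.key, ui.crt, ui.key), openssl and kubectl on PATH, and a Secret name of cockroachdb.node that must match whatever the StatefulSet manifest mounts.

```shell
# Added example, not from the thread or CockroachDB: sanity-check the certs/
# directory before creating the Kubernetes Secret that the pods will mount.
# Assumptions: CockroachDB file names (ca.crt, node.crt, node.key, ui.crt,
# ui.key); openssl and kubectl on PATH; Secret name cockroachdb.node, which
# must match the name referenced in your StatefulSet manifest.

# Return 0 if DIR holds every file CockroachDB expects beside the UI cert
# (the thread notes node and UI certs must live in the same directory).
certs_dir_complete() {
  dir="$1"
  for f in ca.crt node.crt node.key ui.crt ui.key; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  return 0
}

# Return 0 if ui.crt and ui.key carry the same public key, i.e. belong together.
ui_keypair_matches() {
  crt_pub=$(openssl x509 -in "$1/ui.crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1/ui.key" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if ui.crt expires within DAYS days (time to renew and recreate the
# Secret), 1 if it is still fine. An unreadable cert also counts as "renew".
ui_cert_expires_within() {
  # -checkend exits 0 while the cert is still valid after N seconds
  if openssl x509 -in "$1/ui.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the Secret manifest for DIR without contacting a cluster; pipe it to
# `kubectl apply -f -` once the two checks above pass.
secret_manifest() {
  kubectl create secret generic "${2:-cockroachdb.node}" \
    --from-file="$1" --dry-run=client -o yaml
}

# Usage (after placing ui.crt/ui.key in certs/ as in step 2):
#   certs_dir_complete certs && ui_keypair_matches certs && secret_manifest certs
```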

@jesse, thank you for the guidance. I have created a new cluster on Kubernetes with a custom CA and it worked fine, and I am able to open the CockroachDB UI over HTTPS with my CA. Now I have some queries on this; can you please help me out?

  1. I have registered SSL certificates from the https://www.sslforfree.com/ website and they have a 3-month validity. Is there any auto-renew option in CockroachDB after 3 months, or do I have to generate it manually every quarter and upload it to the k8s secret?

  2. For a new cluster it works, but I already have multiple clusters running on the k8s cluster and I want to set that up on a running cluster. How can I configure / upload SSL on a running k8s cluster?