Add custom SSL certificate to Pliant

By default, Pliant uses HTTPS with a self-signed certificate. This causes a security warning in the browser that users have to click past to reach Pliant. Replacing that certificate with one signed by a trusted Certificate Authority (CA) removes the warning.

Pliant recommends using the full certificate chain in your certificate file if possible.

Instructions

We assume here that you have already generated the private key and obtained the signed certificate from a trusted CA. If this is not the case, an example of how to proceed is here: SSL Store Example

If your key and cert are in a pfx file, you will need to convert that file into two files:
cert.pem (containing the SSL cert or full cert chain)
key.pem (containing only the private key)

  1. Upload the certificate and private key files to the Pliant host or Kubernetes management station

  2. SSH to the Pliant host or Kubernetes management station

  3. Rename the certificate file to “cert.pem” and the key file to “key.pem”, then place them into a directory called “cert”. You can use the following commands:

3a. Add the current paths/names of the certificate and key files here

certfile=
keyfile=

3b. Create a directory to temporarily hold the cert/key pair

mkdir cert

3c. Move the certificate and key into that folder with new names

mv "$certfile" cert/cert.pem
mv "$keyfile" cert/key.pem

If you are replacing a previous custom SSL cert, you must first delete the existing secret using this command:

kubectl delete secret pliant-ssl-cert

  4. Create a Kubernetes secret object from that directory

kubectl create secret generic pliant-ssl-cert --from-file=cert/

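  5. Patch the pliant-proxy deployment so that it uses the new secret. The defaultMode value 384 is the decimal form of octal 0600, so the mounted certificate and key files are readable and writable only by their owner. Paste in all of the following text as a single command: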

kubectl patch deployment/pliant-proxy --patch "$(echo -e "spec:
  template:
    spec:
      containers:
$(kubectl get deployment pliant-proxy -o yaml |grep -e '- image')
        name: pliant-proxy
        volumeMounts:
        - mountPath: /etc/nginx/cert
          name: cert
      volumes:
      - name: cert
        secret:
          defaultMode: 384
          secretName: pliant-ssl-cert")"

The pliant-proxy will then restart automatically. Any subsequent sessions to the Pliant web interface or remote API connections will use the new certificate.

If the new SSL cert is still not appearing, use this command to restart the pliant-proxy:

kubectl rollout restart deployment pliant-proxy
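
A check that can be run on the cert/ directory from step 3 before creating the secret in step 4: it confirms that key.pem holds only a private key, that the first certificate in cert.pem matches that key, and that the certificate has not expired. This is an added example, not part of the Pliant instructions; the function name check_cert_pair and its return codes are hypothetical, it needs the openssl command-line tool, and it assumes the proxy is given no passphrase for the key.

```shell
#!/bin/sh
# Added example: pre-flight check for cert/cert.pem and cert/key.pem.
# check_cert_pair and its return codes are hypothetical, chosen for this example.
# Requires the openssl command-line tool.

check_cert_pair() {
  cert=$1; key=$2

  [ -r "$cert" ] && [ -r "$key" ] || {
    echo "cannot read $cert or $key" >&2; return 2; }

  # key.pem should contain only the private key, no certificates.
  if grep -q -e '-BEGIN CERTIFICATE-' "$key"; then
    echo "$key also contains a certificate" >&2; return 3
  fi

  # Assumption: the proxy is given no passphrase, so the key must load without
  # one. "-passin pass:" supplies an empty passphrase, which makes openssl
  # fail on an encrypted key instead of prompting.
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
    echo "$key is encrypted or not a valid private key" >&2; return 4; }

  # openssl x509 reads only the first certificate in the file. With a full
  # chain that must be the server certificate, followed by the intermediates.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
    echo "no readable PEM certificate in $cert" >&2; return 5; }

  # Identical public keys mean the certificate was issued for this key.
  [ "$cert_pub" = "$key_pub" ] || {
    echo "first certificate in $cert does not match $key" >&2; return 6; }

  # -checkend 0 exits non-zero when the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
    echo "$cert has expired" >&2; return 7; }

  # Show what is about to be loaded into the secret.
  openssl x509 -in "$cert" -noout -subject -issuer -enddate
}

# Usage, from the directory that holds cert/:
#   check_cert_pair cert/cert.pem cert/key.pem
```

A non-zero return code means the pair should be fixed before running kubectl create secret.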