To install or update Certificate Hub in Kubernetes, run the following script, which is provided with the deployment scripts.

environmentCreationOrUpdate.sh

You can use this script as-is or modify it to fit your Kubernetes policies. The script runs through the following flow.

  1. Source the parameters described in Configuring the deployment.
  2. Create the Kubernetes YAML files from the corresponding templates by replacing parameters.
  3. Create the environment namespace.
  4. Generate (optionally regenerate) the application secrets.
  5. Deploy PostgreSQL 11 from the public Docker image. If you prefer to use a private PostgreSQL 11 image, point to your private registry in the following template distributed with the deployment scripts.

    /environment/postgres/postgres-deployment.yaml
  6. Wait until the PostgreSQL deployment completes.
  7. Create or update the schema.
  8. Deploy the Java ACM-API application.
  9. Deploy the Ingress definitions.

To deploy a new environment, run the following command.

./environmentCreationOrUpdate.sh --tag <tag> --create --password <password> --postgres-pwd <postgres-pwd> --smtp-pwd <smtp-pwd> --pvc-storage <pvc-storage>

To upgrade a deployment, run the following command.

./environmentCreationOrUpdate.sh --tag <tag>

Intellitrust is now Entrust Identity as a Service (IDaaS), and its redirect URL changed with the 2.0.1 upgrade. If you had added Intellitrust as an identity provider in Certificate Hub, update the IDaaS configuration to use the new redirect URL after upgrading.

As detailed in the following sections, the script prompts for the values of some parameters when they are omitted from the command line.

-a, --allow-untrusted-CAGW

Accept self-signed or private CA Gateway server certificates when consuming CA Gateway's HTTPS API.

This option is for testing only, not for production. It accepts CA Gateway server certificates that do not chain to a trusted CA, which exposes the connection to man-in-the-middle attacks.

For production, upload the private CA's certificate chain as a trust store instead: Certificate Hub supports a separate trust store for each CA Gateway and Source Configuration.

--add-namespace

Create the environment namespace when using the --create option; set its name with the -n, --namespace option.

Omit this option if the namespace already exists.

-c, --create

On the first execution, trigger the generation of the secrets and the database schema.

If you omitted this option on the first execution, delete the namespace and run the script again with --create.

-g, --generate-JWT-secret

Trigger the regeneration of the JWT secret for client session authentication. This advanced switch invalidates all existing sessions and is rarely required.

-k, --encryption-key-file <key-file>

Use the key in <key-file> to encrypt the sensitive data stored in the database. When you omit this option, the Certificate Hub deployment generates a random encryption key.

If you use the embedded database option, the backup and restore operations include the encryption key. Consider supplying your own key only if you use an external database and external services for backup and restore; in that case you are responsible for backing up the key together with the data, because the encrypted data cannot be recovered without it.

The <key-file> file must contain the base64 encoding of a 32-byte key. Use echo -n so that the trailing newline does not become part of the key (which would make it 33 bytes), for example:

echo -n "This is a custom encryption key." | base64 > encryption.key

A passphrase like the one above has far less entropy than a random 32-byte key. Prefer a cryptographically random key, generated for example with:

openssl rand -base64 32 > encryption.key
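The following shell functions are an added example and are not part of the Entrust deployment scripts. They check a key file before you pass it to --encryption-key-file: the contents must be valid base64 that decodes to exactly 32 bytes. They also report whether every decoded byte is printable ASCII, which is the signature of a typed passphrase such as the one above rather than a random key. The function names and the sample key files the demo creates are this example's own.

```shell
#!/bin/sh
# Added example (not Entrust code): validate a key file for --encryption-key-file.
# Requirement from the deployment docs: base64 text that decodes to a 32-byte key.

# check_key_file FILE
# Returns 0 when FILE decodes to exactly 32 bytes; prints the reason and returns 1 otherwise.
check_key_file() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  tmp=$(mktemp) || return 1
  # Strict decode: GNU base64 -d rejects characters outside the alphabet,
  # but tolerates the trailing newline that `base64` itself writes to the file.
  if ! base64 -d "$file" > "$tmp" 2>/dev/null; then
    echo "$file is not valid base64" >&2
    rm -f "$tmp"
    return 1
  fi
  len=$(wc -c < "$tmp" | tr -d ' ')
  rm -f "$tmp"
  if [ "$len" -ne 32 ]; then
    # The usual cause of 33 is `echo` without -n encoding a newline into the key.
    echo "decoded key is $len bytes, expected 32" >&2
    return 1
  fi
  return 0
}

# key_is_printable_ascii FILE
# Returns 0 when every decoded byte is printable ASCII, i.e. the "key" is a typed
# passphrase. A random 32-byte key is all-printable with probability (95/256)^32,
# so treat a 0 return as a warning. Call only after check_key_file has passed.
key_is_printable_ascii() {
  n=$(base64 -d "$1" 2>/dev/null | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Demo over constructed sample files: one random key, one passphrase, two broken files.
demo() {
  d=$(mktemp -d)
  head -c 32 /dev/urandom | base64 > "$d/random.key"                        # like openssl rand -base64 32
  printf '%s' "This is a custom encryption key." | base64 > "$d/phrase.key"   # 32 printable bytes (echo -n)
  printf '%s\n' "This is a custom encryption key." | base64 > "$d/newline.key" # 33 bytes: newline included
  printf '%s' "too short" | base64 > "$d/short.key"                          # 9 bytes
  for f in "$d"/*.key; do
    if check_key_file "$f"; then
      if key_is_printable_ascii "$f"; then
        echo "$f: valid length, but looks like a passphrase; prefer a random key"
      else
        echo "$f: OK"
      fi
    fi
  done
  rm -rf "$d"
}

demo
```

Run the script before deploying; a file that fails check_key_file is rejected or silently produces a wrong-length key, and a file flagged by key_is_printable_ascii should be replaced by the openssl rand output above.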

-n, --namespace <namespace>

Set the <namespace> environment namespace when using the --add-namespace option.

--password <password>

Set <password> as the password of the initial administrative user. Quote or escape the password on the command line; some special characters otherwise cause the user creation job to fail. Because a password given on the command line is visible in shell history and process listings, consider omitting this option and entering the password at the prompt instead. After the first login, you are redirected to the Change Password page to replace this temporary one-time password with one that meets the password strength requirements.

Default value: Prompted to the user.

--postgres-user <postgres-user>

Authenticate to the Certificate Hub database as the <postgres-user> user.

Default value: postgres

--postgres-pwd <postgres-pwd>

Authenticate to the Certificate Hub database with the <postgres-pwd> password. As with --password, prefer entering the value at the prompt over passing it on the command line.

Default value: Prompted to the user.

--pvc-storage <size>

Allocate <size> of storage for the Kubernetes Persistent Volume Claim, where <size> is one of:

  • A plain integer (bytes).
  • A fixed-point number with one of the decimal suffixes E, P, T, G, M, K (powers of 1000).
  • A fixed-point number with one of the power-of-two suffixes Ei, Pi, Ti, Gi, Mi, Ki (powers of 1024). Note that 1G is 10^9 bytes, whereas 1Gi is 2^30 bytes; the suffixes are case-sensitive.

See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers

Default value: 1Gi
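The following shell function is an added example and not part of the Entrust deployment scripts. It parses a --pvc-storage value with exactly the grammar listed above (integer or fixed-point number, optional decimal or power-of-two suffix) and converts it to bytes, so the difference between, say, 1G and 1Gi is visible before the claim is created. The function name and the sample values are this example's own.

```shell
#!/bin/sh
# Added example (not Entrust code): parse a --pvc-storage <size> value and print bytes.
# Grammar from the docs: integer or fixed-point number, optionally followed by
# E P T G M K (powers of 1000) or Ei Pi Ti Gi Mi Ki (powers of 1024).

# pvc_size_to_bytes SIZE
# Prints the byte count and returns 0; returns 1 for a malformed value.
pvc_size_to_bytes() {
  size="$1"
  # Suffixes are case-sensitive, and a fixed-point number needs digits on both sides of the dot.
  printf '%s\n' "$size" | grep -Eq '^[0-9]+(\.[0-9]+)?([EPTGMK]i?)?$' || return 1
  num=$(printf '%s' "$size" | sed 's/[A-Za-z]*$//')
  suf=$(printf '%s' "$size" | sed 's/^[0-9.]*//')
  case "$suf" in
    '')  mult=1 ;;
    K)   mult=1000 ;;
    M)   mult=1000000 ;;
    G)   mult=1000000000 ;;
    T)   mult=1000000000000 ;;
    P)   mult=1000000000000000 ;;
    E)   mult=1000000000000000000 ;;
    Ki)  mult=1024 ;;
    Mi)  mult=1048576 ;;
    Gi)  mult=1073741824 ;;
    Ti)  mult=1099511627776 ;;
    Pi)  mult=1125899906842624 ;;
    Ei)  mult=1152921504606846976 ;;
  esac
  # awk handles the fixed-point case; %.0f prints the product without exponent notation.
  awk -v n="$num" -v m="$mult" 'BEGIN { printf "%.0f\n", n * m }'
}

# Usage: the default, a few valid alternatives, and a common misspelling.
for s in 1Gi 1G 1.5Gi 512Mi 100 1gi; do
  if b=$(pvc_size_to_bytes "$s"); then
    echo "$s = $b bytes"
  else
    echo "$s: not a valid size (suffixes are case-sensitive)"
  fi
done
```

Pass the value to the script exactly as written in the command line above (--pvc-storage 1Gi); the function only helps you confirm what that value means before the volume is provisioned.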

-t, --tag <tag>

Deploy the <tag> version of the Entrust Docker images.

When upgrading, the provided tag must differ from the tag of the current deployment: Kubernetes detects the changed image reference and rolls out the new version. A reused tag, including latest, does not trigger a rollout, so pin an explicit version tag when upgrading.

Default value: latest