Replace the service certificate

The default Deep Security Smart Check install creates a self-signed TLS certificate for example.com. This certificate is re-generated every time you upgrade Deep Security Smart Check or perform an update using helm upgrade, so users may get into the habit of accepting insecure communications and may get annoyed with having to click through certificate warnings.

To improve security and usability for your users, replace this certificate with your own certificate with the correct host and address information, issued by a trusted certificate authority.

You will also need to replace the default certificate if you want to enable pre-registry scanning.

  1. Obtain a certificate from a trusted certificate authority. There will be two associated files: a certificate and a private key. If the certificate authority also provides a file with intermediate certificates, create a composite file that combines the certificates into a chain:

    cat certificate.pem intermediates.pem > chain.pem

  2. Create a Kubernetes TLS secret with your certificate and key:

    kubectl create secret tls dssc-proxy-certificate \
      --namespace default \
      --cert=path/to/chain.pem \
      --key=path/to/key.pem

    The secret must exist in the same namespace as the service. If you have installed Deep Security Smart Check in a namespace other than default, modify the command to use the correct namespace.

  3. Include the name of the certificate secret in your overrides.yaml file:

    certificate:
      secret:
        name: dssc-proxy-certificate

  4. Update the service:

    helm upgrade \
      --values overrides.yaml \
      deepsecurity-smartcheck \
      https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

    If you are using a specific version of Deep Security Smart Check, use the version number in the command. For example, to use version 1.2.0, the command would be:

    helm upgrade \
      --values overrides.yaml \
      deepsecurity-smartcheck \
      https://github.com/deep-security/smartcheck-helm/archive/1.2.0.tar.gz

  5. Restart the proxy pod:

    kubectl delete pods \
      --namespace default \
      -l "service=proxy,release=deepsecurity-smartcheck"

    Kubernetes will automatically restart the proxy pod.

Once the proxy pod has restarted, you should see that the service is using the new certificate.
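The following script is an added example and is not part of the Deep Security Smart Check documentation. It wraps steps 1, 2 and 5 above in shell functions and adds a pre-flight check that a practitioner would want before the chain file becomes the tls.crt of the secret: the file must contain at least one certificate and must not contain a private key, since a chain built with a stray "cat ... key.pem" would make the proxy serve the key to every client. The file names, namespace, release name, host and helper names are assumptions standing in for your own values; the sample PEM files it writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the Deep Security Smart Check documentation.
# Wraps steps 1, 2 and 5 of the procedure and adds a pre-flight check on the
# chain file. File names, namespace, release name and host are assumptions.
set -eu

# Concatenate leaf certificate and intermediates, leaf first, which is the
# order TLS clients expect. Usage: build_chain certificate.pem intermediates.pem chain.pem
build_chain() {
  cat "$1" "$2" > "$3"
}

# Number of PEM certificate blocks in a file (prints 0 when there are none).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Pre-flight check on the file that becomes tls.crt in the secret. It must hold
# at least one certificate and must not hold a private key, because tls.crt is
# what the proxy sends to clients. Returns 0 when acceptable, 1 otherwise.
check_chain() {
  if grep -q 'PRIVATE KEY-----' "$1"; then
    echo "refusing $1: it contains a private key" >&2
    return 1
  fi
  if [ "$(cert_count "$1")" -lt 1 ]; then
    echo "refusing $1: no certificate block found" >&2
    return 1
  fi
  return 0
}

# Step 2, parameterised by namespace (the secret must live where the service is).
# Usage: create_secret <namespace> <chain.pem> <key.pem>
create_secret() {
  kubectl create secret tls dssc-proxy-certificate \
    --namespace "$1" --cert="$2" --key="$3"
}

# Step 5: delete the proxy pod so Kubernetes recreates it with the new secret.
# Usage: restart_proxy <namespace> <release-name>
restart_proxy() {
  kubectl delete pods --namespace "$1" -l "service=proxy,release=$2"
}

# After the pod is back, read the certificate the service actually presents,
# so you can confirm subject, issuer and validity match what you installed.
# Usage: show_served_cert <hostname>
show_served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# Constructed stand-ins for the three files from step 1. The bodies are
# placeholders, not real certificates or keys, so the demo runs offline.
write_sample_files() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf-placeholder' '-----END CERTIFICATE-----' > "$1/certificate.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'intermediate-placeholder' '-----END CERTIFICATE-----' > "$1/intermediates.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'key-placeholder' '-----END PRIVATE KEY-----' > "$1/key.pem"
}

# Offline demonstration: build the chain, check it, and show that a chain
# which accidentally includes the key is rejected. Against a real cluster
# the next calls would be, for example:
#   create_secret default "$dir/chain.pem" "$dir/key.pem"
#   restart_proxy default deepsecurity-smartcheck
#   show_served_cert smartcheck.example.com
dir=$(mktemp -d)
write_sample_files "$dir"
build_chain "$dir/certificate.pem" "$dir/intermediates.pem" "$dir/chain.pem"
check_chain "$dir/chain.pem" && echo "chain.pem ok ($(cert_count "$dir/chain.pem") certificates)"
cat "$dir/chain.pem" "$dir/key.pem" > "$dir/wrong-chain.pem"
check_chain "$dir/wrong-chain.pem" || echo "wrong-chain.pem rejected as expected"
rm -r "$dir"
```

The kubectl and openssl helpers are kept in functions that the offline demo does not call; run them by hand once the chain file passes the check. If the namespace in the secret does not match the one the release runs in, the proxy pod will come back still serving the auto-generated certificate, which is exactly what show_served_cert would reveal.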

Revert to the auto-generated certificate

If you need to undo the procedure described above, you can revert to the auto-generated certificate:

  1. Delete the certificate secret name override from your overrides.yaml file.

  2. Update the service:

    helm upgrade \
      --values overrides.yaml \
      deepsecurity-smartcheck \
      https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

  3. Restart the proxy pod:

    kubectl delete pods \
      --namespace default \
      -l "service=proxy,release=deepsecurity-smartcheck"

    Kubernetes will automatically restart the proxy pod.

Once the proxy pod has restarted, you should see that the service is using an auto-generated certificate.

How to use Amazon Certificate Manager / AWS Identity and Access Management certificates with Deep Security Smart Check

If you are running Deep Security Smart Check in Amazon EKS and are using a load balancer (the default), you can use a certificate from Amazon Certificate Manager or AWS Identity and Access Management.

Add the following to your overrides.yaml file:

service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:[region]:[account-id]:certificate/[certificate-id]
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443,5000"

where the value of the aws-load-balancer-ssl-cert annotation is the ARN of the certificate you want to use. Then run helm upgrade to apply the new overrides.

If you have a certificate that you want to import into AWS, see SSL/TLS Certificates for Classic Load Balancers for instructions and limitations.

These annotations are defined by the AWS load-balancer controller in Kubernetes. See the Kubernetes documentation for full details on these annotations and other options that exist, including how to specify the security group assigned to the load balancer that Kubernetes creates.
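The following script is an added example and is not part of the Deep Security Smart Check documentation. It checks a certificate ARN before writing it into the annotations shown above, so that an unreplaced template placeholder such as [region] or a non-certificate ARN is caught before helm upgrade instead of surfacing later as a load balancer that fails to reconcile. The sample ARN, the account id and the helper names are constructed assumptions, not real resources.

```shell
#!/bin/sh
# Added example, not part of the Deep Security Smart Check documentation.
# Validates a certificate ARN and emits the overrides.yaml annotations above.
# The sample ARN and helper names are assumptions.
set -eu

# Accept an ACM certificate ARN or an IAM server-certificate ARN (the two
# sources the page names): a real partition, a 12-digit account id, and no
# unreplaced [placeholder] copied from the template. Returns 0 if well-formed.
cert_arn_valid() {
  case "$1" in
    *'['*|*']'*) return 1 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws(-[a-z]+)?:(acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f-]+|iam::[0-9]{12}:server-certificate/[A-Za-z0-9_=,.@+/-]+)$'
}

# Print the service annotations for the given ARN in the form that goes into
# overrides.yaml; refuses to print anything for an ARN that fails the check.
cert_overrides() {
  cert_arn_valid "$1" || { echo "not a certificate ARN: $1" >&2; return 1; }
  cat <<EOF
service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: $1
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443,5000"
EOF
}

# Optional online check with the AWS CLI (ACM certificates only): the
# certificate must be ISSUED, not PENDING_VALIDATION or EXPIRED, or the load
# balancer will not be able to serve it.
acm_status() {
  aws acm describe-certificate --certificate-arn "$1" \
    --query 'Certificate.Status' --output text
}

# Constructed sample ARN (not a real account or certificate).
sample_arn='arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012'

# Demonstration: the sample ARN yields the overrides; the template left
# unfilled is rejected before anything reaches helm.
cert_overrides "$sample_arn"
cert_overrides 'arn:aws:acm:[region]:[account-id]:certificate/[certificate-id]' \
  || echo "template placeholders rejected as expected"
```

Redirect the output of cert_overrides into overrides.yaml (or merge it with your existing file) and then run helm upgrade as in the procedure above. The acm_status helper is not called by the demo because it needs AWS credentials and network access; run it by hand when you want to confirm the certificate is ISSUED before applying the overrides.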