Configure HTTPS for LightBeam Endpoint FQDN Standalone deployment

Pre-requisites

To configure the valid certificate for the ingress endpoint's host/IP address, a valid domain is essential. This domain will be utilized to create a subdomain for the Lightbeam endpoint.

Currently, the deployment utilizes cert-manager which in turn uses Let’s Encrypt to generate valid certificates for the provided domain. If users already possess valid certificates, a Kubernetes (k8s) secret must be created and configured for the ingress generated by the Lightbeam cluster.

• Lightbeam App has been deployed on an EC2 instance and is accessible via its public IP address.

• An FQDN has been acquired following the addition of DNS records in Route53.

• Lightbeam App can be accessed via its FQDN over HTTP.

Let's encrypt performs HTTP-01 challenge which can only be done on port 80. Ref https://letsencrypt.org/docs/challenge-types/

Deploy Certificate Manager

1. Access the Kubernetes cluster.

2. Add the cert-manager helm repository using the command:

helm repo add lb-cert-manager-stable https://charts.jetstack.io && helm repo update

1. Install cert-manager using the command:

kubectl create namespace cert-manager

helm install lb-cert-manager lb-cert-manager-stable/cert-manager --namespace cert-manager --version v1.11.0 --set installCRDs=true

1. Create the cluster issuer. Generate the cluster-issuer.yaml spec as follows:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: lb-letsencrypt-prod
spec:
  acme:
    email: [email protected]  # Change email address
    privateKeySecretRef:
      name: 'lb-letsencrypt-prod'
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: kong

1. Apply the spec with:

ConfigMap Configuration

• Modify the Lightbeam Common ConfigMap named lightbeam-common-configmap using the command below

• Update the AUTH_BASE_URL field with the appropriate URL in the format https://FQDN

• Modify the ConfigMap named lb-keycloak-config using the command below

• Update the AUTH_BASE_URL field with the appropriate URL in the format https://FQDN

Ingress Configuration

Lightbeam Chart

1. Edit the override-values.yaml.

1. Run an upgrade.

Manual Steps

1. Edit the deployed Lightbeam ingress. The ingress name is lightbeam-ingress-auth-svc. Use the command:

1. Add the following annotations:

   • cert-manager.io/cluster-issuer: lb-letsencrypt-prod

   • kubernetes.io/tls-acme: "true"

   • konghq.com/protocols: "https"

   • konghq.com/https-redirect-status-code: "301"

   • acme.cert-manager.io/http01-edit-in-place: "true"

2. Add the host to the rules:

1. Update the spec section:

   • Add the tls section:

1. The complete Ingress spec will resemble:

1. Restart lightbeam api gateway pod, keycloak pod, ingress-kong pod and frontend pod.

Subsequently, the ingress address must be configured in the DNS settings of the domain's registrar, such as GoDaddy or Route53.

Now, the Lightbeam GUI is accessible at the endpoint: https://sub-domain.domain-name

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].