Configure HTTPS for LightBeam Endpoint FQDN Standalone deployment

Pre-requisites

To configure the valid certificate for the ingress endpoint's host/IP address, a valid domain is essential. This domain will be utilized to create a subdomain for the Lightbeam endpoint.

Currently, the deployment utilizes cert-manager which in turn uses Let’s Encrypt to generate valid certificates for the provided domain. If users already possess valid certificates, a Kubernetes (k8s) secret must be created and configured for the ingress generated by the Lightbeam cluster.

Lightbeam App has been deployed on an EC2 instance and is accessible via its public IP address.
An FQDN has been acquired following the addition of DNS records in Route53.
Lightbeam App can be accessed via its FQDN over HTTP.

Let's encrypt performs HTTP-01 challenge which can only be done on port 80. Ref https://letsencrypt.org/docs/challenge-types/

Deploy Certificate Manager

Access the Kubernetes cluster.
Add the cert-manager helm repository using the command:

helm repo add lb-cert-manager-stable https://charts.jetstack.io && helm repo update

Install cert-manager using the command:

kubectl create namespace cert-manager

helm install lb-cert-manager lb-cert-manager-stable/cert-manager --namespace cert-manager --version v1.11.0 --set installCRDs=true

Create namaespace if missing

kubectl create namespace cert-manager

Create the cluster issuer. Generate the cluster-issuer.yaml spec as follows:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: lb-letsencrypt-prod
spec:
  acme:
    email: [email protected]  # Change email address
    privateKeySecretRef:
      name: 'lb-letsencrypt-prod'
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: kong

Apply the spec with:

kubectl apply -f cluster-issuer.yaml

ConfigMap Configuration

Modify the Lightbeam Common ConfigMap named lightbeam-common-configmap using the command below

kubectl edit cm lightbeam-common-configmap

Update the AUTH_BASE_URL field with the appropriate URL in the format https://FQDN

apiVersion: v1
data:
  AUTH_BASE_URL: https://sub-domain.domain-name

Ingress Configuration

Edit the deployed Lightbeam ingress. The ingress name is lightbeam-ingress-auth-svc. Use the command:

kubectl edit ingress lightbeam-ingress-auth-svc --namespace lightbeam

Add the following annotations:
- cert-manager.io/cluster-issuer: lb-letsencrypt-prod
- kubernetes.io/tls-acme: "true"
- konghq.com/protocols: "https"
- konghq.com/https-redirect-status-code: "301"
- acme.cert-manager.io/http01-edit-in-place: "true"
Add the host to the rules:

tls:
  - hosts:
    - sub-domain.domain-name
    secretName: lb-https-secret

Update the spec section:
- Add the tls section:

rules:
  - host: sub-domain.domain-name

The complete Ingress spec will resemble:

apiVersion: networking.k8s.io/v1 
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: lb-letsencrypt-prod
    konghq.com/plugins: oidc,basic-auth
    kubernetes.io/ingress.class: kong
    kubernetes.io/tls-acme: "true"
    meta.helm.sh/release-name: lightbeam
    meta.helm.sh/release-namespace: lightbeam
    konghq.com/protocols: https
    konghq.com/https-redirect-status-code: "301"
    acme.cert-manager.io/http01-edit-in-place: "true"
  labels:
    app: lightbeam-kong-proxy
    app.kubernetes.io/instance: lightbeam
    app.kubernetes.io/name: lightbeam
  name: lightbeam-ingress-auth-svc
  namespace: lightbeam
spec:
  rules:
    host: app.lightbeam-ai.com
    http:
      paths:
        - backend:
            service:
              name: lb-keycloak
              port:
                number: 80
          path: /auth
          pathType: Prefix
        - backend:
            service:
              name: lightbeam-api-gateway
              port:
                number: 8000
          path: /api
          pathType: Prefix
        - backend:
            service:
              name: lightbeam-frontend
              port:
                number: 8080
          path: /
          pathType: Prefix
  tls:
    - hosts:
      - app.lightbeam-ai.com
      secretName: lb-https-secret

Update lightbeam service file if applicable:

Add the port 443 to be port-forwarded in the /usr/local/bin/lightbeam.sh file.

/usr/bin/kubectl port-forward service/kong-proxy -n lightbeam --address 0.0.0.0 80:80 443:443 --kubeconfig /root/.kube/config &

Restart lightbeam service

systemctl stop lightbeam
systemctl start lightbeam

Restart lightbeam api gateway pod

Subsequently, the ingress address must be configured in the DNS settings of the domain's registrar, such as GoDaddy or Route53.

Now, the Lightbeam GUI is accessible at the endpoint: https://sub-domain.domain-name

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].

PreviousSecuring LightBeam on EKS with AWS Certificate Manager on Elastic Load Balancer NextUsing Custom Certificates with LightBeam

Last updated 1 year ago