Using Custom Certificates with LightBeam

Pre-requisites

To configure the certificate for the ingress endpoint's host/IP address, a valid domain is essential. This domain will be utilized to create a subdomain for the Lightbeam endpoint.

• The LightBeam App has been deployed on a K8s cluster and is accessible via its public/private IP address.

• An FQDN has been acquired following the addition of a DNS record.

• The LightBeam App can be accessed via its FQDN over HTTPS.

Requirements

1. PFX file with following contents

   1. Private Key (tls.key): The unencrypted private key corresponding to the domain's TLS certificate starting with -----BEGIN PRIVATE KEY-----

   2. Domain/TLS Certificate (tls.crt): The TLS certificate file should contain a single public certificate for your Fully Qualified Domain Name (FQDN) in PEM format, starting with -----BEGIN CERTIFICATE-----

   3. CA Certificate Chain (ca_bundle.crt): The CA bundle should contain one or more CA certificates (typically the intermediate and root CAs) concatenated together in PEM format. The order should be the intermediate certificate first, followed by the root certificate. Example:

      -----BEGIN CERTIFICATE----- MIIDdDCCAlygAwIBAgIJAN... (Intermediate CA Certificate) ... (base64 encoded certificate data) ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDdDCCAlygAwIBAgIJAN... (Root CA Certificate) ... (base64 encoded certificate data) ... -----END CERTIFICATE-----

2. If not PFX file share the three files in format mentioned above.

The PFX file must be a single file that bundles the private key, the primary TLS certificate for the domain, and all necessary CA certificates (intermediate and root). LightBeam certificate import script is designed to parse this specific structure to create the required Kubernetes secrets for custom certificate configuration. Failure to provide a PFX file with all three components will result in an error during script execution, as the script checks that each extracted file is not empty.

Procedure

1. If you have a PFX file, follow the steps listed below:

1. Extract certificates from a given PFX file, create relevant secrets and autofill charts/lightbeam/override-values.yaml by running the installer/create_cert_secrets.py script from the LightBeam chart.

   1. If you have a PFX file, enter "yes" when prompted.

   2. Enter the path to the PFX file.

   3. Enter the password to the PFX file.

   4. Once the certificates and key have been extracted, enter the FQDN.

   5. Secrets will be created.

   6. If charts/lightbeam/override-values.yaml exists, values for customCA section will be overriden. Additionally, a backup of the file will be created before overriding. If charts/lightbeam/override-values.yaml does not exists, it will be created.

   

2. If you have Root CA, Intermediate CA, TLS Certificates and Private key, follow the steps listed below:

1. Create relevant secrets and autofill charts/lightbeam/override-values.yaml by running the installer/create_cert_secrets.py script from the LightBeam chart.

   1. Enter "no" when prompted for PFX file.

   2. Enter the path to CA Bundle (Root CA and intermediate CA certificates), TLS certificate and Private key.

   3. Enter the FQDN.

   4. Secrets will be created.

   5. If charts/lightbeam/override-values.yaml exists, values for customCA section will be overriden. Additionally, a backup of the file will be created before overriding. If charts/lightbeam/override-values.yaml does not exists, it will be created.

   6. If lightbeam-web is deployed against the cluster, you should enter "yes" when prompted for the same. An override-values.yaml file for lightbeam-web will be created at charts/lightbeam-web-portal/override-values.yaml.

3. Edit the LightBeam service file /usr/local/bin/lightbeam.sh and add the following by updating the fqdn details in line starting with status_code

#!/usr/bin/env bash

trap 'kill $(jobs -p)' EXIT
/usr/bin/kubectl port-forward service/kong-proxy -n lightbeam --address 0.0.0.0 80:80 443:443 --kubeconfig /root/.kube/config &
PID=$!

/bin/systemd-notify --ready

while(true); do
    FAIL=0
    kill -0 $PID
    if [[ $? -ne 0 ]]; then FAIL=1; fi
    status_code=`curl -s -o /dev/null -w "%{http_code}" http://localhost/api/health -H "Host: <domian-fqdn.com>"`
    echo "Lightbeam cluster health check: $status_code"
    if [[ $? -ne 0 || $status_code -ne 200 && $status_code -ne 301 ]]; then FAIL=1; fi
    if [[ $FAIL -eq 0 ]]; then /bin/systemd-notify WATCHDOG=1; fi
    sleep 1
done

4. Restart the LightBeam service:

systemctl restart lightbeam

5. Upgrade LightBeam Stack

Upgrade the LightBeam stack with the flag --override_values charts/lightbeam/override-values.yaml. After a successful upgrade, you should be able to access the domain over HTTPS.

6. Upgrade the LightBeam Web Stack

Upgrade the LightBeam Web stack with the flag --override_values charts/lightbeam-web-portal/override-values.yaml.

Cleanup Procedure

If the above change has to be reverted, edit the lightbeam-common-configmap to change the value of AUTH_BASE_URL to the http endpoint with IP address. In the charts/lightbeam/override-values.yaml file, set customCA.enabled as false and run the upgrade to revert these changes.

Overview of Changes

LightBeam Installer Changes

• Added port forwarding for port 443 in addition to port 80.

• Added a health check for the 301 status code in addition to the status code 200.

LightBeam Web Changes

• Ignored HTTPS errors from Puppeteer.

API Gateway Changes

• Added a module app/add_custom_certs.py which uses certifi to add the custom CA certificate to the existing CA bundle. This module runs before the FastAPI app is initialized.

• Added the LightBeam user to the API Gateway with owner permission to /etc/ssl/certs.

LightBeam Chart Changes

• Added a dedicated section in charts/lightbeam/values.yaml for custom CA and certificate configurations.

customCA:
  # Set this to true if you are using a custom CA and SSL certificates 
  enabled: false
  # Specify the name of the Kubernetes secret containing the CA certificate   
  caSecretName: ""
  # Specify the key of the Kubernetes secret containing the CA certificate 
  caSecretKey: ""
  # Specify the name of the Kubernetes TLS secret containing the SSL certificate   and private key
  sslSecretName: ""
  # Specify the key of the Kubernetes TLS secret containing the SSL certificate 
  sslSecretCertKey: "tls.crt"
  # Specify the key of the Kubernetes TLS secret containing the private key 
  sslSecretPrivateKey: "tls.key"
  # Specify the FQDN without https. For ex: example.test.com
  customFQDN: ""

• Added a script installer/create_cert_secrets.py to help create Kubernetes secrets.

• Added validation checks in installer/lb-install.sh for the customCA values from charts/lightbeam/values.yaml before the Kubernetes deployment.

• Added conditional changes to api-gateway, kong-proxy, ingress, keycloak,serviceability and lightbeam-common configmap to populate secrets and copy certificates based on the customCA.enabled value in the values.yaml file.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].