Using Custom Certificates with LightBeam
This guide provides instructions for adding custom CA and SSL/TLS certificates to LightBeam.
To configure the certificate for the ingress endpoint's host/IP address, a valid domain is essential. This domain will be used to create a subdomain for the LightBeam endpoint.
The LightBeam App has been deployed on a K8s cluster and is accessible via its public/private IP address.
An FQDN has been acquired following the addition of a DNS record.
The LightBeam App can be accessed via its FQDN over HTTPS.
Extract certificates from a given PFX file, create relevant secrets and autofill charts/lightbeam/override-values.yaml by running the installer/create_cert_secrets.py script from the LightBeam chart.
If you have a PFX file, enter "yes" when prompted.
Enter the path to the PFX file.
Enter the password to the PFX file.
Once the certificates and key have been extracted, enter the FQDN.
Secrets will be created.
If charts/lightbeam/override-values.yaml exists, the values for the customCA section will be overridden. Additionally, a backup of the file will be created before overriding. If charts/lightbeam/override-values.yaml does not exist, it will be created.
Create relevant secrets and autofill charts/lightbeam/override-values.yaml by running the installer/create_cert_secrets.py script from the LightBeam chart.
Enter "no" when prompted for PFX file.
Enter the paths to the CA bundle (Root CA and intermediate CA certificates), the TLS certificate and the private key.
Enter the FQDN.
Secrets will be created.
If charts/lightbeam/override-values.yaml exists, the values for the customCA section will be overridden. Additionally, a backup of the file will be created before overriding. If charts/lightbeam/override-values.yaml does not exist, it will be created.
If lightbeam-web is deployed against the cluster, you should enter "yes" when prompted for the same. An override-values.yaml file for lightbeam-web will be created at charts/lightbeam-web-portal/override-values.yaml.
/usr/local/bin/lightbeam.sh and add the following changes if they are not present:
Upgrade the LightBeam stack with the flag --override_values charts/lightbeam/override-values.yaml. After a successful upgrade, you should be able to access the domain over HTTPS.
Upgrade the LightBeam Web stack with the flag --override_values charts/lightbeam-web-portal/override-values.yaml.
If the above change has to be reverted, edit the lightbeam-common-configmap to change the value of AUTH_BASE_URL to the HTTP endpoint with the IP address. In the charts/lightbeam/override-values.yaml file, set customCA.enabled to false and run the upgrade to revert these changes.
Added port forwarding for port 443 in addition to port 80.
Added a health check for the 301 status code in addition to the status code 200.
Ignored HTTPS errors from Puppeteer.
Added a module app/add_custom_certs.py which uses certifi to add the custom CA certificate to the existing CA bundle. This module runs before the FastAPI app is initialized.
Added the LightBeam user to the API Gateway with owner permission to /etc/ssl/certs.
Added a dedicated section in charts/lightbeam/values.yaml for custom CA and certificate configurations.
Added a script installer/create_cert_secrets.py to help create Kubernetes secrets.
Added validation checks in installer/lb-install.sh for the customCA values from charts/lightbeam/values.yaml before the Kubernetes deployment.
Added conditional changes to api-gateway, kong-proxy, ingress, keycloak, serviceability and lightbeam-common configmap to populate secrets and copy certificates based on the customCA.enabled value in the values.yaml file.
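The changelog above mentions a module that adds the custom CA certificate to the existing certifi bundle before the FastAPI app starts. The Python below is an added example of that kind of merge, not LightBeam's app/add_custom_certs.py: it deduplicates by certificate fingerprint so repeated start-ups do not grow the bundle, and it replaces the file atomically. The names fingerprints and merge_custom_ca and the bundle_path parameter are assumptions made for this example.

```python
import hashlib
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Map SHA-256(DER) hex digest -> PEM block for each certificate found."""
    found = {}
    for block in PEM_BLOCK.findall(pem_text):
        # Decodes the base64 body only; it does not parse the ASN.1 structure.
        der = ssl.PEM_cert_to_DER_cert(block)
        found[hashlib.sha256(der).hexdigest()] = block
    return found


def merge_custom_ca(custom_ca_path, bundle_path=None):
    """Append certificates the bundle lacks; return the fingerprints added."""
    if bundle_path is None:
        import certifi  # assumption: certifi is installed, as the page states
        bundle_path = certifi.where()
    with open(custom_ca_path, encoding="utf-8") as fh:
        custom = fingerprints(fh.read())
    if not custom:
        raise ValueError(f"no PEM certificate found in {custom_ca_path}")
    with open(bundle_path, encoding="utf-8") as fh:
        bundle = fh.read()
    known = fingerprints(bundle)
    missing = {fp: pem for fp, pem in custom.items() if fp not in known}
    if not missing:
        return []  # repeat start-up: nothing to do, bundle left untouched
    merged = bundle.rstrip("\n") + "\n" + "".join(
        f"\n# custom CA sha256={fp}\n{pem}\n" for fp, pem in missing.items())
    # Write beside the bundle and rename, so a crash mid-write cannot leave
    # a truncated trust store for the next TLS client to load.
    target_dir = os.path.dirname(os.path.abspath(bundle_path))
    fd, tmp = tempfile.mkstemp(dir=target_dir, suffix=".pem.tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(merged)
    os.chmod(tmp, os.stat(bundle_path).st_mode & 0o777)
    os.replace(tmp, bundle_path)
    return list(missing)
```

Because the comparison is on the decoded DER bytes, a CA file that differs from the bundle only in line wrapping or line endings is still recognised as already present.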