Using Custom Certificates with LightBeam

This guide provides instructions for adding custom CA and SSL/TLS certificates to LightBeam.


Pre-requisites

A valid domain is required to configure a certificate for the ingress endpoint's host/IP address; a subdomain of that domain becomes the FQDN of the LightBeam endpoint.

  • The LightBeam App has been deployed on a K8s cluster and is accessible via its public/private IP address.

  • An FQDN has been acquired following the addition of a DNS record.

  • The LightBeam App can be accessed via its FQDN over HTTPS.


Procedure

1. If you have a PFX file, follow the steps listed below:

  1. Extract certificates from a given PFX file, create relevant secrets and autofill charts/lightbeam/override-values.yaml by running the installer/create_cert_secrets.py script from the LightBeam chart.

    1. If you have a PFX file, enter "yes" when prompted.

    2. Enter the path to the PFX file.

    3. Enter the password to the PFX file.

    4. Once the certificates and key have been extracted, enter the FQDN.

    5. Secrets will be created.

    6. If charts/lightbeam/override-values.yaml exists, the values in its customCA section will be overridden, and a backup of the file is taken before it is changed. If charts/lightbeam/override-values.yaml does not exist, it will be created.

2. If you have the Root CA and Intermediate CA certificates, the TLS certificate and its private key as separate files, follow the steps listed below:

  1. Create relevant secrets and autofill charts/lightbeam/override-values.yaml by running the installer/create_cert_secrets.py script from the LightBeam chart.

    1. Enter "no" when prompted for PFX file.

    2. Enter the path to CA Bundle (Root CA and intermediate CA certificates), TLS certificate and Private key.

    3. Enter the FQDN.

    4. Secrets will be created.

    5. If charts/lightbeam/override-values.yaml exists, the values in its customCA section will be overridden, and a backup of the file is taken before it is changed. If charts/lightbeam/override-values.yaml does not exist, it will be created.

    6. If lightbeam-web is deployed on the cluster, enter "yes" when prompted for it; an override-values.yaml for lightbeam-web will then be created at charts/lightbeam-web-portal/override-values.yaml.

3. Edit the LightBeam service file /usr/local/bin/lightbeam.sh and make the following changes if they are not already present:

# Modify the following lines
# Add port 443 to the port forward so HTTPS reaches kong-proxy alongside HTTP
/usr/bin/kubectl port-forward service/kong-proxy -n lightbeam --address 0.0.0.0 443:443 80:80 --kubeconfig /root/.kube/config &
# Accept status code 301 (the HTTP-to-HTTPS redirect) in addition to 200 in the health check
if [[ $? -ne 0 || ( $status_code -ne 200 && $status_code -ne 301 ) ]]; then FAIL=1; fi

4. Restart the LightBeam service:

systemctl restart lightbeam

5. Upgrade LightBeam Stack

Upgrade the LightBeam stack with the flag --override_values charts/lightbeam/override-values.yaml. After a successful upgrade, you should be able to access the domain over HTTPS.

6. Upgrade the LightBeam Web Stack

Upgrade the LightBeam Web stack with the flag --override_values charts/lightbeam-web-portal/override-values.yaml.
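As an added worked example (this is not LightBeam's own installer/create_cert_secrets.py), the following Python script does what steps 1 and 2 describe for the separate-file case: it validates the PEM inputs, builds the generic CA Secret and the kubernetes.io/tls Secret that the customCA values name, and rewrites the customCA section of charts/lightbeam/override-values.yaml after taking a backup. The secret names lightbeam-custom-ca and lightbeam-custom-tls, the ca.crt key, the lightbeam namespace and the sample PEM blobs in demo() are assumptions made for the demo, not values from the product.

```python
"""Added example (not LightBeam's installer/create_cert_secrets.py): build the Kubernetes
Secrets that the customCA section of charts/lightbeam/override-values.yaml refers to and
rewrite that section, backing up any existing file first.  Secret names, the CA bundle key
and the namespace are assumptions made for this demo, not values taken from the product."""
import base64
import json
import os
import shutil
import sys
import tempfile
import time

CA_SECRET_NAME = "lightbeam-custom-ca"    # assumed name of the generic Secret holding the CA bundle
CA_SECRET_KEY = "ca.crt"                  # assumed key inside that Secret
TLS_SECRET_NAME = "lightbeam-custom-tls"  # assumed name of the kubernetes.io/tls Secret
NAMESPACE = "lightbeam"                   # namespace used by the page's port-forward command

# Constructed placeholder PEM blobs for the demo; they are not real certificates or keys.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\nUk9PVENB\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n")
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"

def _require_pem(text, markers, what):
    """Reject input that is not a PEM block of the expected type (a DER or PFX passed by mistake)."""
    text = text.strip() + "\n"
    if "ENCRYPTED" in text:
        raise ValueError(f"{what}: encrypted keys cannot be used by the ingress; decrypt the key first")
    if not any(f"-----BEGIN {m}-----" in text and f"-----END {m}-----" in text for m in markers):
        raise ValueError(f"{what}: expected a PEM block of type {' or '.join(markers)}")
    return text

def build_secrets(ca_bundle_pem, tls_cert_pem, tls_key_pem):
    """Return (CA Secret, TLS Secret) as manifests ready for `kubectl apply -f -`."""
    ca = _require_pem(ca_bundle_pem, ("CERTIFICATE",), "CA bundle")
    crt = _require_pem(tls_cert_pem, ("CERTIFICATE",), "TLS certificate")
    key = _require_pem(tls_key_pem, ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"), "private key")
    ca_secret = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                 "metadata": {"name": CA_SECRET_NAME, "namespace": NAMESPACE},
                 "data": {CA_SECRET_KEY: base64.b64encode(ca.encode()).decode()}}
    # A kubernetes.io/tls Secret must use exactly the keys tls.crt and tls.key, which is why
    # values.yaml defaults sslSecretCertKey and sslSecretPrivateKey to those names.
    tls_secret = {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
                  "metadata": {"name": TLS_SECRET_NAME, "namespace": NAMESPACE},
                  "data": {"tls.crt": base64.b64encode(crt.encode()).decode(),
                           "tls.key": base64.b64encode(key.encode()).decode()}}
    return ca_secret, tls_secret

def render_custom_ca(fqdn):
    """The customCA section for override-values.yaml; customFQDN is a bare host name, no scheme."""
    if not fqdn or "://" in fqdn or "/" in fqdn:
        raise ValueError("customFQDN must be a bare host name such as example.test.com")
    return (f'customCA:\n  enabled: true\n  caSecretName: "{CA_SECRET_NAME}"\n'
            f'  caSecretKey: "{CA_SECRET_KEY}"\n  sslSecretName: "{TLS_SECRET_NAME}"\n'
            f'  sslSecretCertKey: "tls.crt"\n  sslSecretPrivateKey: "tls.key"\n'
            f'  customFQDN: "{fqdn}"\n')

def _strip_custom_ca(text):
    """Drop an existing top-level customCA block; its indented lines end at the next top-level key."""
    kept, skipping = [], False
    for line in text.splitlines(keepends=True):
        if line.startswith("customCA:"):
            skipping = True
            continue
        if skipping and line.strip() and not line[0].isspace():
            skipping = False
        if not skipping:
            kept.append(line)
    return "".join(kept)

def write_override_values(path, fqdn):
    """Create the file, or back it up and replace its customCA section; returns the backup path or None."""
    backup, existing = None, ""
    if os.path.exists(path):
        backup = f"{path}.{time.strftime('%Y%m%d-%H%M%S')}.bak"
        shutil.copy2(path, backup)
        with open(path, encoding="utf-8") as f:
            existing = _strip_custom_ca(f.read())
        if existing and not existing.endswith("\n"):
            existing += "\n"
    with open(path, "w", encoding="utf-8") as f:
        f.write(existing + render_custom_ca(fqdn))
    return backup

def demo():
    """Run the flow on the constructed inputs in a temp dir and return facts a test can check."""
    ca_secret, tls_secret = build_secrets(SAMPLE_CA_PEM, SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "override-values.yaml")
        with open(path, "w", encoding="utf-8") as f:
            f.write('replicaCount: 2\ncustomCA:\n  enabled: false\n  customFQDN: "old.example.test"\n'
                    'ingress:\n  enabled: true\n')
        backup = write_override_values(path, "lightbeam.example.test")
        with open(path, encoding="utf-8") as f:
            text = f.read()
        backup_ok = backup is not None and os.path.exists(backup)
    return {"tls_type": tls_secret["type"], "tls_keys": sorted(tls_secret["data"]),
            "ca_roundtrip": base64.b64decode(ca_secret["data"][CA_SECRET_KEY]).decode(),
            "backup_ok": backup_ok, "text": text}

if __name__ == "__main__":
    # Usage: python make_cert_secrets.py ca-bundle.pem tls.crt tls.key lightbeam.example.test | kubectl apply -f -
    ca_s, tls_s = build_secrets(*(open(p, encoding="utf-8").read() for p in sys.argv[1:4]))
    write_override_values("charts/lightbeam/override-values.yaml", sys.argv[4])
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [ca_s, tls_s]}, indent=2))
```

For the PFX case, extract the three PEM pieces first with openssl pkcs12 (-clcerts -nokeys for the server certificate, -cacerts -nokeys for the chain, -nocerts -nodes for the key) and feed those files in. The script refuses encrypted keys on purpose: the ingress cannot prompt for a passphrase, and an unusable key would only surface as a failed TLS handshake after the upgrade.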

Cleanup Procedure

To revert the change, edit the lightbeam-common-configmap and set AUTH_BASE_URL back to the http endpoint with the IP address. Then, in charts/lightbeam/override-values.yaml, set customCA.enabled to false and run the upgrade again.


Overview of Changes

LightBeam Installer Changes

  • Added port forwarding for port 443 in addition to port 80.

  • Added a health check for the 301 status code in addition to the status code 200.

LightBeam Web Changes

  • Puppeteer is launched with HTTPS errors ignored. Note that this turns off certificate validation in the headless browser, so it will also accept an untrusted or mismatched certificate.

API Gateway Changes

  • Added a module app/add_custom_certs.py which uses certifi to add the custom CA certificate to the existing CA bundle. This module runs before the FastAPI app is initialized.

  • Added the LightBeam user to the API Gateway with owner permission on /etc/ssl/certs. Note that ownership of this directory lets that user alter the system trust store, not just extend it.
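As an added example of the mechanism the first bullet describes (this is not LightBeam's app/add_custom_certs.py), the script below appends the certificates from a custom CA file to a PEM bundle such as certifi's, skipping any that are already present so it can run before every start without growing the bundle. Certificates are matched on the SHA-256 of their DER encoding rather than on text, so re-wrapped or re-ordered PEM files do not create duplicates. The CUSTOM_CA_PATH variable name and the stand-in certificates in demo() are assumptions.

```python
"""Added example, not LightBeam's app/add_custom_certs.py: append the certificates in a custom
CA file to a PEM bundle, skipping any already present (keyed on the SHA-256 of the DER
encoding), so the merge is safe to rerun at every start.  CUSTOM_CA_PATH is an assumed
environment variable name; demo() uses constructed stand-in certificates."""
import base64
import hashlib
import os
import re
import ssl
import tempfile

_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Every CERTIFICATE block in the text, in order, without surrounding whitespace."""
    return _BLOCK.findall(text)

def fingerprint(block):
    """SHA-256 over the DER bytes; ssl.PEM_cert_to_DER_cert also rejects a block without PEM framing."""
    der = ssl.PEM_cert_to_DER_cert(block)
    if not der or der[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("block does not decode to a DER SEQUENCE; not an X.509 certificate?")
    return hashlib.sha256(der).hexdigest()

def merge_ca_into_bundle(bundle_path, ca_text):
    """Append the certificates from ca_text that the bundle lacks; return how many were added."""
    with open(bundle_path, encoding="utf-8") as f:
        existing = f.read()
    known = {fingerprint(b) for b in pem_blocks(existing)}
    new_blocks = []
    for block in pem_blocks(ca_text):
        fp = fingerprint(block)
        if fp not in known:
            known.add(fp)
            new_blocks.append(block)
    if new_blocks:
        with open(bundle_path, "a", encoding="utf-8") as f:
            if existing and not existing.endswith("\n"):
                f.write("\n")
            f.write("\n".join(new_blocks) + "\n")
    return len(new_blocks)

def _stand_in_cert(label):
    """Constructed stand-in: PEM framing around a DER-looking SEQUENCE, not a real certificate."""
    body = base64.encodebytes(b"\x30\x10" + label.encode().ljust(16, b"\x00")).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"

def demo():
    """Merge twice into a temp bundle that already holds one of the two CA certificates."""
    root, inter = _stand_in_cert("root"), _stand_in_cert("intermediate")
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "cacert.pem")
        with open(bundle, "w", encoding="utf-8") as f:
            f.write(root + "\n")
        first = merge_ca_into_bundle(bundle, root + "\n" + inter + "\n")
        second = merge_ca_into_bundle(bundle, root + "\n" + inter + "\n")
        with open(bundle, encoding="utf-8") as f:
            total = len(pem_blocks(f.read()))
    return first, second, total

if __name__ == "__main__":
    import certifi  # the bundle being extended is certifi's, as on the page; a package upgrade replaces it
    path = os.environ.get("CUSTOM_CA_PATH")
    if path:
        with open(path, encoding="utf-8") as f:
            added = merge_ca_into_bundle(certifi.where(), f.read())
        print(f"added {added} certificate(s) to {certifi.where()}")
```

Running the merge at process start, as the page says the module does, is what keeps the bundle current: a pip upgrade of certifi replaces its cacert.pem wholesale, and a bundle that silently lost the custom CA would show up only as certificate verification failures from the gateway. The write also requires the application user to have write access to wherever the bundle lives.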

LightBeam Chart Changes

  • Added a dedicated section in charts/lightbeam/values.yaml for custom CA and certificate configurations.

customCA:
  # Set this to true if you are using a custom CA and SSL certificates
  enabled: false
  # Specify the name of the Kubernetes secret containing the CA certificate
  caSecretName: ""
  # Specify the key of the Kubernetes secret containing the CA certificate
  caSecretKey: ""
  # Specify the name of the Kubernetes TLS secret containing the SSL certificate and private key
  sslSecretName: ""
  # Specify the key of the Kubernetes TLS secret containing the SSL certificate
  sslSecretCertKey: "tls.crt"
  # Specify the key of the Kubernetes TLS secret containing the private key
  sslSecretPrivateKey: "tls.key"
  # Specify the FQDN without https. For ex: example.test.com
  customFQDN: ""

  • Added a script installer/create_cert_secrets.py to help create Kubernetes secrets.

  • Added validation checks in installer/lb-install.sh for the customCA values from charts/lightbeam/values.yaml before the Kubernetes deployment.

  • Added conditional changes to api-gateway, kong-proxy, ingress, keycloak, serviceability and the lightbeam-common configmap to populate secrets and copy certificates based on the customCA.enabled value in the values.yaml file.


About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].
