Configure custom certificate authorities for Tanzu Developer Portal

This topic tells you how to configure your Tanzu Developer Portal to trust unusual certificate authorities (CA) when making outbound connections.

Tanzu Developer Portal might require custom certificates when connecting to persistent databases or custom catalog locations that require SSL. You use overlays with PackageInstalls to make this possible. There are two ways to implement this workaround: you can add a custom CA or you can deactivate all SSL verification.

Add a custom CA

The overlay previously available in this section is no longer necessary. As of Tanzu Application Platform v1.3, the value ca_cert_data is supported at the top level of its values file. Any number of newline-delimited CA certificates in PEM format are accepted.

For example:

# tap-gui-values.yaml
ca_cert_data: |
  -----BEGIN CERTIFICATE-----
  cert data here
  -----END CERTIFICATE-----

  -----BEGIN CERTIFICATE-----
  other cert data here
  -----END CERTIFICATE-----
app_config:
  # ...

Tanzu Developer Portal also inherits shared.ca_cert_data from your tap-values.yaml file. shared.ca_cert_data is newline-concatenated with ca_certs given directly to Tanzu Developer Portal.

shared:
  ca_cert_data: |
    -----BEGIN CERTIFICATE-----
    cert data here
    -----END CERTIFICATE-----

tap_gui:
  ca_cert_data: |
    -----BEGIN CERTIFICATE-----
    other cert data here
    -----END CERTIFICATE-----
  app_config:
    # ...

To verify that Tanzu Developer Portal has processed the custom CA certificates, check that the ca-certs-data volume with mount path /etc/custom-ca-certs-data is mounted in the Tanzu Developer Portal server pod.

Deactivate all SSL verification

To deactivate SSL verification to allow for self-signed certificates, set the Tanzu Developer Portal pod’s environment variable as NODE_TLS_REJECT_UNAUTHORIZED=0. When the value equals 0, certificate validation is deactivated for TLS connections.

To do this, use the package_overlays key in the Tanzu Application Platform values file. For instructions, see Customize Package Installation.

The following YAML is an example Secret containing an overlay to deactivate TLS:

apiVersion: v1
kind: Secret
metadata:
  name: deactivate-tls-overlay
  namespace: tap-install
stringData:
  deactivate-tls-overlay.yml: |
    #@ load("@ytt:overlay", "overlay")
    #@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "server", "namespace": "NAMESPACE"}}),expects="1+"
    ---
    spec:
      template:
        spec:
          containers:
            #@overlay/match by=overlay.all,expects="1+"
            #@overlay/match-child-defaults missing_ok=True
            - env:
              - name: NODE_TLS_REJECT_UNAUTHORIZED
                value: "0"

Where NAMESPACE is the namespace in which your Tanzu Developer Portal instance is deployed. For example, tap-gui.

Next steps

Configure Application Accelerator