Custom Certificates

You can configure Domino to connect to services that use custom certificates which are external to the Domino cluster. In addition to public services like AWS S3, you might want to use private services in your security domain that are secured with custom certificates or a custom certificate authority.

The following are examples of private services:

  • Docker registry

  • Git server

  • S3 service

  • LDAPS

  • OIDC

  • Data sources

About the domino-custom-certificates ConfigMap

Domino checks for a ConfigMap named domino-custom-certificates in the Kubernetes cluster’s default namespace. This ConfigMap must have a key named bundle whose value is a certificate bundle in plaintext PEM format. If the bundle exists, Domino uses the certificates in it when it connects to the external services.

Domino supports the following certificate types:

  • Custom Certificate Authority (CA): Certificates that certify the other certificates issued under this authority.

  • Self-signed certificates: Certificates that are signed with their own key and therefore do not reference a separate signing authority.

The bundle is a series of certificates in PEM format, concatenated one after another. Each of the following marker lines must stand on a line of its own, with a line break before and after it:

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----

The bundle must contain every certificate you would normally need to connect to the private services, including intermediate and root certificates. Domino ships with the public root certificates, such as the DigiCert roots, by default, so you do not have to include those; including a duplicate certificate does not cause any issues.

Add the PEM bundle to the ConfigMap

During Domino installation, you can add the contents of the PEM bundle to the domino.yml configuration file under the top-level key custom_certificates. The following is an example:

...
custom_certificates: |
  -----BEGIN CERTIFICATE-----
  MIICKzCCAbGgAwIBAgIKe3G2gla4EnycqDAKBggqhkjOPQQDAzBaMQswCQYDVQQG
  EwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMx
  IDAeBgNVBAMTF2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMB4XDTE4MDIxODE4MzAw
  MFoXDTQzMDIxODE4MzAwMFowWjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln
  biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMSAwHgYDVQQDExdlbVNpZ24gRUND
  IFJvb3QgQ0EgLSBDMzB2MBAGByqGSM49AgEGBSuBBAAiA2IABP2lYa57JhAd6bci
  MK4G9IGzsUJxlTm801Ljr6/58pc1kjZGDoeVjbk5Wum739D+yAdBPLtVb4Ojavti
  sIGJAnB9SMVK4+kiVCJNk7tCDK93nCOmfddhEc5lx/h//vXyqaNCMEAwHQYDVR0O
  BBYEFPtaSNCAIEDyqOkAB2kZd6fmw/TPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
  Af8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMQC02C8Cif22TGK6Q04ThHK1rt0c
  3ta13FaPWEBaLd4gTCKDypOofu4SQMfWh0/434UCMBwUZOR8loMRnLDRWmFLpg9J
  0wD8ofzkpf9/rdcw0Md3f76BB1UwUCAU9Vc4CqgxUQ==
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQswCQYDVQQG
  EwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo
  bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0g
  RzMwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBrMQswCQYDVQQGEwJJ
  TjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9s
  b2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMw
  djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQjpQy4LRL1KPOxst3iAhKAnjlfSU2fySU0
  WXTsuwYc58Byr+iuL+FBVIcUqEqy6HyC5ltqtdyzdc6LBtCGI79G1Y4PPwT01xyS
  fvalY8L1X44uT6EYGQIrMgqCZH0Wk9GjQjBAMB0GA1UdDgQWBBR8XQKEE9TMipuB
  zhccLikenEhjQjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggq
  hkjOPQQDAwNpADBmAjEAvvNhzwIQHWSVB7gYboiFBS+DCBeQyh+KTOgNG3qxrdWB
  CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD
  +JbNR6iC8hZVdyR+EhCVBCyj
  -----END CERTIFICATE-----

The installer copies the contents of the custom certificates into the domino-custom-certificates ConfigMap.

Update the ConfigMap

After Domino is installed and running, you can update the domino-custom-certificates ConfigMap in the default namespace by recreating it. To do this, run the following commands:

kubectl delete configmap domino-custom-certificates
kubectl create configmap domino-custom-certificates --from-file=bundle

where bundle is a file in the current directory that contains the new certificate bundle in concatenated PEM format. The file must be named bundle, because kubectl uses the file name as the ConfigMap key and Domino reads the key named bundle (to use a file with a different name, pass --from-file=bundle=/path/to/file.pem instead).

After changing the certificates, you must restart all services.
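The marker-line rule in the bundle format section above and the ConfigMap update procedure just described are easy to get subtly wrong: a marker pasted with typographic dashes, a marker run together with base64 data, or a stray private key in the file all produce a ConfigMap that Domino cannot use. The following script is an added example, not Domino's own tooling, that validates a concatenated PEM bundle and renders it as the ConfigMap manifest that Domino looks for (key bundle, default namespace) so it can be applied with kubectl apply -f instead of the delete/create pair. The structural checks it performs and the configmap_manifest() helper are this example's own assumptions about a sensible pre-flight; the sample certificate is the first one from the domino.yml example on this page.

```python
"""Validate a concatenated PEM bundle and render the domino-custom-certificates
ConfigMap from it. Added example; not part of the Domino product or docs.
"""
import base64
import hashlib
import re
from typing import List, Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle.

    Raises ValueError on the mistakes that silently break a bundle: a BEGIN/END
    marker that is not exactly on its own line (typographic dashes, marker glued
    to base64 data), unmatched markers, non-certificate blocks such as a private
    key, or a body that is not base64 / not a DER SEQUENCE.
    """
    certs: List[bytes] = []
    body: Optional[List[str]] = None  # base64 lines while inside a block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "BEGIN CERTIFICATE" in line or "END CERTIFICATE" in line:
            if line not in (BEGIN, END):
                raise ValueError(f"line {lineno}: malformed marker {line!r}")
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open block")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {lineno}: END without matching BEGIN")
            certs.append(_decode_der("".join(body), lineno))
            body = None
        elif body is not None:
            if not re.fullmatch(r"[A-Za-z0-9+/=]+", line):
                raise ValueError(f"line {lineno}: non-base64 data inside block")
            body.append(line)
        else:
            # Anything outside BEGIN/END (e.g. a PRIVATE KEY block) is rejected.
            raise ValueError(f"line {lineno}: data outside a certificate block")
    if body is not None:
        raise ValueError("bundle ends inside an open certificate block")
    if not certs:
        raise ValueError("bundle contains no certificates")
    return certs


def _decode_der(b64: str, lineno: int) -> bytes:
    der = base64.b64decode(b64, validate=True)
    # An X.509 certificate is a DER SEQUENCE: tag 0x30, then a length that must
    # cover exactly the rest of the blob (short form < 0x80, else 0x8N + N bytes).
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError(f"block ending at line {lineno}: not a DER SEQUENCE")
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError(f"block ending at line {lineno}: DER length mismatch")
    return der


def bundle_error(text: str) -> Optional[str]:
    """None if the bundle is well-formed, otherwise the first problem found."""
    try:
        parse_pem_bundle(text)
        return None
    except ValueError as exc:
        return str(exc)


def fingerprints(text: str) -> List[str]:
    """SHA-256 fingerprints of each certificate, to confirm which CAs you shipped."""
    return [hashlib.sha256(d).hexdigest() for d in parse_pem_bundle(text)]


def configmap_manifest(text: str, namespace: str = "default") -> str:
    """Render the ConfigMap Domino reads: key `bundle`, PEM as a plain-text block.

    Apply with `kubectl apply -f`, which replaces the existing ConfigMap in place.
    Layout mirrors `kubectl create configmap ... --from-file=bundle` (assumption).
    """
    parse_pem_bundle(text)  # refuse to emit a manifest for a broken bundle
    indented = "\n".join("    " + ln for ln in text.strip().splitlines())
    return (
        "apiVersion: v1\nkind: ConfigMap\nmetadata:\n"
        f"  name: domino-custom-certificates\n  namespace: {namespace}\n"
        f"data:\n  bundle: |\n{indented}\n"
    )


# Sample input: the first certificate from this page's domino.yml example
# (emSign ECC Root CA - C3), used here only as a well-formed PEM block.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIICKzCCAbGgAwIBAgIKe3G2gla4EnycqDAKBggqhkjOPQQDAzBaMQswCQYDVQQG
EwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMx
IDAeBgNVBAMTF2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMB4XDTE4MDIxODE4MzAw
MFoXDTQzMDIxODE4MzAwMFowWjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln
biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMSAwHgYDVQQDExdlbVNpZ24gRUND
IFJvb3QgQ0EgLSBDMzB2MBAGByqGSM49AgEGBSuBBAAiA2IABP2lYa57JhAd6bci
MK4G9IGzsUJxlTm801Ljr6/58pc1kjZGDoeVjbk5Wum739D+yAdBPLtVb4Ojavti
sIGJAnB9SMVK4+kiVCJNk7tCDK93nCOmfddhEc5lx/h//vXyqaNCMEAwHQYDVR0O
BBYEFPtaSNCAIEDyqOkAB2kZd6fmw/TPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
Af8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMQC02C8Cif22TGK6Q04ThHK1rt0c
3ta13FaPWEBaLd4gTCKDypOofu4SQMfWh0/434UCMBwUZOR8loMRnLDRWmFLpg9J
0wD8ofzkpf9/rdcw0Md3f76BB1UwUCAU9Vc4CqgxUQ==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(f"{len(parse_pem_bundle(SAMPLE_BUNDLE))} certificate(s) OK")
    print(configmap_manifest(SAMPLE_BUNDLE))
```

Run the script against your own bundle file, review the fingerprints it reports against the CAs you intended to trust, and pipe the printed manifest to kubectl apply -f -. Because configmap_manifest() validates first, a garbled marker line fails here rather than after the ConfigMap has been replaced and the services restarted.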


Upgrade Domino

When upgrading a Domino deployment to a new version, you can use the custom_certificates key in domino.yml to provide a new certificate bundle.

If the key is not specified, the installer does the following:

  • Any existing domino-custom-certificates bundle continues to be used, and can still be updated independently of the installer.

  • If there is no existing domino-custom-certificates ConfigMap but the legacy domino-executor-certificates ConfigMap exists, the legacy ConfigMap is copied and upgraded to the new format and name.

Copyright © 2022 Domino Data Lab. All rights reserved.