Configure TLS on Kubernetes
This page provides steps to configure TLS for your Appsmith deployment using a free Let's Encrypt
certificate.
Prerequisites
- A domain name.
- Ports 80 and 443 are open and accessible.
- A self-hosted Appsmith instance on Kubernetes. See the Kubernetes installation guide for installing Appsmith.
- Expose K8s to Internet.
Configure TLS (HTTPS) with Let's Encrypt
If you see permission errors when running these commands on Google Kubernetes Engine (GKE), refer to the official cert-manager documentation on how to elevate your permissions.
Follow these steps to configure TLS:
Get the
LoadBalancer
hostname with:kubectl get svc --namespace ingress-nginx ingress-nginx-controller -o jsonpath="{.status.loadBalancer.ingress[0].hostname}"
Confirm that you can access your Appsmith instance by browsing the hostname.
Create a
CNAME
record for theLoadBalancer
hostname in your DNS configuration.Add the repository with:
helm repo add jetstack https://charts.jetstack.io
Create a namespace for cert-manager with:
kubectl create namespace cert-manager
Create custom resource definitions with:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.crds.yaml
Create a
ClusterIssuer
resource for Let's Encrypt certificates. Create a file with the below content. Replace the<EMAIL_ADDRESS>
placeholder with a valid email address. Save the file asletsencrypt-appsmith.yaml
.apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-appsmith
spec:
acme:
email: <EMAIL_ADDRESS>
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-appsmith
solvers:
- http01:
ingress:
class: nginxApply the changes to the cluster with:
kubectl apply -f letsencrypt-appsmith.yaml
Install cert-manager and set up
Let's Encrypt
as the default Certificate Authority (CA) with:helm install cert-manager --namespace cert-manager jetstack/cert-manager --version v1.5.3
Install Appsmith with integration to Ingress and cert-manager.
- Community Edition
- Commercial Edition
You can use the helm upgrade
command to update your Appsmith installation in one of two ways:
Use the below command to update Appsmith using Helm parameters. In this command, replace
<DOMAIN>
with your domain name.helm upgrade appsmith appsmith/appsmith \
--set service.type=ClusterIP \
--set ingress.enabled=true \
--set ingress.tls=true \
--set ingress.certManager=true \
--set ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-appsmith \
--set ingress.hosts[0].host=<DOMAIN> \
--set ingress.certManagerTls[0].hosts[0]=<DOMAIN> \
--set ingress.certManagerTls[0].secretName=letsencrypt-appsmith
--set ingress.className=nginxOr use `values.yaml file to update parameters. Follow these steps to update:
Open the
values.yaml
file and make the necessary changes to the parameters as shown below:ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-appsmith"
hosts:
- host: example.appsmith.com
tls: true
secrets: []
certManager: true
certManagerTls:
- hosts:
- example.appsmith.com
secretName: letsencrypt-appsmith
className: "nginx"Run the below command once the parameter values are updated:
helm upgrade -i appsmith -f values.yaml appsmith appsmith/appsmith
You can use the helm upgrade
command in one of the two ways:
- Use the below command to update Helm parameters. Replace
<DOMAIN>
with your domain name.
helm upgrade appsmith appsmith-ee/appsmith \
--set service.type=ClusterIP \
--set ingress.enabled=true \
--set ingress.tls=true \
--set ingress.certManager=true \
--set ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-appsmith \
--set ingress.hosts[0].host=<DOMAIN> \
--set ingress.certManagerTls[0].hosts[0]=<DOMAIN> \
--set ingress.certManagerTls[0].secretName=letsencrypt-appsmith
--set ingress.className=nginx
Or use the
values.yaml
file to update parameters. Follow these steps to update:- Open the
values.yaml
file, and make changes to the parameters as shown below:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-appsmith"
hosts:
- host: example.appsmith.com
tls: true
secrets: []
certManager: true
certManagerTls:
- hosts:
- example.appsmith.com
secretName: letsencrypt-appsmith
className: "nginx"- Run the below command once the parameter values are updated:
helm upgrade -i appsmith -f values.yaml appsmith appsmith-ee/appsmith
- Open the
You can now access Appsmith via a secure TLS connection with a valid Let's Encrypt certificate. Verify this by opening the site in a browser.
Troubleshooting
If you’re having issues using Appsmith after configuring TLS, see the Unable to Access Appsmith guide.
If you continue to face issues, reach out to support@appsmith.com.