SSL/TLS encryption
BigHammer uses SSL/TLS (HTTPS) at the cluster edge to encrypt traffic between clients and the platform. TLS terminates on nginx Ingress — not on the Azure load balancer (L4 passthrough).
This page covers edge HTTPS certificates. PostgreSQL client SSL is separate — see postgresSSLMode in Platform Deployment and Key Vault Secrets.
Certificate lifecycle (Option A — Let's Encrypt)
- cert-manager proves domain control via DNS-01 (TXT records in Azure DNS).
- Let's Encrypt issues a certificate; cert-manager stores it in Kubernetes secret
<env>-az-bighammer-tls(name configurable). - PushSecret (External Secrets Operator) copies
tls.crt/tls.keyto Key Vault. - nginx Ingress mounts the Kubernetes TLS secret for HTTPS.
- Application pods (for example Keycloak) read PEM material from Key Vault via
global.remoteSecrets.tlsand ExternalSecrets.
Where certificates are stored
| Store | Name | Keys / format | Written by | Read by |
|---|---|---|---|---|
| Kubernetes Secret | <env>-az-bighammer-tls in bh-control-plane | tls.crt, tls.key (kubernetes.io/tls) | cert-manager (Certificate) or kubectl create secret tls | nginx Ingress |
| Key Vault | <env>-az-bighammer-tls-crt | PEM certificate | PushSecret (Option A) or az keyvault secret set (Option B) | bighammer ExternalSecrets → Keycloak and other consumers |
| Key Vault | <env>-az-bighammer-tls-key | PEM private key | PushSecret (Option A) or az keyvault secret set (Option B) | Same |
Default Key Vault secret names are configured in bighammer values:
global:
remoteSecrets:
tls:
cert: <env>-az-bighammer-tls-crt
key: <env>-az-bighammer-tls-key
See Key Vault Secrets.
How the bighammer chart references TLS
| Consumer | Mechanism | Values / template |
|---|---|---|
| nginx Ingress | spec.tls.secretName on bh-ingress | global.ingress.tlsSecretName |
| Keycloak | ExternalSecret pulls Key Vault PEM into pod secret | global.remoteSecrets.tls.cert / .key |
global:
ingress:
enabled: true
tlsSecretName: <env>-az-bighammer-tls
All hostnames listed under global.ingress.*HostName use this TLS secret on the single bh-ingress resource.
Keycloak does not read the Ingress TLS secret directly. It syncs certificate and key from Key Vault:
# ExternalSecret data keys (from chart template)
KC_HTTPS_CERTIFICATE_FILE → Key Vault: global.remoteSecrets.tls.cert
KC_HTTPS_CERTIFICATE_KEY_FILE → Key Vault: global.remoteSecrets.tls.key
Option A requires both the Kubernetes TLS secret (edge) and Key Vault copies (apps).
Option A — Let's Encrypt (cert-manager + DNS-01)
Best for: Dev / non-prod with a public Azure DNS zone.
Sample manifests in the Helm chart
The bighammer chart ships reference manifests under cert-manager/ (applied with kubectl, not via helm install):
| File | Kubernetes resource |
|---|---|
cert-manager/cluster-issuer.yaml | Issuer — Let's Encrypt + Azure DNS |
cert-manager/wildcard-cert.yaml | Certificate — wildcard request |
cert-manager/push-secret.yaml | PushSecret — sync to Key Vault |
tar -xzf bighammer-<version>.tgz
ls bighammer/cert-manager/
Prerequisites
| # | Requirement | Doc |
|---|---|---|
| 1 | cert-manager cert-manager-v1.19.2 in cluster | Prerequisites — add-ons |
| 2 | External Secrets Operator | External Secrets Operator |
| 3 | Workload Identity — ESO + cert-manager DNS access | Workload Identity |
| 4 | Azure DNS public zone for your domain | Infrastructure |
| 5 | cert-manager controller identity with DNS Zone Contributor on the zone | DNS-01 challenge |
| 6 | SecretStore/azure-secret-store in bh-control-plane | Created by bighammer chart or platform bootstrap |
| 7 | PushSecret-capable ESO version | Reference: ESO 0.18.x (PushSecret is v1alpha1) |
Provision — apply order
kubectl apply -f cluster-issuer.yaml
kubectl apply -f wildcard-cert.yaml
# Wait until Certificate is Ready and secret <env>-az-bighammer-tls exists
kubectl apply -f push-secret.yaml
Customize cluster-issuer.yaml for your Azure subscription, resource group, and DNS zone before apply.
Wire up bighammer values
global:
remoteSecrets:
tls:
cert: <env>-az-bighammer-tls-crt
key: <env>-az-bighammer-tls-key
ingress:
enabled: true
tlsSecretName: <env>-az-bighammer-tls
Renewal
Automatic — cert-manager renews ~30 days before expiry and updates the Kubernetes TLS secret. PushSecret propagates new PEM to Key Vault on its refreshInterval. No Helm value changes needed if secret names stay the same.
Option B — Private SSL/TLS certificate
Best for: Production, corporate CA, or environments without public DNS-01.
- Obtain wildcard or SAN certificate from your CA (PEM cert + key).
- Store in Key Vault (names must match
global.remoteSecrets.tls):
az keyvault secret set --vault-name <VAULT> \
--name <env>-az-bighammer-tls-crt --file wildcard.crt
az keyvault secret set --vault-name <VAULT> \
--name <env>-az-bighammer-tls-key --file wildcard.key
- Create the Kubernetes TLS secret in
bh-control-plane:
kubectl create secret tls <env>-az-bighammer-tls \
--cert=wildcard.crt \
--key=wildcard.key \
-n bh-control-plane
- Set
global.ingress.tlsSecretName: <env>-az-bighammer-tlsand re-runhelm upgrade.
Option B skips cert-manager manifests; you maintain renewal and Key Vault uploads manually.
Comparison
| Option A (Let's Encrypt) | Option B (Private cert) | |
|---|---|---|
| Cost | Free | CA-dependent |
| Automation | Full (cert-manager + PushSecret) | Manual renewal |
| DNS | Public Azure DNS + DNS-01 | Any DNS |
| K8s secret | cert-manager creates <env>-az-bighammer-tls | You create with kubectl |
| Key Vault | PushSecret populates crt/key secrets | You upload with az keyvault secret set |
| Manifests | 3 files in chart cert-manager/ | None |
| Prod fit | Dev / staging | Recommended for prod |
Verify TLS
kubectl get secret <env>-az-bighammer-tls -n bh-control-plane
kubectl get issuer,certificate,pushsecret -n bh-control-plane
kubectl get ingress -n bh-control-plane -o yaml | grep -A2 tls
curl -vI https://<your-hostname>
DNS records
TLS certificates prove hostname identity; clients still need DNS A records pointing to your load balancer:
kubectl get svc -n ingress-nginx
Hostnames must match certificate SANs (dnsNames in wildcard-cert.yaml or your private cert).
ClusterSecretStore (multi-namespace TLS)
If multiple namespaces (for example Airflow) need the same wildcard certificate, use a ClusterSecretStore to sync once from Key Vault. See the legacy page ClusterSecretStore for TLS for YAML examples.
Related
| Topic | Link |
|---|---|
| NGINX install | NGINX Ingress Deployment |
| Key Vault mapping | Key Vault Secrets |
| Platform deploy | Platform Deployment |