Version: 0.29.0

TLS and Certificates

TLS configuration

By default the dashboard will listen on 0.0.0.0:9001 with TLS disabled and without exposing any external connection.

Exposing services without TLS if not recommended. Without a certificate, a user can't be sure they are using the right service, and the traffic will be easily monitored, or even tampered with. All communication between the user and an endpoint with TLS will be encrypted.

To expose an external connection, you must first configure TLS. TLS termination can be provided via an ingress controller or directly by the dashboard. In either case, the Helm Release must be updated. To have the dashboard itself handle TLS, you must create a tls secret containing the cert and key:

kubectl create secret tls my-tls-secret \
  --cert=path/to/cert/file \
  --key=path/to/key/file

and reference it from the helm release:

  values:
    serverTLS:
      enabled: true
      secretName: "my-tls-secret"

If you prefer to delegate TLS handling to the ingress controller instead, your helm release should look like:

  values:
    ingress:
      enabled: true
      ... other parameters specific to the ingress type ...

cert-manager

Install cert-manager and request a Certificate in the flux-system namespace. Provide the name of secret associated with the certificate to the weave-gitops-enterprise HelmRelease as described above.

TLS configuration​

cert-manager​

TLS configuration

cert-manager