Configure secure HTTPS access to your TrueFoundry deployment
This guide explains how to configure TLS certificates to enable secure HTTPS access to your TrueFoundry deployment. We’ll cover multiple approaches based on your cloud provider.
| Cloud Provider | Recommended Method | Alternative Methods | Reference Guide |
|---|---|---|---|
| AWS | AWS Certificate Manager | cert-manager with DNS validation | AWS DNS & TLS Setup |
| GCP | cert-manager with Cloud DNS | Manual certificate files | GCP DNS & TLS Setup |
| Azure | cert-manager with Azure DNS | Manual certificate files | Azure DNS & TLS Setup |
| Generic | Manual certificate files | cert-manager with Let’s Encrypt | Generic Cluster Setup |
When running TrueFoundry on AWS EKS, you have two options for TLS termination: terminating TLS at the Network Load Balancer with a certificate from AWS Certificate Manager (ACM), or issuing certificates in-cluster with cert-manager using DNS validation.
For production AWS deployments, terminating TLS at the Network Load Balancer using ACM is recommended for best performance and manageability.
Create a certificate in ACM for your domain (e.g., *.example.com).
Validate domain ownership:
Add the CNAME records provided by ACM to your DNS provider
Wait for the certificate to change to “Active” status (this may take 30 minutes or longer)
Copy the certificate ARN for the next step (the format is arn:aws:acm:region:account:certificate/certificate-id).
Apply the certificate to your TrueFoundry deployment:
Configure domain routing:
For GCP deployments, we recommend using cert-manager with Let’s Encrypt and GCP Cloud DNS for automatic certificate issuance and renewal.
Prerequisites
This approach requires workload identity to be enabled on your GKE cluster. For clusters created through Terraform code generated by TrueFoundry, this is enabled by default.
Add the nameservers from the output to your domain registrar (GoDaddy, Namecheap, etc.).
If using an existing DNS zone, you can list all zones and find yours:
Note: If you installed your cluster using Terraform code generated by the TrueFoundry platform, cert-manager is already installed and configured correctly. You can skip this step and proceed to Step 4.
In the TrueFoundry platform, navigate to Integrations
Select your cluster
Click the three dots and select Manage Applications
Install cert-manager if not already installed
If already installed, edit its configuration:
Replace placeholders with your actual values.
Get your cluster credentials:
Create an issuer for Let’s Encrypt:
Request a certificate:
Check certificate status:
If the certificate remains in a non-ready state for more than 10 minutes, check the cert-manager logs:
In the TrueFoundry platform, navigate to Deployments > Helm
Filter for your cluster and select tfy-istio-ingress
Update the configuration with your actual domain (e.g., example.com).
For Azure deployments, we use cert-manager with Let’s Encrypt and Azure DNS for automated certificate management.
If needed, enable workload identity on your AKS cluster:
Create a DNS zone (or use an existing one):
Add the nameservers from the output to your domain registrar.
If using an existing DNS zone:
In TrueFoundry, navigate to Integrations > [Your Cluster] > Manage Applications
Install cert-manager if not already installed
Configure with these values:
Get your cluster credentials:
Create an issuer:
Request a certificate:
Check certificate status:
Follow the same configuration steps as in the GCP section to set up your ingress gateway with the TLS certificate, using your actual domain (e.g., example.com).
For generic Kubernetes clusters, you can use cert-manager with Let’s Encrypt to automatically issue and manage certificates.
To install cert-manager through TrueFoundry’s Addon/Helm section:
Add the following VirtualService to ensure ACME HTTP-01 challenge requests are routed correctly to the cert-manager solver:
Notes:
Replace <your-domain-here> with your actual domain (e.g., example.com or *.example.com).
The host under destination should match the name of the cert-manager solver service. It is usually cm-acme-http-solver, but you can confirm this by listing the services in the namespace where the ingress gateway runs (typically istio-system).
If you have your own certificate files (e.g., from another certificate provider or self-signed), you can use them directly with TrueFoundry.
This method is particularly useful for generic Kubernetes deployments or when you want to use certificates issued by your organization’s certificate authority.
If you already have certificate and key files:
Create a Kubernetes secret with your certificate and key:
Alternatively, you can create the secret using a YAML definition:
Tip
To encode your certificate and key files in base64:
Configure the ingress gateway to use your certificate:
For testing or internal use, you can generate self-signed certificates:
Then configure your gateway to use the self-signed-tls secret as shown in Option 1.
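The following is an added example, not TrueFoundry's or cert-manager's own tooling, covering both Option 1 (building the kubernetes.io/tls Secret from PEM files) and the self-signed path just described: it generates a self-signed certificate that carries a SAN, checks that the certificate and key files are what the tls.crt / tls.key keys expect, and emits the Secret manifest. The secret name self-signed-tls and namespace istio-system are the ones used in this guide; POSIX sh, coreutils base64 and OpenSSL 1.1.1 or newer (for -addext) are assumed.

```shell
# Added example, not TrueFoundry's own tooling: create a self-signed certificate
# with a SAN (modern clients require one and ignore the CN) and package cert + key
# as a kubernetes.io/tls Secret manifest, refusing swapped, encrypted or mismatched
# files. Assumes POSIX sh, coreutils base64, OpenSSL >= 1.1.1; names are placeholders.
is_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; }
# Unencrypted PKCS#8, RSA or EC keys only: the gateway cannot answer a passphrase prompt
is_key() {
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null &&
  ! grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}
# base64 with no line wrapping; GNU and BSD base64 disagree on -w/-b, tr avoids both
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# selfsigned_cert DOMAIN OUTDIR: writes OUTDIR/tls.key and OUTDIR/tls.crt, valid 365 days
selfsigned_cert() {
  mkdir -p "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2/tls.key" -out "$2/tls.crt" 2>/dev/null
}

# cert_matches_key CERT KEY: 0 if both carry the same public key, catching the
# classic mistake of pairing a renewed certificate with the previous key
cert_matches_key() {
  c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# tls_secret_yaml NAME NAMESPACE CERT KEY: prints the Secret manifest, or prints
# an error and returns 1 when tls.crt / tls.key would not hold what their names say
tls_secret_yaml() {
  is_cert "$3" || { echo "error: $3 is not a PEM certificate" >&2; return 1; }
  is_key "$4"  || { echo "error: $4 is not an unencrypted PEM private key" >&2; return 1; }
  is_cert "$4" && { echo "error: $4 also contains a certificate" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1 && ! cert_matches_key "$3" "$4"; then
    echo "error: $3 and $4 do not belong together" >&2; return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$3")
  tls.key: $(b64_oneline "$4")
EOF
}
```

Typical use: `selfsigned_cert test.example.com ./ss && tls_secret_yaml self-signed-tls istio-system ./ss/tls.crt ./ss/tls.key | kubectl apply -f -`, where istio-system is assumed to be the namespace of the ingress gateway.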
Warning
Self-signed certificates will cause browser warnings. They should only be used for testing or internal systems.