Configuring HTTPS for DCT

This page describes how to configure or replace the HTTPS certificate for DCT based on your deployment scenario.

These instructions apply to user-deployed, containerized versions of DCT, such as Kubernetes, OpenShift, or legacy Docker (EOL) deployments.

For DCT Appliance deployments, see the Configuring network settings page, which also applies to DCT deployments via OVA image.

DCT can be deployed either with direct HTTPS termination (no Ingress controller) or behind an Ingress controller (common in Kubernetes and cloud environments).

Use the section that matches your deployment method.

Direct HTTPS by DCT:

  • DCT listens directly for HTTPS traffic and manages its own TLS certificate.

HTTPS via Ingress Controller:

  • An Ingress controller (such as NGINX Ingress or AWS ALB) manages HTTPS/TLS termination and routes unencrypted traffic to DCT.

Replace HTTPS certificate when DCT terminates TLS

To enable HTTPS for all other deployment methods, DCT creates a unique self-signed certificate when starting for the first time. This certificate and private key are configured in the values.yaml file under:

proxy:
    crt: <certificate_value>
    key: <private_key_value>

To use your own certificates, these default values need to be replaced. They are Base64 encoded values of the certificate and key, respectively. 

  • To generate the Base64 encoded value of the certificate:

    cat my_cert_file.pem | base64 -w 0
  • To generate the Base64 encoded value of the key:

    cat my_private_key.key | base64 -w 0

Generating a new TLS certificate and private key could require the assistance of your Security or IT departments. A new key pair (public and private key) will need to be created, in addition to a certificate signing request (CSR) for that key pair. Your IT department should be able to determine the correct certificate authority (CA) to sign the CSR and produce the new certificate. The common name (CN) of the certificate should match the fully qualified domain name (FQDN) of the host, and the FQDN should also be listed as a Subject Alternative Name (SAN).

  • After changing the crt and key values in the values.yaml file, run the helm upgrade command:

    helm upgrade -f values.yaml dct-services delphix-dct
  • After upgrading the helm chart, restart the proxy pod to pick up the new certificates:

    kubectl rollout restart deployment proxy -n dct-services
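
A pre-flight check for the certificate and key described above, as an added example that is not part of the product documentation: it confirms that the private key belongs to the certificate, that a DNS SAN covers the FQDN, and that the certificate has not expired, then prints the Base64 values for proxy.crt and proxy.key. The function names are hypothetical, the file names and dct.example.com are placeholders, and OpenSSL 1.1.1 or later is assumed.

```bash
# Added example, not part of the product documentation. Function names are
# hypothetical; pass your own certificate, key and FQDN as arguments.

# Succeeds only if the key's public half equals the certificate's public key.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" stops openssl prompting; a passphrase-protected key fails here.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate has DNS SAN entries and they cover the FQDN.
# Once a DNS SAN is present, -checkhost ignores the common name (wildcards apply).
san_covers_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -q 'DNS:' || return 1
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Runs every check, then prints the values.yaml fragment with Base64 values.
# Return codes: 1 key mismatch, 2 SAN does not cover FQDN, 3 certificate expired.
preflight() {
    local cert="$1" key="$2" fqdn="$3"
    cert_matches_key "$cert" "$key" ||
        { echo "private key does not match certificate" >&2; return 1; }
    san_covers_host "$cert" "$fqdn" ||
        { echo "no DNS SAN covers $fqdn" >&2; return 2; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 3; }
    printf 'proxy:\n    crt: %s\n    key: %s\n' \
        "$(base64 -w 0 < "$cert")" "$(base64 -w 0 < "$key")"
}

# Usage: sh preflight.sh my_cert_file.pem my_private_key.key dct.example.com
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

The printed fragment contains the private key, so redirect it into a file with restrictive permissions rather than leaving it in terminal scrollback.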

Replace HTTPS certificate when using an Ingress controller

If your deployment uses an Ingress controller (recommended for Kubernetes and cloud), HTTPS/TLS is terminated at the Ingress, and DCT communicates over HTTP within the cluster.

  1. Disable internal TLS on DCT by editing your Helm values or deployment manifest to disable SSL. For example, in values.yaml:

    useSSL: false
    1. Apply the change:

      helm upgrade dct-services -f values.yaml delphix-dct
  2. Install your certificate with the Ingress controller:

    1. NGINX Ingress example:

      1. Create a Kubernetes TLS secret containing your certificate and key:

        kubectl create secret tls dct-tls-secret --cert=your-cert.crt --key=your-key.key -n <namespace>
      2. Reference the secret in your Ingress resource:

        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          name: dct-ingress
          annotations:
            nginx.ingress.kubernetes.io/ssl-redirect: "true"
        spec:
          tls:
            - hosts:
                - dct.example.com
              secretName: dct-tls-secret
          rules:
            - host: dct.example.com
              http:
                paths:
                  - path: /
                    pathType: Prefix
                    backend:
                      service:
                        name: proxy
                        port:
                          number: 80

    2. AWS ALB Ingress example:

      1. Configure the alb.ingress.kubernetes.io/certificate-arn annotation and reference your ACM certificate ARN.

    3. Other Ingress Controllers:

      1. Refer to the documentation for your specific Ingress controller.

  3. Access DCT at the HTTPS URL provided by your Ingress. Confirm the new certificate is active.