Custom TLS certificate
Learn how to enable and work with custom TLS certificates.
Quick navigation: Prerequisites | Supported TLS certificate types | Configure your custom TLS certificate | Access Orka from your custom domain | Access Orka from any domain | Limitations
You can use your own TLS certificate (with a domain such as company.com) to access your Orka environment instead of the custom Orka domain (such as company.orka.app) and instead of the default Orka endpoints (10.221.188.100 or 10.10.10.100).
Custom TLS certificates provide an additional level of security and compliance. They require access via HTTPS.
Prerequisites
Before you begin, you must have your own certificate and private key file that meet the following requirements:
- Both files are in PEM format.
- The certificate can be a bundle that contains your server, intermediates, and root certificates concatenated (in the proper order) into one file. The necessary certificates must be enabled as trusted certificates on the clients that connect to the cluster.
- The private key is not passphrase protected.
Supported TLS certificate types
Orka allows you to use any of the following TLS certificates:
- Single-domain TLS certificate with a domain name such as company.com.
- Multi-domain TLS certificate with domain names such as app1.company.com, app2.company.com, etc.
- Wildcard TLS certificate with a domain name such as *.company.com.
NOTE: The asterisk (*) must be in the leftmost position of the domain name. It is not possible to use a double wildcard certificate for a domain (for example, *.*.company.com).
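The prerequisites and the supported certificate types above can be checked locally before anything is uploaded. The following script is an added example, not part of the Orka documentation or tooling; it uses only the Python standard library and inspects the PEM text itself (both files are PEM, the key carries no passphrase, the certificate file is a bundle of CERTIFICATE blocks) and applies the wildcard rule from the note. The PEM bodies at the bottom are constructed placeholders, not real key material, and the file contents would normally be read from disk.

```python
"""Pre-flight checks for a custom TLS certificate and key (added example, not Orka's code)."""
import re

# One PEM block: BEGIN/END lines with matching labels, body captured verbatim.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def pem_blocks(text):
    """Return (label, body) for every PEM block found in text."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]


def check_certificate_bundle(cert_text):
    """Return the number of CERTIFICATE blocks; raise if the file is not a PEM cert bundle."""
    blocks = pem_blocks(cert_text)
    if not blocks:
        raise ValueError("certificate file contains no PEM blocks")
    bad = [label for label, _ in blocks if label not in CERT_LABELS]
    if bad:
        raise ValueError(f"unexpected PEM block(s) in certificate file: {bad}")
    return len(blocks)


def check_private_key(key_text):
    """Return the key's PEM label; raise if the file is not PEM or is passphrase protected."""
    blocks = pem_blocks(key_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block in key file, found {len(blocks)}")
    label, body = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("PKCS#8 key is passphrase protected; export it without a passphrase")
    if label not in KEY_LABELS:
        raise ValueError(f"unexpected PEM block in key file: {label}")
    # Legacy PKCS#1 / SEC1 keys signal encryption with header lines before the base64 body.
    if "Proc-Type: 4,ENCRYPTED" in body or "DEK-Info:" in body:
        raise ValueError(f"{label} is passphrase protected; export it without a passphrase")
    return label


def classify_domain(name):
    """Return 'single' or 'wildcard' for one name; raise if the name is not supported.

    The asterisk may only be the entire leftmost label, so *.*.company.com,
    app*.company.com and app.*.company.com are all rejected.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a valid domain name: {name!r}")
    kind = "single"
    if labels[0] == "*":
        kind = "wildcard"
        labels = labels[1:]
        if len(labels) < 2:
            raise ValueError(f"wildcard needs a registrable domain after it: {name!r}")
    for label in labels:
        if "*" in label:
            raise ValueError(f"wildcard must be the entire leftmost label only: {name!r}")
        if not HOSTNAME_LABEL.match(label):
            raise ValueError(f"invalid label {label!r} in {name!r}")
    return kind


def certificate_type(names):
    """Map the names a certificate covers to 'single', 'multi' or 'wildcard'."""
    kinds = [classify_domain(n) for n in names]
    return kinds[0] if len(kinds) == 1 else "multi"


# Constructed placeholder PEM text (not real certificates or keys) for the self-test below.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...server-placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...intermediate-placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...root-placeholder...\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF\n\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("certificates in bundle:", check_certificate_bundle(SAMPLE_BUNDLE))
    print("key type:", check_private_key(SAMPLE_KEY))
    print("certificate type:", certificate_type(["app1.company.com", "app2.company.com"]))
```

The checks are structural only: they do not verify that the key matches the server certificate or that the bundle is ordered server, intermediates, root, which needs an X.509 parser such as openssl verify.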
Configure your custom TLS certificate
- Connect to your cluster via VPN. For more information, see VPN Connection.
- Make sure you generate your own custom TLS certificate and private key.
- Ensure you have the Orka license key available in your IP Plan.
- Send a POST request to http://<orka-api-url>/resources/cert/set with the certPath and keyPath files attached in the request. Replace the <full-path-to-the-certificate> and <full-path-to-the-private-key> placeholders as needed.
curl -X POST 'http://<orka-api-url>/resources/cert/set' \
--header 'Content-Type: multipart/form-data' \
--header 'Authorization: Bearer <token>' \
--header 'orka-licensekey: <license key>' \
--form 'certPath=@<full-path-to-the-certificate>' \
--form 'keyPath=@<full-path-to-the-private-key>'
- Add an A/AAAA record in your DNS settings that maps your custom domain name to the Orka ingress IP address.
What's the Orka ingress IP address?
The Orka ingress IP address is the .241 address for the Private-1 network from your IP Plan. For example: 10.221.188.241 or 10.10.10.241.
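The same upload and DNS preparation, as an added example that is not part of the Orka documentation or tooling. It reproduces the curl request above with the Python standard library: a hand-built multipart/form-data body with the certPath and keyPath file parts, the Authorization and orka-licensekey headers, and the /resources/cert/set path, all of which come from the page. The API URL, token and license key are placeholders, and ingress_ip assumes the Private-1 network is given as a /24 prefix, as in the two example addresses above.

```python
"""Upload a custom TLS certificate to Orka and derive the ingress address (added example)."""
import ipaddress
import urllib.request
import uuid


def build_multipart(files):
    """Build a multipart/form-data body from {field: (filename, bytes)}.

    Returns (content_type, body). The boundary carries a random suffix so it
    cannot collide with the PEM content of the files.
    """
    boundary = "----OrkaCertUpload" + uuid.uuid4().hex
    parts = []
    for field, (filename, data) in files.items():
        parts.append(
            (
                f"--{boundary}\r\n"
                f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
                f"Content-Type: application/x-pem-file\r\n\r\n"
            ).encode()
            + data
            + b"\r\n"
        )
    body = b"".join(parts) + f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def build_set_cert_request(api_url, token, license_key, cert_pem, key_pem):
    """Return an unsent Request for POST <api_url>/resources/cert/set.

    api_url, token and license_key are placeholders supplied by the caller;
    the path, form field names and header names are those documented for Orka.
    """
    content_type, body = build_multipart(
        {"certPath": ("cert.pem", cert_pem), "keyPath": ("key.pem", key_pem)}
    )
    return urllib.request.Request(
        api_url.rstrip("/") + "/resources/cert/set",
        data=body,
        method="POST",
        headers={
            "Content-Type": content_type,
            "Authorization": f"Bearer {token}",
            "orka-licensekey": license_key,
        },
    )


def set_certificate(api_url, token, license_key, cert_path, key_path):
    """Read the PEM files from disk, send the request and return (status, response body)."""
    with open(cert_path, "rb") as f:
        cert_pem = f.read()
    with open(key_path, "rb") as f:
        key_pem = f.read()
    req = build_set_cert_request(api_url, token, license_key, cert_pem, key_pem)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def ingress_ip(private1_network):
    """Return the .241 host of the Private-1 network, e.g. '10.221.188.0/24' -> '10.221.188.241'.

    Assumes a /24 network, matching the example addresses in the documentation.
    """
    net = ipaddress.ip_network(private1_network, strict=False)
    return str(net.network_address + 241)


if __name__ == "__main__":
    # Placeholders only; point ORKA_API_URL at your own Orka API endpoint over the VPN.
    ORKA_API_URL = "http://10.221.188.100"
    req = build_set_cert_request(ORKA_API_URL, "<token>", "<license key>", b"<cert pem>", b"<key pem>")
    print(req.get_method(), req.full_url, len(req.data), "bytes")
    print("DNS A record target:", ingress_ip("10.221.188.0/24"))
```

build_set_cert_request only constructs the request, so the body can be inspected before it is sent; set_certificate performs the actual upload over the VPN connection.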
Access Orka from your custom domain
- For the Orka API, change your API requests to target https://<your-custom-domain>.
- For the Orka CLI, run orka config and change the URL setting to https://<your-custom-domain>.
- For the Orka Web UI, open https://<your-custom-domain> in your browser.
- For CI/CD integrations, switch to https://<your-custom-domain> in the respective plugin configuration.
You must use HTTPS with your custom TLS domain.
TIP
You can use your Orka API endpoint (http://10.10.10.100 or http://10.221.188.100) and your custom TLS domain (https://company.com) interchangeably in your workflows.
Access Orka from any domain
- Generate a self-signed TLS certificate by running openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes and following the prompts.
- Upload the self-signed certificate to the Orka server using the steps described in Configure your custom TLS certificate above.
- Ensure the self-signed TLS certificate is trusted according to your configuration. For example:
  - For requests to the Orka API, trust the certificate on your local system.
  - For the Orka CLI, run export NODE_EXTRA_CA_CERTS=<path-to-your-self-signed-certificate> and then run orka config.
  - For the Orka Web UI, add the certificate to the trusted store of your browser.
Limitations
- You cannot use the Orka app domain together with a custom TLS certificate.
- You cannot use more than one custom TLS certificate at the same time.
- You can use a custom TLS certificate only if your environment is updated to Orka 1.5.0 or later.