Configuring SSL Encryption for VAST COSI Driver

Overview

You can secure the connection between VAST COSI Driver and the VAST cluster with SSL encryption as follows:

  1. Enable SSL encryption.

  2. Do one of the following to install an SSL certificate:

    • If you want to use a Certificate Authority (CA)-signed SSL certificate, upload it to the VAST cluster. Follow the SSL certificate upload procedure provided in the VAST Cluster Administrator's Guide.

    • If you want to use a self-signed SSL certificate, supply it to the VAST driver.

Enable SSL Encryption

By default, SSL encryption is disabled.

To enable SSL encryption:

  1. Add the verifySsl=true option to the VAST COSI Driver chart configuration file, for example:

    secretName: "vast-mgmt"
    endpoint: "my.endpoint"
    verifySsl: true
    <...>

  2. Install or upgrade the VAST COSI Driver Helm chart.

Uploading a CA-Signed SSL Certificate to VAST Cluster

Follow the guidelines provided in the VAST Cluster Administrator's Guide to upload a CA-signed SSL certificate to the VAST cluster.

Supplying a Self-Signed SSL Certificate to VAST COSI Driver

You can either point to a file that contains a self-signed SSL certificate, or specify an existing Kubernetes secret that contains the certificate. These two methods are mutually exclusive.

Do either of the following:

  • Install or upgrade the VAST COSI Driver Helm chart with the --set-file sslCert=<path to certificate file> option specified, for example:

    helm install cosi-driver vastcosi/vastcosi -f values.yaml --set-file sslCert=<path to certificate file>

OR

  • Create a Kubernetes secret with the SSL certificate and specify the secret using the sslCertsSecretName option in the VAST COSI Driver Helm chart configuration file:

    1. Create a Kubernetes secret that contains the SSL certificate, for example:

      kubectl create secret generic vast-ca --from-file=ca-bundle.crt=<path to certificate file>

    2. Specify the newly created secret in the sslCertsSecretName option in the configuration file, for example:

      secretName: "vast-mgmt"
      endpoint: "my.endpoint"
      verifySsl: true
      sslCertsSecretName: "vast-ca"
      <...>

    3. Install or upgrade the VAST driver Helm chart (without specifying --set-file sslCert).
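
A pre-flight check for the two methods above, as an added example that is not part of the VAST documentation or the driver's chart: it confirms verifySsl is true, rejects --set-file sslCert combined with sslCertsSecretName, and refuses a certificate file that also contains a private key. It assumes a PEM-encoded certificate and top-level keys written one per line as in the snippets above; yaml_value and preflight are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not VAST code. Assumptions: values keys are top-level,
# one per line (as in the snippets above); the certificate file is PEM.

# yaml_value FILE KEY: print the value of a top-level "KEY: value" line.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' |
        head -n 1
}

# preflight VALUES_FILE [CERT_FILE]
# CERT_FILE is the file you intend to pass as --set-file sslCert=<file>.
# Prints "ok" or the reason for rejection; returns 0 or 1 accordingly.
preflight() {
    values=$1
    cert=${2:-}
    verify=$(yaml_value "$values" verifySsl)
    secret=$(yaml_value "$values" sslCertsSecretName)

    if [ "$verify" != "true" ]; then
        echo "verifySsl is not true in $values"
        return 1
    fi
    # The page states that the two supply methods are mutually exclusive.
    if [ -n "$cert" ] && [ -n "$secret" ]; then
        echo "both --set-file sslCert and sslCertsSecretName are set"
        return 1
    fi
    if [ -n "$cert" ]; then
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
            echo "$cert contains no PEM certificate block"
            return 1
        fi
        # The client side only needs the certificate to trust; the
        # private key should stay with the server.
        if grep -q -e 'PRIVATE KEY-----' "$cert"; then
            echo "$cert contains a private key"
            return 1
        fi
    fi
    echo "ok"
}

# Usage: preflight values.yaml ./vast-ca.crt && helm upgrade ...
```

Call preflight with only the values file when the certificate is supplied through sslCertsSecretName.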

Replacing a Self-Signed SSL Certificate for VAST COSI Driver

Choose either of the following, depending on how you supplied the old self-signed SSL certificate:

  • If you supplied the old SSL certificate using the --set-file sslCert option on the Helm chart install or upgrade command:

    • Upgrade the Helm chart with --set-file sslCert pointing to the new SSL certificate file. For example:

      helm upgrade cosi-driver vastcosi/vastcosi -f values.yaml --set-file sslCert=<path to new certificate>

OR

  • If the old SSL certificate was supplied via sslCertsSecretName in the VAST COSI Driver Helm chart configuration file:

    1. Create a new Kubernetes secret with the new SSL certificate:

      kubectl create secret generic vast-ca-new --from-file=ca-bundle.crt=<path to new certificate file>

    2. Ensure that the new secret is specified in the sslCertsSecretName option in the VAST COSI Driver Helm chart configuration file:

      secretName: "vast-mgmt"
      endpoint: "my.endpoint"
      verifySsl: true
      sslCertsSecretName: "vast-ca-new"
      <...>

    3. Upgrade the Helm chart, for example:

      helm upgrade cosi-driver vastcosi/vastcosi -f values.yaml

Removing a Self-Signed SSL Certificate from VAST COSI Driver

Choose either of the following, depending on how you supplied the self-signed SSL certificate:

  • If you used --set-file sslCert to supply the SSL certificate:

    • Upgrade the Helm chart without the --set-file sslCert option specified. For example:

      helm upgrade cosi-driver vastcosi/vastcosi -f values.yaml

OR

  • If the old SSL certificate was supplied via sslCertsSecretName:

    1. Remove the sslCertsSecretName option from the VAST COSI Driver Helm chart configuration file.

    2. Upgrade the Helm chart (without specifying --set-file sslCert), for example:

      helm upgrade cosi-driver vastcosi/vastcosi -f values.yaml