Skip to content

Ingress certification

The kdb Insights Enterprise uses ingress in order to route external client requests into the application. TLS certificates are used to secure this communication and must be provisioned for the application. There are two supported modes of doing this as part of the install (link).


In this mode kdb Insights Enterprise will use cert-manager to issue certificates. This is the default mode.


In some cases it may be preferable to self-manage certificates, especially if there is a preference to use a cert authority not supported by cert-manager, e.g. DigiCert. The certificates must be provisioned outside the application and deployed to the cluster. Within this option there are a couple of available modes described below.

User-provided cert

For this mode you will need a TLS certificate and key. These can be generated by a trusted CA or self-signed. These are passed as options to the CLI as part of the install and will persist them to a Kubernetes secret for the application to use.

kxi install setup --ingress-cert <CA_CRT_PATH> --ingress-key <CA_KEY_PATH>
Checking ingress configuration...
Using ingress.cert <CA_CRT_PATH> from command line option
Using ingress.key <CA_KEY_PATH> from command line option
Secret kxi-ingress-cert successfully created

Using an existing secret

If you already have a Kubernetes secret containing your self-managed certificate, then you can point the install at this.

kxi install setup --ingress-cert-secret <INGRESS_SECRET_NAME>
Checking ingress configuration...
Using existing valid secret <INGRESS_SECRET_NAME>

Ingress default certificate

If your ingress controller is configured with a TLS certificate, you may want to use this for your deployment. This can be enabled by passing the --ingress-certmanager-disabled flag to the install. This disables cert manager and doesn't configure any certificate for the application ingress, hence inheriting the ingress controller default.

kxi install setup --ingress-certmanager-disabled


Ingress certs may need to be rotated e.g. for security or expiry reasons. Self-managed certs need to be manually renewed by updating the kubernetes secret with the latest cert and key.

kubectl delete secret kxi-ingress-cert
kubectl create secret kxi-ingress-cert --cert=<CA_CRT_PATH> --key=<CA_KEY_PATH>