Enabling SSL for Runtime


Enabling SSL ensures secure communication between the PlainID Runtime and external components by encrypting all traffic over HTTPS. This article explains how to configure SSL for the Runtime component in both Kubernetes and Standalone deployments.

The process includes creating SSL certificates, configuring environment variables, enabling HTTPS, and updating probes and ports accordingly.


Prerequisites

Before starting, ensure you have:

  • A valid SSL certificate and private key (self-signed or issued by a trusted authority).
  • Access to your Kubernetes cluster or Standalone environment configuration.
  • Permissions to modify Runtime Helm chart values or environment variables.

Configuration

1. Create an SSL Certificate Secret
Prepare your private key and server certificate, and store them as a Kubernetes Secret. This can be done as part of the Helm Chart using extraManifests (refer to the complete example at the bottom of this page).

  • Kubernetes: Store the certificate and key as a Kubernetes Secret. Configure this using extraManifests in your Helm chart.
  • Standalone: Specify the file system path to the certificate and private key directly in your configuration.

2. Configure Java Keystore Environment Variables
Modify the required environment variables for configuring the Java keystore:

  • runtime.extraEnv.RTCONF_SSL__KEYSTORE_PATH – Path inside the container for the Java keystore.
  • runtime.extraEnvSecrets.RTCONF_SSL__KEYSTORE_PASSWORD – Password for the Java keystore.

For Standalone deployments, manually create and populate this keystore.


3. Enable SSL in the Application
Configure the Runtime to enable SSL:

runtime:
  extraEnv:
    RTCONF_SSL__IS_HTTPS: "true"

4. Configure Custom Health Check Port (Optional)
Set a custom port for the health check API endpoint:

runtime:
  extraEnv:
    RTCONF_SERVICE_MGMT_PORT: "3000"

5. Change Health Check Probes to Use HTTPS
When SSL is enabled, configure the probes to use the HTTPS scheme.

  • For Standalone deployments, ensure your health check client supports HTTPS and targets the correct port and certificate configuration.

Note:
Kubernetes does not validate the certificate: the kubelet skips certificate verification for HTTPS probes, so a self-signed certificate works for the probes. For more details, see the Kubernetes documentation.

runtime:
  livenessProbe:
    scheme: "HTTPS"
  readinessProbe:
    scheme: "HTTPS"

6. Mount SSL Certificates
Mount the certificates from the secret created in step 1:

runtime:
  extraVolumes:
    - name: runtime-ssl-certificate
      secret:
        secretName: runtime-ssl-certificate
  extraVolumeMounts:
    - mountPath: "/app/ssl"
      name: runtime-ssl-certificate
      readOnly: true

7. Configure Runtime Command
Modify the runtime pod command to import the certificate to the Java keystore before starting the application:

runtime:
  command:
    - /bin/sh
    - -ec
    - |
      # Bundle the mounted key and certificate into a temporary PKCS#12 file
      openssl pkcs12 -export -out /tmp/placeholder.p12 -inkey /app/ssl/server.key -in /app/ssl/server.crt -password pass:${RTCONF_SSL__KEYSTORE_PASSWORD}
      # Import that bundle into the Java keystore the Runtime reads (RTCONF_SSL__KEYSTORE_PATH)
      keytool -importkeystore -deststorepass ${RTCONF_SSL__KEYSTORE_PASSWORD} -destkeystore ${RTCONF_SSL__KEYSTORE_PATH} -srckeystore /tmp/placeholder.p12 -srcstoretype PKCS12 -srcstorepass ${RTCONF_SSL__KEYSTORE_PASSWORD}
      # Start the Runtime as usual
      java ${JVM_OPTS} --add-exports java.base/sun.security.util=ALL-UNNAMED -Dconf.file=${RUNTIME_CONFIG_PATH} -Dconf.format=json -Dlog4j.configurationFile=${RUNTIME_LOG4J_PATH} -Djava.net.preferIPv4Stack=true -jar theruntime.jar

Note:
In the example above, server.crt and server.key are injected from the secret.
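The keystore build from step 7 as a small POSIX shell script, added here as an example and not PlainID's own code. It does the same openssl and keytool steps but first checks that the key and certificate belong together (a mismatched pair is the usual reason the pkcs12 export fails at pod start) and passes the password through the environment rather than on the command line, so it is not visible in the process list while the tools run. File paths and the RTCONF_SSL__KEYSTORE_PASSWORD variable are assumed to match the mounts and values from the steps above.

```shell
#!/bin/sh
# Added example (not PlainID's code). Assumes RTCONF_SSL__KEYSTORE_PASSWORD is
# exported, as the Helm values in this article do via extraEnvSecrets.

# Return 0 when the certificate's public key matches the private key, 1 otherwise.
cert_matches_key() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Export key ($1) + certificate ($2) to a PKCS#12 file ($3).
# The password is read from the environment (env:VAR), not from argv.
build_p12() {
  cert_matches_key "$1" "$2" || { echo "server.key does not match server.crt" >&2; return 1; }
  openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
    -password env:RTCONF_SSL__KEYSTORE_PASSWORD
}

# Merge the PKCS#12 file ($1) into the Java keystore ($2) the Runtime reads.
# keytool's ":env" form reads the password from the named variable.
import_p12() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env RTCONF_SSL__KEYSTORE_PASSWORD \
    -destkeystore "$2" -deststorepass:env RTCONF_SSL__KEYSTORE_PASSWORD
}

# Usage inside the pod command, before starting java:
#   build_p12 /app/ssl/server.key /app/ssl/server.crt /tmp/placeholder.p12
#   import_p12 /tmp/placeholder.p12 "$RTCONF_SSL__KEYSTORE_PATH"
```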


Complete Configuration Example

runtime:
  livenessProbe:
    scheme: "HTTPS"
  readinessProbe:
    scheme: "HTTPS"
  extraEnv:
    RTCONF_SSL__IS_HTTPS: "true"
    RTCONF_SSL__KEYSTORE_PATH: "/usr/lib/jvm/default-jvm/lib/security/cacerts"
    RTCONF_SERVICE_MGMT_PORT: "3000"
  extraEnvSecrets:
    RTCONF_SSL__KEYSTORE_PASSWORD: "changeit"
  command:
    - /bin/sh
    - -ec
    - |
      openssl pkcs12 -export -out /tmp/placeholder.p12 -inkey /app/ssl/server.key -in /app/ssl/server.crt -password pass:${RTCONF_SSL__KEYSTORE_PASSWORD}
      keytool -importkeystore -deststorepass ${RTCONF_SSL__KEYSTORE_PASSWORD} -destkeystore ${RTCONF_SSL__KEYSTORE_PATH} -srckeystore /tmp/placeholder.p12 -srcstoretype PKCS12 -srcstorepass ${RTCONF_SSL__KEYSTORE_PASSWORD}
      java ${JVM_OPTS} --add-exports java.base/sun.security.util=ALL-UNNAMED -Dconf.file=${RUNTIME_CONFIG_PATH} -Dconf.format=json -Dlog4j.configurationFile=${RUNTIME_LOG4J_PATH} -Djava.net.preferIPv4Stack=true -jar theruntime.jar
  extraVolumes:
    - name: runtime-ssl-certificate
      secret:
        secretName: runtime-ssl-certificate
  extraVolumeMounts:
    - mountPath: "/app/ssl"
      name: runtime-ssl-certificate
      readOnly: true
  extraManifests:
    - apiVersion: v1
      kind: Secret
      metadata:
        name: runtime-ssl-certificate
        namespace: manual-test
      type: Opaque
      stringData:
        server.key: |
          -----BEGIN PRIVATE KEY-----
...
          -----END PRIVATE KEY-----
        server.crt: |
          -----BEGIN CERTIFICATE-----
...
          -----END CERTIFICATE-----

Enabling SSL for the Runtime secures communication between components and external systems by enforcing HTTPS. Once configured, verify that the Runtime service is accessible through the secure port and that your probes and clients are updated to use HTTPS.

For production environments, always use certificates issued by a trusted Certificate Authority and rotate them periodically to maintain compliance and security best practices.