Merge pull request #5230 from loshan20011/master

himeshsiriwardana · web-flow · commit 0544ef6e4bfc · 2025-04-10T16:33:34.000+05:30
diff --git a/en/identity-server/7.1.0/docs/deploy/deploy-is-in-kubernetes.md b/en/identity-server/7.1.0/docs/deploy/deploy-is-in-kubernetes.md
@@ -0,0 +1 @@
+{% include "../../../../includes/deploy/deploy-is-in-kubernetes.md" %}
diff --git a/en/identity-server/7.1.0/mkdocs.yml b/en/identity-server/7.1.0/mkdocs.yml
@@ -815,6 +815,7 @@ nav:
       - Deploy:
         - Deployment patterns: deploy/deployment-guide.md
         - Deployment checklist: deploy/deployment-checklist.md
+        - Deploy in Kuberenetes: deploy/deploy-is-in-kubernetes.md
         - WSO2 clusters with Nginx: deploy/front-with-the-nginx-load-balancer.md
         - Databases for clustering: deploy/set-up-separate-databases-for-clustering.md
         - Change the hostname: deploy/change-the-hostname.md
diff --git a/en/identity-server/next/docs/deploy/deploy-is-in-kubernetes.md b/en/identity-server/next/docs/deploy/deploy-is-in-kubernetes.md
@@ -0,0 +1 @@
+{% include "../../../../includes/deploy/deploy-is-in-kubernetes.md" %}
diff --git a/en/identity-server/next/mkdocs.yml b/en/identity-server/next/mkdocs.yml
@@ -815,6 +815,7 @@ nav:
       - Deploy:
         - Deployment patterns: deploy/deployment-guide.md
         - Deployment checklist: deploy/deployment-checklist.md
+        - Deploy in Kuberenetes: deploy/deploy-is-in-kubernetes.md
         - WSO2 clusters with Nginx: deploy/front-with-the-nginx-load-balancer.md
         - Databases for clustering: deploy/set-up-separate-databases-for-clustering.md
         - Change the hostname: deploy/change-the-hostname.md
diff --git a/en/includes/deploy/deploy-is-in-kubernetes.md b/en/includes/deploy/deploy-is-in-kubernetes.md
@@ -38,9 +38,55 @@ Ensure that the specified namespace exists or create a new one using the followi
 kubectl get namespace $NAMESPACE || kubectl create namespace $NAMESPACE
 ```
 
+## Create a Kubernetes TLS secret
+
+To enable secure HTTPS communication for your service (e.g., WSO2 Identity Server) within the Kubernetes cluster, you need to provide a TLS certificate and key. Kubernetes uses these to serve traffic over HTTPS using Ingress controllers or other resources that terminate TLS.
+
+If you already have an SSL certificate and its private key (typically in .crt and .key format), you can create a Kubernetes TLS secret using the following command:
+
+```shell
+kubectl create secret tls is-tls \
+--cert=path/to/cert/file \
+--key=path/to/key/file \
+-n $NAMESPACE
+```
+
+- `is-tls` is the name of the secret.
+
+- Replace `path/to/cert/file` and `path/to/key/file` with the actual paths to your certificate and key.
+
+!!! note
+
+    - Ensure that the certificate includes `localhost` as a Subject Alternative Name (SAN) to support B2B related use cases without triggering certification validation errors.
+    - When generating the keystore, use the default password `wso2carbon`.
+
+## Create a Kubernetes secret for Java Keystore files
+
+To support secure communication and cryptographic operations, the deployment requires four Java keystore files. These keystores are mounted into the container and used for tasks such as internal encryption, message signing, TLS, and trust validation.
+
+- **Internal keystore (internal.p12):** Used for encrypting/decrypting internal data.
+- **Primary keystore (primary.p12):** Certificates used for signing messages that are communicated with external parties (such as SAML, OIDC id_token signing).
+- **TLS keystore (tls.p12):** Used for TLS communication.
+- **Client truststore (client-truststore.p12):** Certificates of trusted third parties.
+
+```shell
+kubectl create secret generic keystores \
+--from-file=internal.p12 \
+--from-file=primary.p12 \
+--from-file=tls.p12 \
+--from-file=client-truststore.p12 \
+-n $NAMESPACE
+```
+
+!!! note
+
+    - Make sure to import the public key certificates of all three keystores into the truststore (client-truststore.p12).
+    - To learn how to create these keystores and truststores, refer to [Create New Keystores]({{base_path}}/deploy/security/keystores/create-new-keystores/).
+    - The `tls.p12` file used here should contain the same certificate and key that were used to create the `is-tls` TLS secret above, to ensure consistency in TLS communication.
+
 ## Install the Helm chart
 
-There are two ways to install the {{product_name}} Helm chart. The Helm chart source code can be found in the [kubernets-is repository](https://github.com/wso2/kubernetes-is/tree/master){:target=" _blank"}.
+There are two ways to install the {{product_name}} using the Helm chart. The Helm chart source code can be found in the [kubernetes-is repository](https://github.com/wso2/kubernetes-is/tree/master){:target=" _blank"}.
 
 ### Option 1: Install the chart from the Helm repository
 1. Add the WSO2 Helm chart repository
@@ -54,21 +100,23 @@ There are two ways to install the {{product_name}} Helm chart. The Helm chart so
 2. Install the Helm chart from the Helm repository.
 {% if is_version == "7.0.0" %}
     ```shell
-    helm install "$RELEASE_NAME" wso2/identity-server --version {{is_version}}-2 \
-    -n "$NAMESPACE" \
+    helm install $RELEASE_NAME wso2/identity-server --version {{is_version}}-2 \
+    -n $NAMESPACE \
     --set deployment.image.registry="wso2" \
     --set deployment.image.repository="wso2is" \
     --set deployment.image.tag="{{is_version}}" \
-    --set deployment.apparmor.enabled="false"
+    --set deployment.apparmor.enabled="false" \
+    --set deployment.externalJKS.enabled="true"
     ```
     {% else %}
     ```shell
-    helm install "$RELEASE_NAME" wso2/identity-server --version {{is_version}}-1 \
-    -n "$NAMESPACE" \
+    helm install $RELEASE_NAME wso2/identity-server --version {{is_version}}-1 \
+    -n $NAMESPACE \
     --set deployment.image.registry="wso2" \
     --set deployment.image.repository="wso2is" \
     --set deployment.image.tag="{{is_version}}" \
-    --set deployment.apparmor.enabled="false"
+    --set deployment.apparmor.enabled="false" \
+    --set deployment.externalJKS.enabled="true"
     ```
 {% endif %}
 
@@ -99,11 +147,12 @@ If you prefer to build the chart from the source, follow the steps below:
 2. Install the Helm chart from the cloned repository:
 
     ```shell
-    helm install "$RELEASE_NAME" -n "$NAMESPACE" . \
+    helm install $RELEASE_NAME -n $NAMESPACE . \
     --set deployment.image.registry="wso2" \
     --set deployment.image.repository="wso2is" \
     --set deployment.image.tag="{{is_version}}" \
-    --set deployment.apparmor.enabled="false"
+    --set deployment.apparmor.enabled="false" \
+    --set deployment.externalJKS.enabled="true"
     ```
 
     !!! note "Use a custom docker image"
@@ -114,6 +163,24 @@ If you prefer to build the chart from the source, follow the steps below:
         --set deployment.image.digest=<digest> 
         ```
 
+## (Optional) Change of Keystore passwords
+
+Generate the keystore using the default password "wso2carbon". However, if you have used a different password, update the following configurations accordingly:
+
+```shell
+--set deploymentToml.keystore.internal.fileName="internal.p12" \
+--set deploymentToml.keystore.internal.password="<value>" \
+--set deploymentToml.keystore.internal.keyPassword="<value>" \
+--set deploymentToml.keystore.primary.fileName="primary.p12" \
+--set deploymentToml.keystore.primary.password="<value>" \
+--set deploymentToml.keystore.primary.keyPassword="<value>" \
+--set deploymentToml.keystore.tls.fileName="tls.p12" \
+--set deploymentToml.keystore.tls.password="<value>" \
+--set deploymentToml.keystore.tls.keyPassword="<value>" \
+--set deploymentToml.truststore.fileName="client-truststore.p12" \
+--set deploymentToml.truststore.password="<value>"
+```
+
 ## (Optional) Configure resource limits
 
 By default, WSO2 Identity Server requests and limits the following resources in your Kubernetes cluster:
@@ -153,10 +220,10 @@ If your Kubernetes cluster has limited resources, you can adjust these values wh
 
 ## Obtain the External IP
 
-After deploying WSO2 Identity Server, you need to find its external IP address to access it outside the cluster. Run the following command to list the Ingress resources in your namespace:
+After deploying WSO2 Identity Server, you need to find its external IP address to access it outside the cluster. Run the following command to list the ingress resources in your namespace:
 
 ```shell
-kubectl get ing -n "$NAMESPACE"
+kubectl get ing -n $NAMESPACE
 ```
 
 The output will contain the following columns:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{% include "../../../../includes/deploy/deploy-is-in-kubernetes.md" %}`