Prerequisites
Hardware requirements
Standard deployments require a cluster of three nodes. Each node serves as both a controlling node and a worker node. Minimum hardware requirements for each node in the cluster are:
CPU: 8
RAM: 32 GB
Processor speed: 2.5 GHz+
Hard disk: 100 GB+
MariaDB
An open-source relational database. Download the latest version at https://mariadb.com/kb/en/what-is-mariadb-106/.
Version 10.6
If using a Galera cluster, DigiCert recommends using MaxScale to connect.
Docker
Docker Community Edition
Version 20.x
Configure HTTP proxies (optional)
Internet access is required during installation. If your servers require a proxy to reach the internet, the proxy settings need to be configured in three different places:
Yum
If using yum to install Docker, yum will need to be configured to use an HTTP proxy. Reference: https://www.linuxtechi.com/proxy-settings-yum-command-on-rhel-centos-servers/
Helm
Helm requires the standard operating system HTTP proxy environment variables to be defined on the servers. You can follow these links for details on how to set up the environment variables:
Docker
Docker must be configured to use a proxy. Reference: https://docs.docker.com/config/daemon/systemd/#httphttps-proxy
Tip
Ensure that the variables are set up permanently (for example, by adding them to the .bashrc file of the user created in the Add SSH Key step), not just for the logged-in session.
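The following shell function is an added example, not part of the DigiCert ONE documentation: it renders all three proxy locations described above (yum, the Docker daemon's systemd drop-in, and the persistent shell environment that Helm and RKE pick up) from a single proxy URL, so the three settings cannot drift apart. The proxy URL, the NO_PROXY list, the home directory and the staging root are assumed values; rendering into a staging directory lets you inspect the files before copying them into place.

```shell
#!/bin/sh
# Added example (not DigiCert's code). Renders the three proxy configurations
# the prerequisites require into $root, which can be "" for the live system
# or a staging directory such as /tmp/stage. All values are assumptions.
render_proxy_config() {
    root=$1      # staging root ("" writes directly under /)
    proxy=$2     # e.g. http://proxy.example.internal:3128 (assumed)
    no_proxy=$3  # node IPs, cluster CIDRs, localhost: traffic that must bypass the proxy
    home=$4      # home directory of the deployment user, e.g. /home/deploy (assumed)

    # 1. yum: a single proxy= line in yum.conf (replace any earlier one)
    yum_conf="$root/etc/yum.conf"
    mkdir -p "$(dirname "$yum_conf")"
    if [ -f "$yum_conf" ]; then
        grep -v '^proxy=' "$yum_conf" > "$yum_conf.tmp" || true
        mv "$yum_conf.tmp" "$yum_conf"
    fi
    printf 'proxy=%s\n' "$proxy" >> "$yum_conf"

    # 2. Docker daemon: systemd drop-in read by dockerd itself (not by containers)
    dropin_dir="$root/etc/systemd/system/docker.service.d"
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$no_proxy"
EOF

    # 3. Shell environment for helm/rke: persistent in .bashrc, both spellings,
    #    appended only once so repeated runs do not duplicate the exports
    bashrc="$root$home/.bashrc"
    mkdir -p "$(dirname "$bashrc")"
    if ! grep -qF "HTTP_PROXY=$proxy" "$bashrc" 2>/dev/null; then
        cat >> "$bashrc" <<EOF
export http_proxy=$proxy https_proxy=$proxy no_proxy=$no_proxy
export HTTP_PROXY=$proxy HTTPS_PROXY=$proxy NO_PROXY=$no_proxy
EOF
    fi
}

# Consistency check: how many of the three locations reference the proxy URL (expect 3)
count_proxy_refs() {
    root=$1; proxy=$2; home=$3
    grep -lF "$proxy" "$root/etc/yum.conf" \
        "$root/etc/systemd/system/docker.service.d/http-proxy.conf" \
        "$root$home/.bashrc" 2>/dev/null | wc -l | tr -d ' '
}
```

Remember to run `systemctl daemon-reload` and restart Docker after placing the drop-in, and to include the cluster nodes' own addresses in NO_PROXY so node-to-node Kubernetes traffic is not sent through the proxy.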
URLs
You must have access to these URLs from DigiCert ONE:
https://storage.googleapis.com
https://k8s.io
https://Kubernetes.io
https://rancher.com
https://helm.sh
https://github.com
Client workstation
A client workstation is required to install, configure, and deploy applications on the target virtual machines.
We recommend using Linux, though MacOS Mojave is supported.
Linux (CentOS Linux 7 x86_64, RHEL 8, or Ubuntu 10 recommended)
MacOS Mojave
Windows (using Cygwin)
To install, configure, and deploy applications on a Kubernetes cluster, you must install three client tools on the client computer. Download the appropriate tools for the chosen client workstation platform.
Kubernetes
A command-line tool for running commands against Kubernetes clusters.
Helm
A command-line tool for installing applications in Kubernetes clusters.
Install v3.x
Installation - https://helm.sh/docs/intro/install/
Rancher Kubernetes Engine (RKE)
Command-line tool for installing Rancher Kubernetes Engine (RKE). Each version of RKE supports a specific list of Kubernetes versions; use the RKE version that supports Kubernetes version <= 1.21.x.
RKE versions: https://github.com/rancher/rke/releases
RKE Kubernetes Installation instructions: https://rancher.com/docs/rke/latest/en/installation/
Ports
For all DigiCert ONE configurations, you must open these ports:
Port 80: For HTTP (unencrypted traffic)
Port 443: For HTTPS (encrypted traffic)
Other ports you need to open depend on how you have configured RKE, MariaDB, and other DigiCert ONE dependencies. For more information, refer to the product documentation for these services.
DNS entries
This table describes the DNS entries you need to configure to allow access to DigiCert ONE services.
All DNS entries* should be set to be either external (if your instance of DigiCert ONE is meant to be publicly available on the internet) or internal (if you are installing DigiCert ONE in an isolated, air-gapped network).
DNS entry | Example | Description |
---|---|---|
<your_domain> | one.digicert.com | Main FQDN to access your DigiCert ONE installation. |
clientauth.<your_domain> | clientauth.one.digicert.com | FQDN for client certificate authentication. |
crl.<your_domain> | crl.one.digicert.com | FQDN used by the DigiCert ONE certificate revocation list (CRL) service. |
ocsp.<your_domain> | ocsp.one.digicert.com | FQDN used by the DigiCert ONE online certificate status protocol (OCSP) service. |
cacerts.<your_domain> | cacerts.one.digicert.com | FQDN used by the DigiCert ONE Authority Information Access (AIA) service. |
mgmt.<your_domain>* | mgmt.one.digicert.com | Optional. FQDN for RKE Manager. |
maxscale-mgmt.<your_domain>* | maxscale-mgmt.<your_domain> | Optional. FQDN for MariaDB MaxScale GUI dashboard. |
Note
The DNS entries for mgmt.<your_domain> and maxscale-mgmt.<your_domain> should always be set to be internal.