How to Manage Certificates and HTTPS in Kubernetes Deployments of FME Flow

Introduction

When FME Flow (formerly FME Server) is deployed with Kubernetes it comes with a self signed certificate by default.

This is not recommended in production workflows, and many organizations will want to use their own certificate. There are two options for doing this:

1. Deploying FME Flow in Kubernetes with a Custom Certificate
2. Using a Third-party Load Balancer with TLS Termination

Deploying FME Flow in Kubernetes with a Custom Certificate

Our documentation provides instructions on uploading the certificate to the cluster and referencing it in the helm install command.

Note: We do not manage the certificate manager directly for customers, however, for the order of things to deploy/install, the nginx-ingress should be deployed first, then the cert-manager and then the issuer. Once all that is running, then FME Flow should be deployed last. The cert-manager and issuer are all done separately from deploying FME Flow.

Using a Third-party Load Balancer with TLS Termination

Customers may wish to use their own load balancer on top of the Kubernetes cluster. In this case, they may want FME Flow to be installed without SSL. The certificate will terminate at the load balancer.

To do this, the parameter deployment.disableTLS can be set to ‘true’ (the default value is false). The list of parameters and default values is on GitHub.