Create a new self-signed certificate for authentication with Vespa Cloud data plane
Create a new self-signed certificate for authentication with Vespa Cloud data plane.
The private key and certificate will be stored in the Vespa CLI home directory (see 'vespa help config'). Other commands will then automatically load the certificate as necessary. The certificate will be added to your application package specified as an argument to this command (default '.').
It's possible to override the private key and certificate used through environment variables. This can be useful in continuous integration systems.
It's also possible override the CA certificate which can be useful when using self-signed certificates with a self-hosted Vespa service. See https://docs.vespa.ai/en/operations-selfhosted/mtls.html for more information.
Example of setting the CA certificate, certificate and key in-line:
export VESPA_CLI_DATA_PLANE_CA_CERT="my CA cert"
export VESPA_CLI_DATA_PLANE_CERT="my cert"
export VESPA_CLI_DATA_PLANE_KEY="my private key"
Example of loading CA certificate, certificate and key from custom paths:
export VESPA_CLI_DATA_PLANE_CA_CERT_FILE=/path/to/cacert
export VESPA_CLI_DATA_PLANE_CERT_FILE=/path/to/cert
export VESPA_CLI_DATA_PLANE_KEY_FILE=/path/to/key
Example of disabling verification of the server's certificate chain and hostname:
export VESPA_CLI_DATA_PLANE_TRUST_ALL=true
Note that when overriding key pair through environment variables, that key pair will always be used for all applications. It's not possible to specify an application-specific key.
See https://cloud.vespa.ai/en/security/guide for more details.
vespa auth cert [flags]
$ vespa auth cert
$ vespa auth cert -a my-tenant.my-app.my-instance
$ vespa auth cert -a my-tenant.my-app.my-instance path/to/application/package
-f, --force Force overwrite of existing certificate and private key
-h, --help help for cert
-N, --no-add Do not add certificate to the application package
-a, --application string The application to use (cloud only)
-C, --cluster string The container cluster to use. This is only required for applications with multiple clusters
-c, --color string Whether to use colors in output. Must be "auto", "never", or "always" (default "auto")
-i, --instance string The instance of the application to use (cloud only)
-q, --quiet Print only errors
-t, --target string The target platform to use. Must be "local", "cloud", "hosted" or an URL (default "local")
-z, --zone string The zone to use. This defaults to a dev zone (cloud only)