diff --git a/docs/tutorials/2.devops/1.configuration/0.configuration-guide.md b/docs/tutorials/2.devops/1.configuration/0.configuration-guide.md index b827b1a65..912731c9a 100644 --- a/docs/tutorials/2.devops/1.configuration/0.configuration-guide.md +++ b/docs/tutorials/2.devops/1.configuration/0.configuration-guide.md 
@@ -22,12 +22,48 @@ This instruction assumes that you are installing and configuring applications us ## General method of configuration -AI DIAL helm chart contains various applications, and, to configure them, it is necessary to make corresponding changes to different sections of the **values** file. +DIAL helm chart contains various applications, and, to configure them, it is necessary to make corresponding changes to different sections of the **values** file. -To add environment variables to AI DIAL application, you can use either `env` or `secrets` section in specific components, e.g `core.env`, `openai.secrets` +To add environment variables to a DIAL application, you can use either `env` or `secrets` section in specific components, e.g `core.env`, `openai.secrets` > Refer to the [helm chart repository](https://github.com/epam/ai-dial-helm/tree/main/charts/dial/examples) to view selected configuration examples. +### Enabling Support for Private Certificate Authority or Self-Signed Certificate + +Java-based and NodeJS-based DIAL components require different configurations to support private CA or self-signed certificates. + +#### NodeJS-based components + +For DIAL frontend components such as [DIAL Chat](https://github.com/epam/ai-dial-chat/blob/development/apps/chat/README.md) or [DIAL Admin frontend](https://github.com/epam/ai-dial-admin-frontend), set the `NODE_TLS_REJECT_UNAUTHORIZED` environment variable to allow connections to servers with self-signed or private CA certificates: + +```bash +NODE_TLS_REJECT_UNAUTHORIZED: 0 +``` +> **Warning**: Setting `NODE_TLS_REJECT_UNAUTHORIZED=0` disables certificate validation for all outgoing HTTPS requests. Use this setting only in trusted environments, such as development or testing, as it introduces security risks in production. 
+ +#### Java-based components + +This configuration applies to Java-based components such as [DIAL Core](https://github.com/epam/ai-dial-core), [DIAL Admin backend](https://github.com/epam/ai-dial-admin-backend), or any component using the `eclipse-temurin` Docker image as a base. This image includes a script to enable the use of self-signed or private CA certificates. + +To enable support for self-signed or private CA certificates: + +* Set the `USE_SYSTEM_CA_CERTS` environment variable to `true`. +* Mount your private certificate(s) into the `/certificates` directory inside the container. + +Example Docker Compose configuration for DIAL Admin backend: + +```bash +admin-backend: + image: ghcr.io/epam/ai-dial-admin-backend:latest + environment: + [redacted] + USE_SYSTEM_CA_CERTS: true + volumes: + /opt/ssl/YOUR_NON_PUBLIC_CERTIFICATE.crt:/certificates/YOUR_NON_PUBLIC_CERTIFICATE.crt +``` + +> **Note**: Replace `YOUR_NON_PUBLIC_CERTIFICATE.crt` with the actual filename of your certificate. Ensure that the certificate file(s) you mount are in PEM (Privacy Enhanced Mail) format (`.crt`). Multiple certificates can be mounted if needed. + ## Core Parameters > Refer to the [AI DIAL Core](https://github.com/epam/ai-dial-core) to view a complete documentation.
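Review bot: In the "NodeJS-based components" section, `NODE_TLS_REJECT_UNAUTHORIZED: 0` does not add trust for a private CA; as the warning itself says, it disables certificate validation for all outgoing HTTPS requests, so the section title promises more than the setting delivers. Node.js supports `NODE_EXTRA_CA_CERTS`, which takes the path to a PEM file of additional CA certificates. Documenting that as the primary option, with the certificate mounted the same way as in the Java example, would keep validation on and give both component types the same security posture, with `NODE_TLS_REJECT_UNAUTHORIZED` left as a development-only fallback. Two smaller points in the same hunk: the `volumes:` entry in the Docker Compose example is missing the leading `- ` that makes it a list item, and both snippets are fenced as `bash` although they are YAML. The note also equates PEM format with the `.crt` extension, which does not by itself indicate the encoding; suggest telling readers to check that the file contains a `-----BEGIN CERTIFICATE-----` block.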