TLS / HTTPS

This page shows version v0.0.0 (dev).

Both the AI Optimizer Server (FastAPI/uvicorn) and Client (Streamlit) can be configured to serve over HTTPS instead of plain HTTP.

Server

The server TLS environment variables are documented in the Server section of the Configuration page.

Self-Signed Certificate (Quick Start)

The simplest way to enable HTTPS is to set AIO_SERVER_SSL=true without providing certificate files. The entrypoint will automatically generate a self-signed certificate at startup:

# In .env.dev (or .env.prd, etc.)
AIO_SERVER_SSL=true

This variable can also be exported directly in the shell before running the entrypoint.

Then start the server:

./src/entrypoint.py server

The generated certificate and key are stored in tmp/ssl/ (relative to the src/ directory) and are reused across restarts. A self-signed certificate encrypts the connection but gives clients nothing to authenticate the server against except that one file, so treat it as a development convenience rather than a production setup, and keep the unencrypted tmp/ssl/key.pem out of version control.

User-Provided Certificates

For production or corporate environments where a trusted certificate authority (CA) is available, provide the paths to the certificate and key files:

# In .env.dev (or .env.prd, etc.)
AIO_SERVER_SSL=true
AIO_SERVER_SSL_CERT_FILE=/path/to/cert.pem
AIO_SERVER_SSL_KEY_FILE=/path/to/key.pem

These variables can also be exported directly in the shell before running the entrypoint.

Then start the server:

./src/entrypoint.py server

The certificate file must be PEM-encoded, with the server's own certificate first followed by any intermediate CA certificates in the chain (the order OpenSSL expects); the key file must be the PEM private key that matches that first certificate.
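The following preflight script is an added example, not code from the AI Optimizer project. It checks the certificate and key files described in this section the way OpenSSL will at startup (PEM chain with the leaf first, a single unencrypted key, key matching the leaf), and then shows what a client makes of a self-signed certificate before and after trusting the generated cert.pem, which is the situation behind the browser warning described for the client. It assumes the openssl command-line tool is on PATH; make_self_signed() is the example's own stand-in for the entrypoint's generator, whose exact invocation this page does not give, and the tmp/ssl-style file names are mirrored by assumption.

```python
"""Preflight for the TLS files above. Added example, not AI Optimizer code; it assumes the
`openssl` CLI is on PATH and uses its own generator in place of the entrypoint's."""
import pathlib
import re
import socket
import ssl
import subprocess
import tempfile
import threading

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def make_self_signed(directory, host="localhost"):
    """Write a throwaway self-signed cert.pem/key.pem pair into `directory` (names chosen to
    mirror tmp/ssl/, an assumption). The SAN is what lets a client match the hostname."""
    directory = pathlib.Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    cert, key = directory / "cert.pem", directory / "key.pem"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={host}", "-addext", f"subjectAltName=DNS:{host},IP:127.0.0.1",
         "-keyout", str(key), "-out", str(cert)],
        check=True, capture_output=True)
    return cert, key


def check_cert_files(cert_file, key_file):
    """Catch the mistakes that otherwise surface as an opaque SSL error at startup: a cert
    file that is not a PEM chain with the leaf first, a key file that is not exactly one
    unencrypted private key, or a key that belongs to a different certificate.
    Returns the number of certificates in the chain (1 = leaf only, no intermediates)."""
    labels = PEM_LABEL.findall(pathlib.Path(cert_file).read_text())
    if not labels or any(label != "CERTIFICATE" for label in labels):
        raise ValueError(f"{cert_file}: expected only PEM CERTIFICATE blocks, got {labels}")
    key_text = pathlib.Path(key_file).read_text()
    key_labels = PEM_LABEL.findall(key_text)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY") or "ENCRYPTED" in key_text:
        raise ValueError(f"{key_file}: expected one unencrypted PEM private key, got {key_labels}")
    # OpenSSL pairs the key with the first certificate and raises ssl.SSLError
    # ("key values mismatch") when they do not belong together.
    ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(cert_file), str(key_file))
    return len(labels)


def client_verifies(cert_file, key_file, cafile=None, host="localhost"):
    """Serve one TLS handshake on a loopback port with the given files and connect with a
    client that trusts `cafile` (None = the system trust store, i.e. what a browser has
    before the self-signed certificate is imported). True if the client accepts the server
    certificate, False if verification fails."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(str(cert_file), str(key_file))
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # client aborted the handshake; the verdict is read on the client side
        finally:
            listener.close()

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    client_ctx = ssl.create_default_context(cafile=str(cafile) if cafile else None)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"x")
        return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        worker.join(timeout=5)


def demo():
    """Generate a pair, run every check, and report what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(pathlib.Path(tmp) / "ssl")
        _, other_key = make_self_signed(pathlib.Path(tmp) / "other")
        try:
            check_cert_files(cert, other_key)
            mismatch_caught = False
        except ssl.SSLError:
            mismatch_caught = True
        return {
            "chain_length": check_cert_files(cert, key),
            "mismatch_caught": mismatch_caught,
            "trusted_when_pinned": client_verifies(cert, key, cafile=cert),
            "trusted_by_system_store": client_verifies(cert, key),
        }


if __name__ == "__main__":
    print(demo())
```

Point check_cert_files() at your AIO_SERVER_SSL_CERT_FILE and AIO_SERVER_SSL_KEY_FILE before starting the server; a return value greater than 1 confirms the intermediates were appended after the leaf. The last two results are the practical difference between pinning the generated cert.pem (or a CA-issued chain) and relying on the default trust store.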

Helm Chart

When deploying with the Helm chart, set server.ssl.enabled to true. This automatically sets the AIO_SERVER_SSL environment variable on the pod and switches the health probes to HTTPS.

To use auto-generated self-signed certificates (simplest option):

server:
  ssl:
    enabled: true

To use certificates from a Kubernetes Secret, set certFile/keyFile to the paths at which the Secret's entries will appear inside the container and mount the Secret there:

server:
  ssl:
    enabled: true
    certFile: "/app/tls/cert.pem"
    keyFile: "/app/tls/key.pem"

  volumes:
    - name: tls
      secret:
        secretName: server-tls

  volumeMounts:
    - name: tls
      mountPath: "/app/tls"
      readOnly: true
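A Secret of type kubernetes.io/tls, whether created with `kubectl create secret tls server-tls --cert=/path/to/cert.pem --key=/path/to/key.pem` or issued by cert-manager, stores the files under the keys tls.crt and tls.key, not cert.pem and key.pem, so the mount above would not contain the files certFile/keyFile point at. The values below are an added example, not from the chart's documentation, and assume the chart passes server.volumes through as ordinary pod volumes; they remap the Secret's keys with `items` so the documented certFile/keyFile paths stay valid (setting certFile/keyFile to /app/tls/tls.crt and /app/tls/tls.key instead works just as well):

```yaml
# Added example (not chart documentation): mount a kubernetes.io/tls Secret under the
# file names the chart values above expect. Assumes server.volumes is passed through
# verbatim as pod volumes.
server:
  ssl:
    enabled: true
    certFile: "/app/tls/cert.pem"
    keyFile: "/app/tls/key.pem"

  volumes:
    - name: tls
      secret:
        secretName: server-tls      # e.g. kubectl create secret tls server-tls --cert=... --key=...
        items:
          - key: tls.crt            # leaf certificate (plus intermediates) as stored by the Secret type
            path: cert.pem
          - key: tls.key            # matching private key
            path: key.pem

  volumeMounts:
    - name: tls
      mountPath: "/app/tls"
      readOnly: true
```

After the pod starts, `kubectl exec` into it and list /app/tls to confirm both files are present under the names certFile/keyFile reference; the health probes only switch to HTTPS, they do not check that the certificate is the one you intended.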

Client

The client TLS environment variables are documented in the Client section of the Configuration page.

Self-Signed Certificate (Quick Start)

The simplest way to enable HTTPS is to set AIO_CLIENT_SSL=true without providing certificate files. The entrypoint will automatically generate a self-signed certificate at startup:

# In .env.dev (or .env.prd, etc.)
AIO_CLIENT_SSL=true

This variable can also be exported directly in the shell before running the entrypoint.

Then start the client:

./src/entrypoint.py client

The generated certificate and key are stored in tmp/ssl/ (relative to the src/ directory) and are reused across restarts. As with the server, the self-signed certificate encrypts the connection but gives browsers nothing to authenticate the client against except that one file, so treat it as a development convenience and keep the unencrypted tmp/ssl/key.pem out of version control.

Browser Warning

A self-signed certificate is not issued by a CA the browser trusts, so the browser shows a security warning on first access. Accept the warning for that session, or, for a lasting fix on a development machine, import the generated tmp/ssl/cert.pem into the browser or operating system trust store; because the certificate is reused across restarts, the imported copy stays valid until the files in tmp/ssl/ are regenerated. Do not disable certificate checking in the browser or in any client tooling to get past the warning.

User-Provided Certificates

For production or corporate environments where a trusted certificate authority (CA) is available, provide the paths to the certificate and key files:

# In .env.dev (or .env.prd, etc.)
AIO_CLIENT_SSL=true
AIO_CLIENT_SSL_CERT_FILE=/path/to/cert.pem
AIO_CLIENT_SSL_KEY_FILE=/path/to/key.pem

These variables can also be exported directly in the shell before running the entrypoint.

Then start the client:

./src/entrypoint.py client

The certificate file must be PEM-encoded, with the client's own certificate first followed by any intermediate CA certificates in the chain (the order OpenSSL expects); the key file must be the PEM private key that matches that first certificate.

Helm Chart

When deploying with the Helm chart, set client.ssl.enabled to true. This automatically sets the AIO_CLIENT_SSL environment variable on the pod and switches the health probes to HTTPS.

To use auto-generated self-signed certificates (simplest option):

client:
  ssl:
    enabled: true

To use certificates from a Kubernetes Secret, provide certFile/keyFile paths and mount the Secret into the container:

client:
  ssl:
    enabled: true
    certFile: "/app/tls/cert.pem"
    keyFile: "/app/tls/key.pem"

  volumes:
    - name: tls
      secret:
        secretName: client-tls

  volumeMounts:
    - name: tls
      mountPath: "/app/tls"
      readOnly: true