Merge pull request #2995 from replicatedhq/118932

paigecalvert · web-flow · commit 08a9fa28e276 · 2025-01-31T13:32:10.000-07:00
Add docs for updating tls certs in EC installs
diff --git a/docs/enterprise/embedded-tls-certs.mdx b/docs/enterprise/embedded-tls-certs.mdx
@@ -0,0 +1,47 @@
+# Updating Custom TLS Certificates in Embedded Cluster Installations
+
+This topic describes how to update custom TLS certificates in Replicated Embedded Cluster installations.
+
+## Update Custom TLS Certificates
+
+Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates through the Admin Console.
+
+:::important
+Adding the `acceptAnonymousUploads` annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again.
+
+Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk.
+:::
+
+To upload a new custom TLS certificate in Embedded Cluster installations:
+
+1. SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:
+
+   ```bash
+   sudo ./APP_SLUG shell
+   ```
+   Where `APP_SLUG` is the unique slug of the installed application.
+
+1. In the shell, run the following command to restore the ability to upload new TLS certificates by adding the `acceptAnonymousUploads` annotation:
+
+   ```bash
+   kubectl -n kotsadm annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
+   ```
+
+1. Run the following command to get the name of the kurl-proxy server:
+
+   ```bash
+   kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
+   ```
+   :::note
+   This server is named `kurl-proxy`, but is used in both Embedded Cluster and kURL installations.
+   :::
+
+1. Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs.
+
+   ```bash
+   kubectl delete pods PROXY_SERVER
+   ```
+
+   Replace `PROXY_SERVER` with the name of the kurl-proxy server that you got in the previous step.
+
+1. After the pod has restarted, go to `http://<ip>:30000/tls` in your browser and complete the process in the Admin Console to upload a new certificate.
diff --git a/sidebars.js b/sidebars.js
@@ -245,6 +245,7 @@ const sidebars = {
         },
         'enterprise/embedded-manage-nodes',
         'enterprise/updating-embedded',
+        'enterprise/embedded-tls-certs',
         'vendor/embedded-disaster-recovery',
       ],
     },
