edits

Author: paigecalvert

docs/enterprise/embedded-tls-certs.mdx

@@ -0,0 +1,51 @@
+# Updating Custom TLS Certificates in Embedded Cluster Installations
+
+This topic describes how to update custom TLS certificates in Replicated Embedded Cluster installations.
+
+## Overview
+
+For Embedded Cluster installations, the default Replicated KOTS self-signed certificate automatically renews 30 days before the expiration date.
+
+If a custom TLS certificate is used instead, then no renewal is attempted, even if the certificate is expired. In this case, users can manually upload a new custom certificate from the KOTS Admin Console when the certificate expires.
+
+## Update Custom TLS Certificates
+
+:::important
+Adding the `acceptAnonymousUploads` annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again.
+
+Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk.
+:::
+
+To upload a new custom TLS certificate in Embedded Cluster installations:
+
+1. SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:
+
+   ```bash
+   sudo ./APP_SLUG shell
+   ```
+   Where `APP_SLUG` is the unique slug of the installed application.
+
+1. In the shell, run the following command to restore the ability to upload new TLS certificates by adding the `acceptAnonymousUploads` annotation:
+
+   ```bash
+   kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
+   ```
+
+1. Run the following command to get the name of the kurl-proxy server:
+
+   ```bash
+   kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
+   ```
+   :::note
+   This server is named `kurl-proxy`, but is used in both Embedded Cluster and kURL installations.
+   :::
+
+1. Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs.
+
+   ```bash
+   kubectl delete pods PROXY_SERVER
+   ```
+
+   Replace `PROXY_SERVER` with the name of the kurl-proxy server that you got in the previous step.
+
+1. After the pod has restarted, go to `http://<ip>:30000/tls` in your browser and complete the process in the Admin Console to upload a new certificate.

docs/enterprise/updating-embedded.mdx

@@ -4,7 +4,7 @@ import UpdateAirGapOverview from "../partials/embedded-cluster/_update-air-gap-o
 import DoNotDowngrade from "../partials/embedded-cluster/_warning-do-not-downgrade.mdx"
 import Overview from "../partials/embedded-cluster/_update-overview.mdx"
 
-# Performing Updates in Embedded Clusters
+# Performing Updates with Embedded Cluster
 
 This topic describes how to perform updates for [Replicated Embedded Cluster](/vendor/embedded-overview) installations.
 

docs/vendor/embedded-tls-certs.mdx

@@ -243,6 +243,7 @@ const sidebars = {
         },
         'enterprise/embedded-manage-nodes',
         'enterprise/updating-embedded',
+        'enterprise/embedded-tls-certs',
         'vendor/embedded-disaster-recovery',
       ],
     },