Skip to content

Add docs for updating tls certs in EC installs #2995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jan 31, 2025
Merged

Add docs for updating tls certs in EC installs #2995

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
11a4f2f
Add steps for updating tls certs in ec clusters
paigecalvert Jan 23, 2025
80e4954
edits
paigecalvert Jan 24, 2025
11cf14e
undo unrelated change
paigecalvert Jan 24, 2025
0eb80ca
updated ns
paigecalvert Jan 27, 2025
52d9071
remove overview
paigecalvert Jan 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions docs/enterprise/embedded-tls-certs.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Updating Custom TLS Certificates in Embedded Cluster Installations

This topic describes how to update custom TLS certificates in Replicated Embedded Cluster installations.

## Update Custom TLS Certificates

Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates through the Admin Console.

:::important
Adding the `acceptAnonymousUploads` annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again.

Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk.
:::

To upload a new custom TLS certificate in Embedded Cluster installations:

1. SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:

```bash
sudo ./APP_SLUG shell
```
Where `APP_SLUG` is the unique slug of the installed application.

1. In the shell, run the following command to restore the ability to upload new TLS certificates by adding the `acceptAnonymousUploads` annotation:

```bash
kubectl -n kotsadm annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
```

1. Run the following command to get the name of the kurl-proxy server:

```bash
kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
```
:::note
This server is named `kurl-proxy`, but is used in both Embedded Cluster and kURL installations.
:::

1. Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs.

```bash
kubectl delete pods PROXY_SERVER
```

Replace `PROXY_SERVER` with the name of the kurl-proxy server that you got in the previous step.

1. After the pod has restarted, go to `http://<ip>:30000/tls` in your browser and complete the process in the Admin Console to upload a new certificate.
1 change: 1 addition & 0 deletions sidebars.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,7 @@ const sidebars = {
},
'enterprise/embedded-manage-nodes',
'enterprise/updating-embedded',
'enterprise/embedded-tls-certs',
'vendor/embedded-disaster-recovery',
],
},
Expand Down