How do I update custom TLS certificates for the Admin Console in Embedded Cluster installations?

In Embedded Cluster installations, you can provide custom TLS certificates during installation and update them later through the Admin Console. To upload a replacement certificate, you must temporarily enable anonymous TLS uploads on the cluster using kubectl.

Caution

Adding the acceptAnonymousUploads annotation temporarily allows unauthorized TLS certificate uploads to the Admin Console. Once the new certificate is uploaded, this exposure is closed again. Complete the upload process quickly to minimize the security risk.

Procedure

  1. SSH to a controller node where Embedded Cluster is installed. Run the following command to open a shell with kubectl access:

    sudo ./itrs-analytics shell
    

    Example:

    [dev@host iax]$ sudo ./itrs-analytics shell
    
        __4___
     _  \ \ \ \   Welcome to itrs-analytics debug shell.
    <'\ /_/_/_/   This terminal is now configured to access your cluster.
     ((____!___/) Type 'exit' (or Ctrl+D) to exit.
      \0\0\0\0\/
     ~~~~~~~~~~~
    [dev@host iax]# export KUBECONFIG="/var/lib/embedded-cluster/k0s/pki/admin.conf"
    [dev@host iax]# export PATH="$PATH:/var/lib/embedded-cluster/bin"
    [dev@host iax]#
    
  2. In the shell, add the acceptAnonymousUploads annotation to re-enable TLS certificate uploads:

    kubectl -n kotsadm annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
    
  3. Get the name of the kurl-proxy pod:

    kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
    

    Example:

    [dev@host iax]# kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
    kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw
    
  4. Delete the kurl-proxy pod so it restarts and picks up the annotation. Kubernetes recreates the pod automatically.

    kubectl delete pod PROXY_SERVER -n kotsadm
    

    Replace PROXY_SERVER with the pod name from the previous step.

    Example:

    [dev@host iax]# kubectl delete pod kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw -n kotsadm
    pod "kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw" deleted
    
  5. After the pod restarts, open http://<ip>:30000/tls in your browser. Replace <ip> with the IP address of your controller node, then complete the certificate upload in the Admin Console.
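
After the upload in step 5, the window described in the caution should be closed. The script below is an added example, not part of the ITRS documentation: run from the debug shell, it polls the kotsadm-tls secret and reports whether the acceptAnonymousUploads annotation is still set. The file name, the 600-second default, and treating any non-empty annotation value as open are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): confirm the anonymous TLS upload window
# opened in step 2 is closed again once the certificate has been uploaded.
# Assumption: any non-empty acceptAnonymousUploads annotation on the
# kotsadm-tls secret means the window is open (fail-safe reading).

NAMESPACE="kotsadm"
SECRET="kotsadm-tls"

# Print the annotation value; prints nothing when the annotation is absent.
get_upload_annotation() {
    kubectl -n "$NAMESPACE" get secret "$SECRET" \
        -o jsonpath='{.metadata.annotations.acceptAnonymousUploads}'
}

# Map an annotation value to OPEN or CLOSED.
classify_upload_window() {
    if [ -n "$1" ]; then echo "OPEN"; else echo "CLOSED"; fi
}

# Poll until the window closes. $1 = deadline (s), $2 = poll interval (s).
# Returns 0 = closed, 1 = still open at the deadline, 2 = kubectl failed.
wait_for_window_closed() {
    deadline=$1; interval=$2; waited=0
    while :; do
        value=$(get_upload_annotation) || return 2
        [ "$(classify_upload_window "$value")" = "CLOSED" ] && return 0
        [ "$waited" -ge "$deadline" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Run as: sh check-upload-window.sh check [deadline_seconds]
# (check-upload-window.sh is a hypothetical file name.)
if [ "${1:-}" = "check" ]; then
    rc=0
    wait_for_window_closed "${2:-600}" 10 || rc=$?
    case "$rc" in
        0) echo "OK: anonymous TLS uploads are closed" ;;
        1) echo "WARNING: acceptAnonymousUploads is still set on $SECRET" >&2 ;;
        *) echo "ERROR: could not read secret $SECRET in $NAMESPACE" >&2 ;;
    esac
    exit "$rc"
fi
```

A non-zero exit status makes the script usable as a gate in a change checklist: status 1 means the annotation outlived the deadline and the secret needs attention.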
