How can I replace certificates in an ITRS Analytics deployment?
For current KOTS-based ITRS Analytics deployments, TLS certificates are configured in the KOTS Admin Console rather than by manually updating Kubernetes resources.
Note
Beginning with ITRS Analytics version 2.8.x, the legacy manual certificate replacement steps are no longer relevant for KOTS-based deployments. TLS certificates are handled via KOTS.
KOTS-based deployments
For KOTS-based deployments, manage TLS certificates through the KOTS Admin Console instead of manually updating Kubernetes resources.
In the TLS Certificates section of the KOTS Admin Console, you can choose whether to use self-signed certificates or provide your own custom, non-self-signed certificates.
- Self-signed certificates — If you keep the default option, ITRS Analytics automatically generates and manages the certificates.
- Custom ITRS Analytics certificates — To use non-self-signed TLS certificates for ITRS Analytics endpoints, select ITRS Analytics: custom certificates. This displays the certificate and key fields, where you can upload a PEM certificate file and the corresponding private TLS key.
- Custom Linkerd certificates — If Linkerd is enabled and you want to use custom certificates for the service mesh, select Linkerd: custom linkerd certificates. This displays the Linkerd certificate and key fields, where you upload a PEM certificate file and the corresponding private TLS key.
Legacy manual instructions
The following legacy instructions are preserved for record purposes. They do not apply to KOTS-based deployments beginning with ITRS Analytics version 2.8.x, where TLS certificates are handled via KOTS.
Create a new TLS secret
Create a new Kubernetes secret containing your updated TLS certificate and private key. Run:
kubectl create secret tls apps-mysecret-tls --cert=fullchain.pem --key=privkey.pem -n itrs
Migrate from self-signed to signed certificates
- Back up existing secrets and CAs.
kubectl get certificate obcerv-ca -o yaml -n itrs > ~/tmp/cert-old-cert.yaml
kubectl get secret -o yaml obcerv-ca -n itrs > ~/Desktop/cert-old-ca.yaml
kubectl get issuer -o yaml obcerv-issuer -n itrs > ~/Desktop/cert-old-issuer.yaml
- Edit the following in the obcerv.yaml config.
tls:
external:
selfSigned: false
apps:
ingress:
tlsSecret: apps-mysecret-tls
ingestion:
ingress:
tlsSecret: apps-mysecret-tls
- Update the deployment.
helm upgrade -n itrs -f obcerv.yaml obcerv itrs/obcerv --version X.Y.Z
Rotate TLS certificates
- Back up the existing secret.
kubectl get secret -o yaml apps-mysecret-tls -n itrs > old_cert-tls
- Delete the expired secret. Until the next step completes, the ingress references a secret that no longer exists, so run the two steps back to back.
kubectl delete secret apps-mysecret-tls -n itrs
- Create the new secret.
kubectl create secret tls apps-mysecret-tls --cert=fullchain.pem --key=privkey.pem -n itrs
Update ingress TLS certificates without reconfiguration
- Export the ingress definitions for apps and ingestion to YAML files.
kubectl get ingress -o yaml apps -n itrs > apps.yaml
kubectl get ingress -o yaml ingestion -n itrs > ingestion.yaml
- In each YAML file, remove the status section, the ownerReferences section, and the uid, generation, and creationTimestamp keys.
- In the spec section, set secretName to the name of the new secret containing the updated certificate. Leave the hosts entries untouched.
App example:
spec:
tls:
hosts:
- <YOUR APPS ENDPOINT NAME (FQDN)>
secretName: apps-mysecret-tls
Ingestion example:
spec:
tls:
hosts:
- <YOUR INGESTION ENDPOINT NAME (FQDN)>
secretName: apps-mysecret-tls
- Apply the changes to your cluster.
kubectl apply -f apps.yaml -n itrs
kubectl apply -f ingestion.yaml -n itrs
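The legacy steps above (creating the secret, rotating it, and repointing the apps and ingestion ingresses) are easy to get wrong in ways that only show up when a client connects: a key that does not belong to the certificate, a chain file with the intermediates before the leaf, or a window in which the ingress references a deleted secret. The shell script below is an added example, not part of the ITRS documentation or the product; it validates a PEM pair before loading it, replaces the secret in place instead of deleting and recreating it, and changes the ingress with a JSON patch rather than re-applying an exported manifest. It assumes openssl and kubectl on the PATH, the secret name apps-mysecret-tls and namespace itrs used on this page, a single tls entry per ingress (index 0, as in the examples above), and a base64 that accepts -d.

```shell
#!/bin/sh
# Added example (not ITRS code): helpers for the legacy secret/ingress procedure.
# Assumptions: openssl and kubectl on PATH; one tls entry per ingress.

# Number of PEM certificates in a file. A fullchain file should hold the leaf
# first, followed by the intermediates, so it usually contains 2 or more.
cert_chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Succeed only if the leaf certificate (first block in CERT) matches KEY and is
# valid for at least MIN_DAYS more days (default 30). openssl x509 reads only
# the first certificate in the file, which is why the leaf must come first.
check_tls_pair() {
  cert="$1"; key="$2"; min_days="${3:-30}"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot parse certificate: $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot parse private key: $key" >&2; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and private key do not match" >&2; return 1
  fi
  # -checkend fails when the certificate expires within the given number of seconds
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days" >&2; return 1
  fi
  [ "$(cert_chain_length "$cert")" -ge 2 ] \
    || echo "warning: no intermediate certificates in $cert" >&2
  return 0
}

# Create or update the secret in place (instead of delete + create), so the
# ingress never references a missing secret while the rotation is in progress.
upsert_tls_secret() {
  name="$1"; ns="$2"; cert="$3"; key="$4"
  check_tls_pair "$cert" "$key" || return 1
  kubectl create secret tls "$name" --cert="$cert" --key="$key" -n "$ns" \
    --dry-run=client -o yaml | kubectl apply -n "$ns" -f -
}

# Point an existing ingress at a secret by patching only spec.tls[0].secretName.
# This avoids exporting the object and stripping status/uid/resourceVersion.
point_ingress_at_secret() {
  ingress="$1"; ns="$2"; secret="$3"
  kubectl patch ingress "$ingress" -n "$ns" --type=json \
    -p "[{\"op\":\"replace\",\"path\":\"/spec/tls/0/secretName\",\"value\":\"$secret\"}]"
}

# Expiry date of the certificate currently stored in a TLS secret.
secret_cert_enddate() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -enddate
}

# What a client actually receives from the endpoint after the change
# (run this after helm upgrade or after patching the ingresses).
show_served_cert() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# Usage: sh rotate-tls.sh fullchain.pem privkey.pem [secret-name] [namespace]
if [ $# -ge 2 ]; then
  secret="${3:-apps-mysecret-tls}"; ns="${4:-itrs}"
  upsert_tls_secret "$secret" "$ns" "$1" "$2" || exit 1
  for ing in apps ingestion; do point_ingress_at_secret "$ing" "$ns" "$secret"; done
  secret_cert_enddate "$secret" "$ns"
fi
```

The public-key comparison is the check that catches a mismatched key at the earliest possible point; kubectl create secret tls does not verify that the two files belong together. After the ingresses have been patched, show_served_cert against each endpoint FQDN confirms that the new leaf (and its issuer) is what clients now see.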