Updating Custom TLS Certificates in Embedded Cluster Installations
This topic describes how to update custom TLS certificates in Replicated Embedded Cluster installations.
Update Custom TLS Certificates
Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates through the Admin Console.
Adding the acceptAnonymousUploads annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again.
Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk.
To upload a new custom TLS certificate in Embedded Cluster installations:
-
SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:
sudo ./APP_SLUG shellWhere
APP_SLUGis the unique slug of the installed application. -
In the shell, run the following command to restore the ability to upload new TLS certificates by adding the
acceptAnonymousUploadsannotation:kubectl -n kotsadm annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite -
Run the following command to get the name of the kurl-proxy server:
kubectl get pods -A | grep kurl-proxy | awk '{print $2}'noteThis server is named
kurl-proxy, but is used in both Embedded Cluster and kURL installations. -
Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs.
kubectl delete pods PROXY_SERVERReplace
PROXY_SERVERwith the name of the kurl-proxy server that you got in the previous step. -
After the pod has restarted, go to
http://<ip>:30000/tlsin your browser and complete the process in the Admin Console to upload a new certificate.