Articles in this section

See more
Self help
FAQ
["FAQ"]

ITRS Analytics - Update Custom TLS Certificates of ITRS Analytics Admin Console in Embedded Cluster Installations

Avatar
ITRS Support
  • Updated
Follow

Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates through the Admin Console.

Important

Adding the acceptAnonymousUploads annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again. Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk.

 

To upload a new custom TLS certificate in Embedded Cluster installations:

  1. SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:
    sudo ./itrs-analytics shell
    Example:
    [dev@host iax]$ sudo ./itrs-analytics shell

    __4___
 _  \ \ \ \   Welcome to itrs-analytics debug shell.
<'\ /_/_/_/   This terminal is now configured to access your cluster.
 ((____!___/) Type 'exit' (or Ctrl+D) to exit.
  \0\0\0\0\/
 ~~~~~~~~~~~
[dev@host iax]# export KUBECONFIG="/var/lib/embedded-cluster/k0s/pki/admin.conf"
[dev@host iax]# export PATH="$PATH:/var/lib/embedded-cluster/bin"
[dev@host iax]#
     
  2. In the shell, run the following command to restore the ability to upload new TLS certificates by adding the acceptAnonymousUploads annotation:
    kubectl -n kotsadm annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
     
  3. Run the following command to get the name of the kurl-proxy server:
    kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
    Example:
    [dev@host iax]# kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw

  4. Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs.

    kubectl delete pods PROXY_SERVER
    Replace PROXY_SERVER with the name of the kurl-proxy server that you got in the previous step.

    Example:

    [dev@host iax]# kubectl delete pod kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw -n kotsadm
pod "kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw" deleted
  5. After the pod has restarted, go to http://<ip>:30000/tls in your browser and complete the process in the Admin Console to upload a new certificate.

Admin Console TLS screen:

Comments

0 comments

Please sign in to leave a comment.