Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates through the Admin Console.
Important: Adding the acceptAnonymousUploads annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again. Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk.
To upload a new custom TLS certificate in Embedded Cluster installations:
- SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:
sudo ./itrs-analytics shell
Example:
[dev@host iax]$ sudo ./itrs-analytics shell
    __4___
 _  \ \ \ \   Welcome to itrs-analytics debug shell.
<'\ /_/_/_/   This terminal is now configured to access your cluster.
 ((____!___/) Type 'exit' (or Ctrl+D) to exit.
  \0\0\0\0\/
~~~~~~~~~~~
[dev@host iax]# export KUBECONFIG="/var/lib/embedded-cluster/k0s/pki/admin.conf"
[dev@host iax]# export PATH="$PATH:/var/lib/embedded-cluster/bin"
[dev@host iax]#
- In the shell, run the following command to restore the ability to upload new TLS certificates by adding the acceptAnonymousUploads annotation:
kubectl -n kotsadm annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
- Run the following command to get the name of the kurl-proxy server:
kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
Example:
[dev@host iax]# kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw
- Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs.
kubectl -n kotsadm delete pods PROXY_SERVER
Replace PROXY_SERVER with the name of the kurl-proxy server that you got in the previous step. The pod lives in the kotsadm namespace, so the -n kotsadm flag is required (without it kubectl looks in the default namespace and reports that the pod is not found).
Example:
[dev@host iax]# kubectl delete pod kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw -n kotsadm
pod "kurl-proxy-kotsadm-6bfbbbb5c5-8n2mw" deleted
- After the pod has restarted, go to http://<ip>:30000/tls in your browser and complete the process in the Admin Console to upload a new certificate.
Admin Console TLS screen:
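Because the annotation leaves the upload endpoint open until a certificate is uploaded, it helps to bound that window mechanically. The following script is an added example (not from the original page and not part of Replicated's or ITRS's tooling): it runs the steps above from the debug shell, waits for the replacement kurl-proxy pod to become Ready, then polls the kotsadm-tls secret until the annotation is gone and removes it itself if no upload has happened within WAIT_SECS. It assumes KUBECONFIG and PATH are exported as in the shell example above, that the kurl-proxy Deployment recreates the pod under a new name, and that removing the annotation is honoured after a pod restart in the same way adding it is.

```shell
#!/bin/sh
# Added example; not from the original page or from Replicated/ITRS tooling.
# Assumes KUBECONFIG and PATH are exported as in the debug-shell example.
set -eu
NS=kotsadm; SECRET=kotsadm-tls; ANN=acceptAnonymousUploads
WAIT_SECS="${WAIT_SECS:-600}"   # assumed bound on how long the window may stay open
# Pod name from "kubectl get pods -A" output (namespace in $1, name in $2).
proxy_pod_name() { awk '$2 ~ /^kurl-proxy/ { print $2; exit }'; }

# Reads the annotation value printed by kubectl and reports the window state.
window_state() {
  if [ "$(cat)" = 1 ]; then echo open; else echo closed; fi
}

current_state() {
  kubectl -n "$NS" get secret "$SECRET" \
    -o jsonpath="{.metadata.annotations.$ANN}" | window_state
}

restart_proxy() {                 # the Deployment recreates the pod under a new name
  old=$(kubectl get pods -A | proxy_pod_name)
  [ -n "$old" ] || { echo "kurl-proxy pod not found" >&2; exit 1; }
  kubectl -n "$NS" delete pod "$old"
  new=$old
  for _ in $(seq 1 60); do        # poll up to ~2 min for the replacement pod
    new=$(kubectl get pods -A | proxy_pod_name)
    [ -n "$new" ] && [ "$new" != "$old" ] && break; sleep 2
  done
  kubectl -n "$NS" wait --for=condition=Ready "pod/$new" --timeout=120s
}

main() {
  kubectl -n "$NS" annotate secret "$SECRET" "$ANN=1" --overwrite
  restart_proxy
  echo "Window open: upload the certificate at http://<ip>:30000/tls"
  elapsed=0
  while [ "$(current_state)" = open ]; do
    if [ "$elapsed" -ge "$WAIT_SECS" ]; then
      echo "WARNING: $ANN still set after ${WAIT_SECS}s; removing it" >&2
      # Assumption: removal takes effect after a pod restart, like addition.
      kubectl -n "$NS" annotate secret "$SECRET" "$ANN-"
      restart_proxy
      exit 1
    fi
    sleep 10; elapsed=$((elapsed + 10))
  done
  echo "Annotation removed: anonymous upload window is closed."
}

case "${1:-}" in run) main ;; esac
```

Run it from the debug shell as `sh upload-window.sh run`; without the `run` argument it only defines the functions, so the helpers can be checked against captured kubectl output.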