How can I replace certificates in an ITRS Analytics deployment?

Replacing certificates in an ITRS Analytics deployment within Kubernetes covers three cases: initially configuring signed certificates, replacing certificates due to expiration, and updating the ingress certificates with a method that avoids full reconfiguration.

Create a new TLS secret

Create a new Kubernetes secret containing your updated TLS certificate and private key. Run:

kubectl create secret tls apps-mysecret-tls --cert=fullchain.pem --key=privkey.pem -n itrs

Migrate from self-signed to signed certificates

  1. Back up existing secrets and CAs.
kubectl get certificate obcerv-ca -o yaml -n itrs > ~/tmp/cert-old-cert.yaml
kubectl get secret -o yaml obcerv-ca -n itrs > ~/Desktop/cert-old-ca.yaml
kubectl get issuer -o yaml obcerv-issuer -n itrs > ~/Desktop/cert-old-issuer.yaml
  2. Edit the following in the obcerv.yaml config.
tls:
  external:
    selfSigned: false
apps:
  ingress:
    tlsSecret: apps-mysecret-tls
ingestion:
  ingress:
    tlsSecret: apps-mysecret-tls
  3. Update the deployment.
helm upgrade -n itrs -f obcerv.yaml obcerv itrs/obcerv --version X.Y.Z

Rotate TLS certificates

  1. Back up the existing secret.
kubectl get secret -o yaml apps-mysecret-tls -n itrs > old_cert-tls
  2. Delete the expired secret.
kubectl delete secret apps-mysecret-tls -n itrs
  3. Create the new secret.
kubectl create secret tls apps-mysecret-tls --cert=fullchain.pem --key=privkey.pem -n itrs
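
Before the live secret is deleted, it is worth confirming that the new files are usable. The script below is an added example, not part of the ITRS documentation: it checks that privkey.pem matches the leaf certificate in fullchain.pem and that the certificate is not about to expire, then runs the three rotation steps. The 7-day minimum validity and the --apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks before replacing apps-mysecret-tls.
# File names, secret name and namespace are the ones used on this page;
# the 7-day minimum validity is an assumed threshold.

# True when the first (leaf) certificate in $1 carries the public key of $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the leaf certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Both checks together; $3 is the minimum remaining validity in days.
preflight() {
    cert_matches_key "$1" "$2" ||
        { echo "certificate and key do not match" >&2; return 1; }
    cert_valid_for_days "$1" "${3:-7}" ||
        { echo "certificate expires too soon" >&2; return 1; }
}

# The three rotation steps, run only if the new pair passes the checks.
rotate_secret() {
    preflight fullchain.pem privkey.pem || return 1
    ( umask 077   # the backup file contains the old private key
      kubectl get secret -o yaml apps-mysecret-tls -n itrs > old_cert-tls
    ) || return 1
    kubectl delete secret apps-mysecret-tls -n itrs &&
    kubectl create secret tls apps-mysecret-tls \
        --cert=fullchain.pem --key=privkey.pem -n itrs
}

# Touch the cluster only when asked to, e.g.: sh rotate.sh --apply
if [ "${1:-}" = "--apply" ]; then rotate_secret; fi
```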

Update ingress TLS certificates without reconfiguration

  1. Extract the ingress definitions for apps and ingestion into yaml files.
kubectl get ingress -o yaml apps -n itrs > apps.yaml
kubectl get ingress -o yaml ingestion -n itrs > ingestion.yaml
  2. Modify the yaml files and remove the following:
  3. In the spec section, update the secret name to match the name of the new secret containing the updated certificate. Leave the hosts entries untouched.

App example:

spec:
  tls:
    # spec.tls is a list of entries; each entry pairs hosts with a secretName
    - hosts:
        - <YOUR INGESTION ENDPOINT NAME (FQDN)>
      secretName: apps-mysecret-tls

Ingestion example:

spec:
  tls:
    # spec.tls is a list of entries; each entry pairs hosts with a secretName
    - hosts:
        - <YOUR INGESTION ENDPOINT NAME (FQDN)>
      secretName: apps-mysecret-tls
  4. Apply the changes to your cluster.
kubectl apply -f apps.yaml -n itrs
kubectl apply -f ingestion.yaml -n itrs