Deploy non-self-signed TLS certificates for production usage
Important
This information refers to the previous helm install method for the ITRS Analytics Platform. If you are looking to install using the more streamlined Kubernetes Off-the-Shelf (KOTS) method, see the updated installation overview.
A typical reconfiguration scenario involves transitioning ITRS Analytics ingresses from using self-signed to non-self-signed TLS certificates before rolling out to production.
Before performing the steps below, it is assumed that you have already installed an ITRS Analytics instance and configured it to use cert-manager to generate self-signed certificates.
- Confirm that your Ingresses are currently using self-signed certificates.
Assuming your DNS names are set up as follows:
apps:
  externalHostname: www.obcerv.local
ingestion:
  externalHostname: ingestion.obcerv.local
Run the following commands to verify that you are currently using self-signed certificates (the -k flag is needed because curl does not trust the self-signed issuer):
%> curl -vk https://www.obcerv.local
%> curl -vk https://www.obcerv.local/auth
%> curl -vk https://ingestion.obcerv.local
Check that the output contains lines similar to these, with an issuer that is not a public or corporate CA:
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Apr 4 11:00:06 2023 GMT
*  expire date: Apr 3 11:00:06 2024 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
- Create a new TLS secret of type kubernetes.io/tls in the namespace where ITRS Analytics is installed. The certificate file must contain the full chain, with the server (leaf) certificate first, followed by any intermediates:
%> kubectl create secret tls my-secret --cert=<full chain PEM file> --key=<private key PEM file> -n <namespace>
- Edit the configuration (the values file passed to helm, obcerv.yaml in the example below) to disable self-signed certificates and reference the new secret from both ingresses:
tls:
  external:
    selfSigned: false
apps:
  ingress:
    tlsSecret: my-secret
ingestion:
  ingress:
    tlsSecret: my-secret
- Back up the existing cert-manager objects so that you can revert if needed:
%> kubectl get certificate obcerv-ca -o yaml -n <namespace> > /path/to/backup/old-cert.yaml
%> kubectl get secret obcerv-ca -o yaml -n <namespace> > /path/to/backup/old-ca.yaml
%> kubectl get issuer obcerv-issuer -o yaml -n <namespace> > /path/to/backup/old-issuer.yaml
- Reconfigure by upgrading the release with the edited values file, keeping the currently installed chart version:
%> helm upgrade -n <namespace> -f obcerv.yaml obcerv itrs/obcerv --version <currently-installed-version>
- Check that the new TLS certificate is in use:
%> curl -vk https://www.obcerv.local
%> curl -vk https://www.obcerv.local/auth
%> curl -vk https://ingestion.obcerv.local
The output should show a subject, expiration date, and issuer matching your TLS certificate. Because -k disables certificate verification, also repeat the commands without it from a machine that trusts your CA: they should now complete without the "unable to get local issuer certificate" error, which confirms that the full chain is served in the right order and not merely that a new certificate is present.
- Delete the old self-signed CA secret used by the Web Console.
The obcerv-ca secret is created by the ITRS Analytics Operator when installing with self-signed certificates. It contains the full trust chain of ITRS Analytics, which the Web Console displays so that data sources (such as Geneos) can be configured to trust the connection. After the reconfiguration it holds outdated certificates, so delete it before optionally re-creating it (see next step):
%> kubectl delete secret obcerv-ca -n <namespace>
- (Optional) Re-create the CA secret used by the Web Console.
The obcerv-ca secret is useful if you need the Web Console to display the full trust chain of ITRS Analytics so that clients can establish verified TLS connections to it.
Note
If you are connecting a Geneos Gateway to ITRS Analytics, this is only required if neither of the following applies:
- The Gateway version is at least 6.1.0 and the Gateway is configured to skip the verification of the ITRS Analytics certificate (in which case the Gateway does not authenticate the endpoint it connects to).
- The ITRS Analytics certificate is signed by a CA already trusted by the Gateway.
First, re-create the obcerv-ca secret with the new chain:
%> kubectl create secret generic obcerv-ca --from-file=<CA cert PEM file>=<full chain PEM file> -n <namespace>
Then restart the Web Console to pick up the change:
%> kubectl delete pod -n <namespace> obcerv-app-webconsole
Wait for the Web Console pod to start, then log in and confirm that the new trust chain is displayed.