Hello, I would like to know if there is another way to renew a TLS certificate used to access IFS without reinstalling the entire Kubernetes cluster?
Hi Regis,
- Prepare an updated TLS certificate.
- Copy the new TLS certificate to ifsroot\config\certs.
- Open ifsroot\config\ifscloud-values.yaml.
- Update and verify "certificateFile" and "certificatePassword" as appropriate.
- Rerun mtinstaller action.
installer.cmd --set action=mtinstaller
Then verify the certificate validity dates. An example with openssl:
openssl s_client -connect <url>:443 | openssl x509 -noout -dates
Best regards -- Ben
Follow the instructions below to verify all the certificates related to microk8s.
- Log in to the middleware server of the environment (SSH)
- Check if certificates are available in the path below
  - /var/snap/microk8s/current/certs
- Now run the command below on all .crt files
  - openssl x509 -in <.crt path>/<crt name>.crt -noout -enddate
The ingress certificate on the system_url can be changed with the normal ifsinstaller/installer - make sure all pods are restarted afterwards - also make sure ifs-monitoring is deinstalled first and then reapplied afterwards….
The k8s API certificate will, as far as I know, require a reinstall of the cluster (I have tried the instructions from microk8s, which failed for me). A reinstall is also required to be on the later versions of k8s, which is desirable from a security patching perspective. A k8s cluster will need patching (reinstall) at least yearly and then the cert expiry is not an issue anymore. :)
Hi,
I followed these steps but it doesn’t work:
- Prepare an updated TLS certificate.
- Copy the new TLS certificate to ifsroot\config\certs.
- Open ifsroot\config\ifscloud-values.yaml.
- Update and verify "certificateFile" and "certificatePassword" as appropriate.
- Rerun mtinstaller action.
installer.cmd --set action=mtinstaller
The secret is not updated, maybe I need to delete it first? (the ifs-ingress.crt secret)
Have you restarted the ingress pods as well?
kubectl delete pod ingress-ingress-nginx-controller-475lv -n ifs-ingress
Hello, no need to restart the ingress pod; to resolve this issue I need to delete the ifs-ingress.crt secret.
Your comment surprised me… I had to look it up in the Helm chart.
Deleting ifs-ingress.crt should only be required if you want a new autogenerated self-signed cert (valid for 10 years). If you supply a new cert via the ifscloud-values.yaml, it should update the existing ifs-ingress.crt.
Maybe that can be explained by this line in secrets.yaml:
{{- if or ( not ( lookup "v1" "Secret" $.Values.global.namespace "ifs-ingress.crt" ) ) .Values.regenerateCert -}}
The line before is:
{{ if not .Values.tlsSecrets.ifsIngressCert.key }}
{{- if or ( not ( lookup "v1" "Secret" $.Values.global.namespace "ifs-ingress.crt" ) ) .Values.regenerateCert -}}
which means that if you have passed your own cert then the lookup for the "ifs-ingress.crt" will never happen.
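
Added example (not part of any post above, and not IFS or microk8s code): a Python wrapper around the `openssl x509 -in ... -noout -enddate` check quoted earlier in the thread, run over every .crt file in the microk8s certs directory and classifying each one. The 30-day warning threshold and the function names are assumptions made for this example.

```python
"""Flag certificates that have expired or are close to expiry."""
import ssl
import subprocess
import sys
import time
from pathlib import Path

CERT_DIR = "/var/snap/microk8s/current/certs"  # path given in the thread
WARN_DAYS = 30  # assumed warning threshold, not from the thread


def parse_enddate(output):
    """Turn openssl's 'notAfter=Mar 10 12:00:00 2026 GMT' into epoch seconds."""
    for line in output.splitlines():
        if line.startswith("notAfter="):
            return ssl.cert_time_to_seconds(line.split("=", 1)[1].strip())
    raise ValueError("no notAfter= line in openssl output")


def classify(output, now, warn_days=WARN_DAYS):
    """Return 'EXPIRED', 'EXPIRING' (inside warn_days) or 'OK'."""
    remaining = parse_enddate(output) - now
    if remaining <= 0:
        return "EXPIRED"
    return "EXPIRING" if remaining < warn_days * 86400 else "OK"


def scan(cert_dir=CERT_DIR, now=None):
    """Run the thread's openssl command on every .crt file in cert_dir."""
    now = time.time() if now is None else now
    results = {}
    for crt in sorted(Path(cert_dir).glob("*.crt")):
        proc = subprocess.run(
            ["openssl", "x509", "-in", str(crt), "-noout", "-enddate"],
            capture_output=True, text=True)
        # A file openssl cannot parse is reported instead of being skipped.
        results[crt.name] = (classify(proc.stdout, now)
                             if proc.returncode == 0 else "UNREADABLE")
    return results


if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else CERT_DIR)
    for name, status in report.items():
        print(f"{status:10} {name}")
    # Non-zero exit lets a scheduled job or monitoring check raise an alert.
    sys.exit(1 if any(s != "OK" for s in report.values()) else 0)
```

The script exits non-zero when any certificate is not `OK`, so it can be run from a scheduled job on the middleware server.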