Updating TLS Certificates on a Kubernetes Installer Cluster

For Kubernetes installer provisioned clusters, the default app manager self-signed certificate automatically renews 30 days before the expiration date.

If you have uploaded a custom TLS certificate instead, then no renewal is attempted, even if the certificate is expired. In this case, you must manually upload a new custom certificate.

For information about TLS renewal for registry and Kubernetes control plane with the Kubernetes installer, see TLS Certificates in the kURL documentation.

Update Custom TLS Certificates

If you are using a custom TLS certificate in a Kubernetes installer cluster, you manually upload a new certificate when the previous one expires.

:::warning Adding the acceptAnonymousUploads annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again.

Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk. :::

To upload a new custom TLS certificate:

1. Run the following annotation command to restore the ability to upload new TLS certificates:

   kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite

2. Run the following command to get the name of the kurl-proxy server:

   kubectl get pods -A | grep kurl-proxy | awk '{print $2}'

3. Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs.

   kubectl delete pods PROXY_SERVER

   Replace PROXY_SERVER with the name of the kurl-proxy server that you got in the previous step.

4. After the pod has restarted, direct your browser to http://<ip>:8800/tls and go through the upload process in the user interface.