From e917db73a1b45a5ef1b37cbbb5c832b814b41af3 Mon Sep 17 00:00:00 2001 From: Evans Mungai Date: Wed, 10 Dec 2025 13:18:34 +0000 Subject: [PATCH 1/2] feat: add CLI subcommand to update admin console TLS certificates Signed-off-by: Evans Mungai --- docs/enterprise/embedded-tls-certs.mdx | 33 +++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/docs/enterprise/embedded-tls-certs.mdx b/docs/enterprise/embedded-tls-certs.mdx index a3ffc1b69e..146a70b028 100644 --- a/docs/enterprise/embedded-tls-certs.mdx +++ b/docs/enterprise/embedded-tls-certs.mdx 
@@ -4,15 +4,42 @@ This topic describes how to update custom TLS certificates in Replicated Embedde ## Update Custom TLS Certificates -Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates through the Admin Console. +Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates using the CLI or through the Admin Console. + +### Update Using the CLI (Recommended) + +:::note +The `admin-console update-tls` command is available in Embedded Cluster v2.14.0 and later. +::: + +The `admin-console update-tls` command provides a secure way to update TLS certificates for the Admin Console. This method updates the `kotsadm-tls` Kubernetes secret directly. Pods watching this secret automatically reload the TLS configuration, so no restart is required. + +To update TLS certificates using the CLI: + +1. SSH onto a controller node where Embedded Cluster is installed. Ensure the TLS certificate and key files are present on the node. + +1. Run the following command to update the TLS certificate and key: + + ```bash + sudo ./APP_SLUG admin-console update-tls --tls-cert PATH_TO_CERT --tls-key PATH_TO_KEY + ``` + + Replace: + - `APP_SLUG` with the unique slug of the installed application. + - `PATH_TO_CERT` with the path to the TLS certificate file. + - `PATH_TO_KEY` with the path to the TLS key file. + +### Update Using the Admin Console + +You can also update TLS certificates through the Admin Console. This method requires temporarily enabling anonymous uploads. :::important Adding the `acceptAnonymousUploads` annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again. -Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk. +Replicated recommends using the CLI method above when possible. 
If you use this method, complete the upload process quickly to minimize the vulnerability risk. ::: -To upload a new custom TLS certificate in Embedded Cluster installations: +To upload a new custom TLS certificate through the Admin Console: 1. SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl: From bbba46e8cc15dffa58d34830d8f34290580e6c34 Mon Sep 17 00:00:00 2001 From: Alex Parker <7272359+ajp-io@users.noreply.github.com> Date: Wed, 10 Dec 2025 11:47:20 -0500 Subject: [PATCH 2/2] Update embedded-tls-certs.mdx --- docs/enterprise/embedded-tls-certs.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/enterprise/embedded-tls-certs.mdx b/docs/enterprise/embedded-tls-certs.mdx index 146a70b028..3b9517aa7f 100644 --- a/docs/enterprise/embedded-tls-certs.mdx +++ b/docs/enterprise/embedded-tls-certs.mdx @@ -4,7 +4,7 @@ This topic describes how to update custom TLS certificates in Replicated Embedde ## Update Custom TLS Certificates -Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates using the CLI or through the Admin Console. +Users can use the CLI or the Admin Console to update the TLS certificates used to secure the Admin Console in Embedded Cluster installations. This is useful when certificates expire or need to be rotated regularly. ### Update Using the CLI (Recommended) 
@@ -12,11 +12,11 @@ Users can provide custom TLS certificates with Embedded Cluster installations an The `admin-console update-tls` command is available in Embedded Cluster v2.14.0 and later. ::: -The `admin-console update-tls` command provides a secure way to update TLS certificates for the Admin Console. This method updates the `kotsadm-tls` Kubernetes secret directly. Pods watching this secret automatically reload the TLS configuration, so no restart is required. +The `admin-console update-tls` command provides a secure way to update TLS certificates for the Admin Console. To update TLS certificates using the CLI: -1. SSH onto a controller node where Embedded Cluster is installed. Ensure the TLS certificate and key files are present on the node. +1. SSH onto a controller node where Embedded Cluster is installed. Ensure the new TLS certificate and key files that you want to use are present on the node. 1. Run the following command to update the TLS certificate and key:
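Review bot: In PATCH 1, hunk `@@ -4,15 +4,42 @@`, the new "Update Using the CLI (Recommended)" steps never say what the two files must contain: the `Replace:` list describes `PATH_TO_CERT` and `PATH_TO_KEY` only as "the TLS certificate file" and "the TLS key file", so a reader does not learn the expected encoding (PEM vs. something else) or whether intermediate certificates belong in the certificate file. Please add a sentence stating the accepted format and chain layout for `admin-console update-tls`, and since the procedure requires copying a private key onto the controller node, a short line on restricting its file permissions and removing it once the command succeeds. A final step that verifies the new certificate is being served (for example by reloading the Admin Console in a browser or checking the served certificate with an `openssl s_client` connection) would also close the loop, since the Admin Console procedure that follows ends with an observable result and the CLI one does not.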
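Review bot: In PATCH 2, hunk `@@ -12,11 +12,11 @@`, dropping the sentence "This method updates the `kotsadm-tls` Kubernetes secret directly. Pods watching this secret automatically reload the TLS configuration, so no restart is required." leaves the CLI section with no statement of what happens after the command runs, so an operator cannot tell whether a restart of the Admin Console is needed or when the new certificate takes effect. If the secret name is considered an implementation detail, keep at least the operational part, e.g. "The Admin Console picks up the new certificate automatically; no restart is required." (or the opposite, if a restart is in fact needed), rather than removing the behaviour entirely. The companion hunk `@@ -4,7 +4,7 @@` in the same patch is a wording change only and needs no follow-up.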