# Redeploying TLS Certificates

# Overview

Redeploying a TLS certificate is the process of replacing the certificate currently in use with a newly issued one. It should be planned well before certificates expire, or carried out when a certificate has been compromised. In the cnvrg Platform, TLS certificates are used to provide secure connections for its internal components. This guide shows how to redeploy (rotate) your platform's TLS certificate.

# Requirements

  • kubectl utility and administrative access to the Kubernetes cluster.
  • Wildcard TLS certificate for your domain (for each cluster).

# Kubernetes TLS Secret

First, we will need to create a Kubernetes TLS secret from the TLS certificate and key files.

```bash
kubectl -n cnvrg create secret tls my-tls-secret \
  --cert=path/to/cert/file \
  --key=path/to/key/file
```
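
Before creating the secret, it is worth confirming that the files meet the requirements above. The following pre-flight check is an added example, not part of the cnvrg documentation: it verifies that the key matches the certificate, that the certificate is not about to expire, and that it carries a wildcard SAN for the domain. The helper name `check_tls_pair`, the script name and the 30-day default threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the cnvrg documentation): pre-flight checks on the
# certificate and key files before they are stored in the Kubernetes TLS secret.

# check_tls_pair CERT KEY DOMAIN [MIN_DAYS]   (hypothetical helper name)
# Returns 0 if the pair is fit to deploy; otherwise prints the reason to
# stderr and returns 1.
check_tls_pair() {
  local cert="$1" key="$2" domain="$3" min_days="${4:-30}"
  local cert_pub key_pub

  # 1. The private key must belong to the certificate: derive the public key
  #    from each file and compare them.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert (or a file is unreadable)" >&2
    return 1
  fi

  # 2. The certificate must stay valid for at least MIN_DAYS more days.
  if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
    echo "FAIL: $cert expires within $min_days days" >&2
    return 1
  fi

  # 3. The certificate must carry a wildcard SAN for the cluster domain.
  #    SAN entries are split one per line so the match is exact, not a substring.
  if ! openssl x509 -in "$cert" -noout -text | tr ',' '\n' |
       sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "DNS:*.${domain}"; then
    echo "FAIL: $cert has no SAN for *.${domain}" >&2
    return 1
  fi

  echo "OK: $cert and $key are consistent and valid for *.${domain}"
}

# Run the checks when called as: ./check-tls.sh CERT KEY DOMAIN [MIN_DAYS]
if [ "$#" -ge 3 ]; then
  check_tls_pair "$@"
fi
```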

# Update cnvrg Operator

There are two ways to update the TLS secret without manually editing the operator.

# Option 1

The first option is to use an inline kubectl patch command. The `certSecret` value must be the name of the secret created above:

```bash
kubectl patch cnvrginfras.mlops.cnvrg.io/cnvrg-infra cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p '{"spec": {"networking": {"https": {"enabled": true, "certSecret": "my-tls-secret"}}}}' -n cnvrg
```

Expected output:

```
cnvrginfra.mlops.cnvrg.io/cnvrg-infra patched
cnvrgapp.mlops.cnvrg.io/cnvrg-app patched
```

# Option 2

The second option is to create a file named patch-secret.yaml that has this content:

```yaml
---
spec:
  networking:
    https:
      certSecret: my-tls-secret
      enabled: true
...
```

Then patch the cnvrg operator:

```bash
kubectl patch cnvrginfras.mlops.cnvrg.io/cnvrg-infra cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p "$(cat patch-secret.yaml)" -n cnvrg
```

Expected output:

```
cnvrginfra.mlops.cnvrg.io/cnvrg-infra patched
cnvrgapp.mlops.cnvrg.io/cnvrg-app patched
```

# Verification

Verify the progress of the operator reconciliation process:

```bash
kubectl -n cnvrg get cnvrgapps.mlops.cnvrg.io/cnvrg-app cnvrginfras.mlops.cnvrg.io/cnvrg-infra
```

Expected output:

```
NAME                                VERSION                 STATUS   MESSAGE
cnvrgapp.mlops.cnvrg.io/cnvrg-app   cnvrg/app:v4.7.105   READY    successfully reconciled, ready (100%)

NAME                                    STATUS    MESSAGE
cnvrginfra.mlops.cnvrg.io/cnvrg-infra   HEALTHY   successfully reconciled
```

Last Updated: 12/18/2023, 11:43:33 AM