# Redeploying TLS Certificates
# Overview
Redeploying a TLS certificate is the process of replacing the certificate currently in use with a newly issued one. It should be planned well before the certificate expires, or carried out when a certificate has been compromised. In the cnvrg Platform, TLS certificates are used to provide secure connections for its internal components. This guide explains how to redeploy (rotate) your platform's TLS certificate.
# Requirements
- kubectl utility and administrative access to the Kubernetes cluster.
- Wildcard TLS certificate for your domain (for each cluster).
# Kubernetes TLS Secret
First, we will need to create a Kubernetes TLS secret from the TLS certificate and key files.
```bash
kubectl -n cnvrg create secret tls my-tls-secret \
  --cert=path/to/cert/file \
  --key=path/to/key/file
```
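Before running the command above, the certificate and key files can be checked for the properties this guide depends on: a matching key, enough remaining validity, and a wildcard name for your domain. The following is an added example, not part of the cnvrg documentation; the function name `check_tls_pair`, its return codes and the 30-day default are assumptions, and it requires the `openssl` CLI.

```shell
#!/bin/sh
# check_tls_pair CERT KEY DOMAIN [MIN_DAYS]   (hypothetical helper, not a cnvrg tool)
# Return codes: 0 ok, 1 unreadable input, 2 key/cert mismatch,
#               3 expires within MIN_DAYS, 4 no wildcard SAN for DOMAIN
check_tls_pair() {
    cert=$1; key=$2; domain=$3; min_days=${4:-30}

    # Both files must parse as PEM before anything else is checked.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1

    # The public key in the certificate must be the one derived from the private key.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key does not match certificate" >&2; return 2; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within ${min_days} days" >&2; return 3; }

    # The requirements call for a wildcard certificate: look for an exact
    # DNS:*.DOMAIN entry in the subjectAltName list.
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr -d ' ' | tr ',' '\n' \
        | grep -qxF "DNS:*.${domain}" \
        || { echo "no wildcard SAN for *.${domain}" >&2; return 4; }

    echo "ok: $(openssl x509 -in "$cert" -noout -enddate)"
}

# Run the check when the script is called with arguments, e.g.
#   sh check-tls.sh path/to/cert/file path/to/key/file <your-domain> 30
if [ "$#" -ge 3 ]; then
    check_tls_pair "$@"
fi
```
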
# Update cnvrg Operator
There are two ways to update the TLS secret without manually editing the operator.
# Option 1
The first option is to use an inline kubectl patch command. The `certSecret` value must match the name of the secret created in the previous step:

```bash
kubectl patch cnvrginfras.mlops.cnvrg.io/cnvrg-infra cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p '{"spec": {"networking": {"https": {"enabled": true, "certSecret": "my-tls-secret"}}}}' -n cnvrg
```

Expected output:

```
cnvrginfra.mlops.cnvrg.io/cnvrg-infra patched
cnvrgapp.mlops.cnvrg.io/cnvrg-app patched
```
# Option 2
The second option is to create a file named patch-secret.yaml that has this content:
```yaml
---
spec:
  networking:
    https:
      certSecret: my-tls-secret
      enabled: true
...
```
Then, patch the cnvrg operator:

```bash
kubectl patch cnvrginfras.mlops.cnvrg.io/cnvrg-infra cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p "$(cat patch-secret.yaml)" -n cnvrg
```

Expected output:

```
cnvrginfra.mlops.cnvrg.io/cnvrg-infra patched
cnvrgapp.mlops.cnvrg.io/cnvrg-app patched
```
# Verification
Verify the progress of the operator reconciliation process:

```bash
kubectl -n cnvrg get cnvrgapps.mlops.cnvrg.io/cnvrg-app cnvrginfras.mlops.cnvrg.io/cnvrg-infra
```

Expected output:

```
NAME                                VERSION              STATUS   MESSAGE
cnvrgapp.mlops.cnvrg.io/cnvrg-app   cnvrg/app:v4.7.105   READY    successfully reconciled, ready (100%)

NAME                                    STATUS    MESSAGE
cnvrginfra.mlops.cnvrg.io/cnvrg-infra   HEALTHY   successfully reconciled
```