How to update SSL Certificates for Wallaroo

How to configure and update certificates in a Wallaroo installation.

Generate Certificates

The following settings are used for TLS certificates.

  1. Create a CA-signed TLS certificate for your Wallaroo domain with the following settings:
    1. Certificate Authority Options:
      1. Use a public Certificate Authority such as Let’s Encrypt or Verisign. In general, you would send a Certificate Signing Request to your CA and they would respond with your certificates.
      2. Use a private Certificate Authority (CA) to provide the certificates. Your organization will have procedures for clients to verify the certificates from the private CA.
      3. Use a Wallaroo certificate and public name server. Contact our CSS team for details.
    2. Subject Domain:
      1. Set the certificate’s Subject CN to your Wallaroo domain.
        1. With Wildcards: To use wildcards, use the wildcard *.{suffix domain}. For example, if the domain suffix is wallaroo.example.com, then the Subject CNs would be:
          1. wallaroo.example.com
          2. *.wallaroo.example.com
        2. If wildcard domains are not desired, use a combination of Subject and Subject Alternative Names to set names as follows:
          1. wallaroo.example.com
          2. api.wallaroo.example.com
          3. jupyter.wallaroo.example.com
          4. keycloak.wallaroo.example.com
    3. Save your certificates.
      1. You should have two files: the TLS Certificate (.crt) and TLS private key (.key). Store these in a secure location - these will be installed into Wallaroo at a later step.
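
Before installing the files, it is worth confirming that the private key belongs to the certificate, that the certificate is not close to expiry, and that it covers every Wallaroo hostname listed above. The following shell script is an added example, not part of the Wallaroo documentation or tooling; it assumes the openssl command line tool is installed, and the function names and the 30-day expiry margin are illustrative choices.

```shell
#!/bin/sh
# Added example (not Wallaroo tooling): pre-install checks for a TLS pair.
# Requires the openssl CLI; the 30-day expiry margin is an assumed policy.

# Service prefixes from the non-wildcard name list in this guide.
WALLAROO_PREFIXES="api jupyter keycloak"

# Succeeds when the certificate's public key matches the private key's.
cert_key_match() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 2
    [ "$cert_pub" = "$key_pub" ]
)

# Succeeds when the certificate is valid for host $2 (exact or wildcard name).
cert_covers_host() (
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
)

# Succeeds when the certificate does not expire within the next $2 days.
cert_valid_for_days() (
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
)

# Runs every check, reports each failure, returns non-zero if any failed.
# Usage: check_wallaroo_cert CERT KEY DOMAIN
check_wallaroo_cert() (
    cert=$1; key=$2; domain=$3; rc=0
    cert_key_match "$cert" "$key" ||
        { echo "FAIL: private key does not match certificate"; rc=1; }
    cert_valid_for_days "$cert" 30 ||
        { echo "FAIL: certificate expires within 30 days"; rc=1; }
    hosts=$domain
    for prefix in $WALLAROO_PREFIXES; do hosts="$hosts $prefix.$domain"; done
    for host in $hosts; do
        cert_covers_host "$cert" "$host" ||
            { echo "FAIL: certificate does not cover $host"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $cert covers all Wallaroo names"; fi
    exit "$rc"
)

# Run directly: ./check-cert.sh example.com.crt example.com.key wallaroo.example.com
if [ "$#" -eq 3 ]; then check_wallaroo_cert "$@"; fi
```

The key comparison expects an unencrypted private key file; a passphrase-protected key will prompt for its passphrase.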

Update SSL Certificates for Kots Installations

The following is for updating SSL certificates in Wallaroo for a Kots based installation.

  1. Access the Kots Administrative Dashboard in your browser. This can be done either after installation, or through the following command (assuming your Wallaroo instance was installed into the namespace wallaroo). By default this provides the Kots Administrative Dashboard through the URL https://localhost:8800.

    kubectl kots admin-console --namespace wallaroo
    
  2. From the Wallaroo Dashboard, select Config and set the following:

  3. TLS Certificates

    1. Use custom TLS Certs: Checked
    2. TLS Certificate: Enter your TLS Certificate (.crt file).
    3. TLS Private Key: Enter your TLS private key (.key file).
  4. Once complete, scroll to the bottom of the Config page and select Save config.

  5. A pop-up window will display the message "The config for Wallaroo Enterprise has been updated." Select Go to updated version to continue.

  6. From the Version History page, select Deploy. Once the new deployment is finished, you will be able to access your Wallaroo services via their DNS addresses.

Update SSL Certificates for Helm Installations

SSL certificates for Helm based installations of Wallaroo are stored as Kubernetes secrets. SSL certificates are set during the Wallaroo install procedure. The following procedure defines how to update the Kubernetes secret with new TLS certificates.

Create Kubectl Secret from Certificates

The following creates a new Kubernetes secret from the SSL certificates. This is used when the old certificates have expired or when new certificates generated by a different certificate authority are used.

  1. Set the default Kubernetes namespace to the one the Wallaroo instance is installed to (by default, wallaroo). For example:

    kubectl config set-context --current --namespace wallaroo
    
  2. Create a new Kubernetes secret in the same namespace as the Wallaroo instance, using the TLS Certificate and TLS private key. For example, the following command creates the secret named by the variable $TLSCONFIG from the certificate file stored in the variable $TLSCERT and the private key file stored in the variable $TLSKEY, with Wallaroo installed to the namespace wallaroo. IMPORTANT NOTE: Creating a Kubernetes secret in the same namespace with the same name as an already existing Kubernetes secret generates an error.

    kubectl create secret tls $TLSCONFIG --cert=$TLSCERT --key=$TLSKEY
    

    For example, if the new secret name is cust-cert-secret, the certificate file is example.com.crt and the key file is example.com.key, then the command would be:

    kubectl create secret tls cust-cert-secret --cert=example.com.crt --key=example.com.key --namespace wallaroo
    
  3. Update the local-values.yaml file with the new Kubernetes secret set to the custTlsSecretName Helm variable. The following is a minimum setting local-values.yaml file. For details on other helm based settings, see the Wallaroo Helm Reference Guides.

    domainPrefix: "" # optional if using a DNS Prefix
    domainSuffix: "wallaroo.example.com"

    custTlsSecretName: cust-cert-secret

    apilb:
      serviceType: LoadBalancer
      external_inference_endpoints_enabled: true
      ingress_mode: internal # internal (Default), external, or none

    dashboard:
      clientName: "Wallaroo Helm Example" # Insert the name displayed in the Wallaroo Dashboard

    kubernetes_distribution: ""   # Required. One of: aks, eks, gke, oke, or kurl.

Update Helm

  1. Update the helm based installation with the helm upgrade command in the following format:

    helm upgrade $RELEASE $REGISTRYURL --version $VERSION --values $LOCALVALUES.yaml
    

    Where:

    1. $RELEASE: The name of the Helm release. By default, wallaroo.
    2. $REGISTRYURL: The URL for the Wallaroo container registry service.
    3. $VERSION: The version of Wallaroo to install. For this example, 2024.1.0-5097.
    4. $LOCALVALUES: The .yaml file containing the local values overrides. For this example, local-values.yaml.

    For example, for the release wallaroo the command would be:

    helm upgrade wallaroo oci://registry.replicated.com/wallaroo/2024-1/wallaroo --version 2024.1.0-5097 --values local-values.yaml
    
  2. Delete the old Kubernetes secret used to store the TLS certificates with the following command format, where $OLDTLSCONFIG is the old secret name:

    kubectl delete secret $OLDTLSCONFIG
    

Once the new deployment is finished, you will be able to access your Wallaroo services via their DNS addresses.