How to update SSL Certificates for Wallaroo

How to configure and update certificates in a Wallaroo installation.

Generate Certificates

The following settings are used for TLS certificates.

  1. Create a CA-signed TLS certificate for your Wallaroo domain with the following settings:
    1. Certificate Authority Options:
      1. Use a public Certificate Authority such as Let’s Encrypt or Verisign. In general, you would send a Certificate Signing Request to your CA and they would respond with your certificates.
      2. Use a private Certificate Authority (CA) to provide the certificates. Your organization will have procedures for clients to verify the certificates from the private CA.
      3. Use a Wallaroo certificate and public name server. Contact our CSS team for details.
    2. Subject Domain:
      1. Set the certificate’s Subject CN to your Wallaroo Domain. For example, if the Wallaroo Domain wallaroo.example.com, then the Subject CNs would be wallaroo.example.com.
    3. Save your certificates.
      1. You should have two files: the TLS Certificate (.crt) and TLS private key (.key). Store these in a secure location - these will be installed into Wallaroo at a later step.

Update SSL Certificates for Kots Installations

The following is for updating SSL certificates in Wallaroo for a Kots based installation.

  1. Access the Kots Administrative Dashboard in your browser. This can be done either after installation, or through the following command (assuming your Wallaroo instance was installed into the namespace wallaroo or kotsadm for Single Node installations). By default this provides the Kots Administrative Dashboard through the URL https://localhost:8800.

    kubectl kots admin-console --namespace wallaroo

  2. From the Wallaroo Dashboard, select Config and set the following:

  3. TLS Certificates

    1. Use custom TLS Certs: Checked
    2. TLS Certificate: Enter your TLS Certificate (.crt file).
    3. TLS Private Key: Enter your TLS private key (.key file).
    Wallaroo DNS Records

  4. Once complete, scroll to the bottom of the Config page and select Save config.

  5. A pop-up window will display The config for Wallaroo Enterprise has been updated.. Select Go to updated version to continue.

  6. From the Version History page, select Deploy. Once the new deployment is finished, you will be able to access your Wallaroo services via their DNS addresses.

Update SSL Certificates for Helm Installations

SSL certificates for Helm based installations of Wallaroo are stored as Kubernetes secrets. SSL certificates are set during the Wallaroo install procedure. The following procedure defines how to update the secret key with new TLS certificates.

Set the Kubernetes Namespace

Before start, set the Kubernetes default namespace to match the ones used for Wallaroo. For example, if Wallaroo is installed in the wallaroo namespace, that command is:

kubectl config set-context --current --namespace wallaroo

Remove Old Kubectl Secret

Before starting, delete the old kubectl secret used to store the security certificates. This was set during the initial Wallaroo installation via helm and saved as the helm value custTlsSecretName.

To delete the old Wallaroo kubectl secret This is done with the kubectl delete secret command. For example, if the Wallaroo secret is stored as cust-cert-secret, use the following command:

kubectl delete secret cust-cert-secret

Create New Kubectl Secret from Certificates

The following creates a new Kubectl secret from the SSL certificates. This should use the same name as the Wallaroo kubectl secret that was just deleted.

This is done with the command kubectl create secret tls command with the following items:

  • The certificate file.
  • The private key file.
  • The kubectl secret name. This must be the same kubectl secret name that was just deleted and set in the helm settings for custTlsSecretName.

For example, if the following settings are used:

  • The certificate file: example.com.crt
  • The private key file: example.com.key
  • The kubectl secret name: cust-cert-secret

Then the kubectl secret create command is:

    kubectl create secret tls cust-cert-secret --cert=example.com.crt --key=example.com.key --namespace wallaroo

Update Helm

  1. Update the helm based installation of Wallaroo with the following command to use the new kubectl secret key and certificates:
kubectl rollout restart deployment api-lb

This will reset the api-lb service and the procedure is complete.