Updating Deepfactor portal certificate

Deepfactor portal requires a TLS certificate to encrypt traffic between the portal and your applications running with Deepfactor enabled. You can choose to use either a self-signed certificate or provide your own. The following articles outline how you can specify a certificate.

You should update the Deepfactor portal certificate before it expires. The following document outlines the steps needed to update the portal certificate based on the kind of certificate installed on the portal.

Self-Signed Certificate

  • Delete old secrets named deepfactor-certs and df-certs-ingress

    # delete old certificates secret
    kubectl delete secret deepfactor-certs df-certs-ingress -n deepfactor
  • Generate new self-signed certificates:

    • Download the required files using the below commands.

      # create a directory for the files
      mkdir deepfactor-certs

      # change directory
      cd deepfactor-certs/

      wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/generate-cert.sh
      wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/openssl-portal.cnf
      wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/openssl-portalca.cnf

    • Navigate to the download directory and run the script generate-cert.sh, providing the DNS name of your portal.

      chmod +x generate-cert.sh
      sudo ./generate-cert.sh <DNS-of-your-portal>
  • Create Kubernetes secret for the certificates

    # create new certificates secret
    kubectl create secret generic df-certs-ingress --from-file=tls.crt=./portal.crt --from-file=tls.key=./portal.key --from-file=ca.crt=./portalca.crt --namespace=deepfactor
  • Upgrade the portal and restart the pods

    The example below assumes that the release name is df-stable and that the chart repo name and the namespace are both deepfactor.

    # new secrets can be reloaded by the portal upgrade and restart of the Nginx and Apiservice pods

    # upgrade the portal first
    helm upgrade df-stable deepfactor/deepfactor -n deepfactor --reuse-values --set dfstartup.enabled=false

    # restart the pods
    kubectl rollout restart deploy df-stable-deepfactor-nginx df-stable-deepfactor-apisvc -n deepfactor

    # wait for the pods to be in running state
    kubectl get pods -n deepfactor

Public CAs

  • If the certificate is managed by a third-party tool like cert-manager, the tool should take care of renewing the certificate, and you only need to restart a few of the Deepfactor pods so that they use the updated certificate.
    The example below assumes that the release name is df-stable and that the chart repo name and the namespace are both deepfactor.

    # restart the pods
    kubectl rollout restart deploy df-stable-deepfactor-nginx df-stable-deepfactor-apisvc -n deepfactor

    # wait for the pods to be in running state
    kubectl get pods -n deepfactor
  • If the certificate is self-managed, delete the old secret and create a new one with the same name.

    # delete old certificates secret (the create below fails if it still exists)
    kubectl delete secret df-certs-ingress -n deepfactor

    # create new certificates secret
    kubectl create secret generic df-certs-ingress --from-file=tls.crt="/path/to/tlscrt.pem" --from-file=tls.key="/path/to/tlskey.pem" --from-file=ca.crt="/path/to/ca.pem" --namespace=deepfactor

    # restart the pods
    kubectl rollout restart deploy df-stable-deepfactor-nginx df-stable-deepfactor-apisvc -n deepfactor

    # wait for the pods to be in running state
    kubectl get pods -n deepfactor
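
Before creating the df-certs-ingress secret in either procedure above, the three files can be checked locally so that a mismatched key, wrong hostname, or near-expiry certificate is caught before the pods are restarted. This is an added example, not part of the original article or Deepfactor's tooling; the function name check_portal_certs and the 30-day default window are assumptions, and it needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not Deepfactor tooling): check the files before they go into
# the df-certs-ingress secret. check_portal_certs is a hypothetical name.
# Usage: check_portal_certs <tls.crt> <tls.key> <ca.crt> <portal-dns> [min-days]
# Assumes <ca.crt> holds the full issuing chain. Returns 0 only if all checks pass.
check_portal_certs() {
    crt=$1; key=$2; ca=$3; dns=$4; min_days=${5:-30}
    rc=0

    # 1. The private key must belong to the certificate (compare public keys).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi

    # 2. The certificate must chain to the CA stored as ca.crt in the secret.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; rc=1
    fi

    # 3. The certificate must cover the portal's DNS name.
    #    -checkhost reports the result as text, so match on its output.
    if ! openssl x509 -in "$crt" -noout -checkhost "$dns" 2>/dev/null |
            grep -q "does match"; then
        echo "FAIL: $crt is not valid for host $dns"; rc=1
    fi

    # 4. The certificate must not expire inside the renewal window.
    if ! openssl x509 -in "$crt" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $crt expires within $min_days days"; rc=1
    fi

    return $rc
}

# When run as a script with arguments, e.g.
#   sh check-certs.sh ./portal.crt ./portal.key ./portalca.crt <DNS-of-your-portal>
if [ "$#" -ge 4 ]; then
    check_portal_certs "$@" || exit 1
fi
```
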