To edit/set the SSL certificates by hand.
Before you being ensure that openjdk is installed. At the time of this java-1.8.0-openjdk is the current version on CentOS 7.5
yum install java-1.8.0-openjdk -y
Ensure you have your certificate and private key on the system you are running these commands.
We are creating a file certificates.yaml in order to load into the system.
Need to create the keystore.jks file that will be used by java. Note: If using Let's Encrypt use the fullchain.pem file instead of cert.pem
openssl pkcs12 -passout pass:anaconda -export -in CERT.PEM -inkey KEY.PEM -out certificate.p12 -name auth keytool -importkeystore -deststorepass anaconda -destkeypass anaconda -destkeystore keystore.jks -srckeystore certificate.p12 -srcstoretype PKCS12 -srcstorepass anaconda -alias auth
Creating an updated root ca to use with the system. For Let's Encrypt you can get the root CA here: https://letsencrypt.org/certs/isrgrootx1.pem.txt
For RHEL based systems the path to the trusted CA is:
For Ubuntu based systems the path the system CA is here:
cat ROOT.CA /etc/ssl/certs/ca-bundle.trust.crt > updated-trust-ca.crt
Setup the base structure of the file, and below will add the data points to it.
cat > certificates.yaml <<EOL apiVersion: v1 kind: Secret metadata: name: anaconda-enterprise-certs type: Opaque data: EOL
Adding the main domain for example test.anaconda.com SSL certificate.
printf " tls.crt: " >> certificates.yaml base64 -i --wrap=0 CERT.PEM >> certificates.yaml
Add the private key for the certificate
printf "\n tls.key: " >> certificates.yaml base64 -i --wrap=0 KEY.PEM >> certificates.yaml
Add the SAN certificate to the file. As an example *.test.anaconda.com
printf "\n wildcard.crt: " >> certificates.yaml base64 -i --wrap=0 CERT.PEM >> certificates.yaml
Add the private key for the SAN certificate
printf "\n wildcard.key: " >> certificates.yaml base64 -i --wrap=0 KEY.PEM >> certificates.yaml
Add the generated keystore that we did previously.
printf "\n keystore.jks: " >> certificates.yaml base64 -i --wrap=0 keystore.jks >> certificates.yaml
Add the updated root CA that we created previously.
printf "\n rootca.crt: " >> certificates.yaml base64 -i --wrap=0 updated-trust-ca.crt >> certificates.yaml
Adding a new line at the end of the file
Copy to the share directory to use inside gravity
cp certificates.yaml /var/lib/gravity/planet/share
Enter gravity and list out your secrets
gravity enter kubectl get secrets
We are removing one of the secrets so will take a backup just in case things go south.
kubectl get secret anaconda-enterprise-certs -o yaml --export > anaconda_certs.backup
Remove the existing secret for certs and recreate the secret from the file we placed in the share.
kubectl delete secret anaconda-enterprise-certs kubectl create -f /ext/share/certificates.yaml
Restart the pods for the change of certificates to take affect
kubectl get pods | cut -d' ' -f1 | xargs kubectl delete pods