TLS Certificates

To create new certificates, rotate existing ones, or fix or rename an invalid TLS secret, refer to the sections below.

NEW or ROTATING CERTIFICATES

Note: If you are renewing the TLS certificates, you must delete the existing Kubernetes secret before continuing.
    kubectl delete secret datainsightcerts

If you have TLS certificates, you may load them into Kubernetes as a secret and configure SevOne Data Insight to utilize them.

  1. Using a text editor of your choice, edit the config file for your SevOne Data Insight version (see the table in section find config file) to enable TLS certificates, and then save it.
    Important: If the config file does not exist, please create one and add the following to it.

    Enable the certificates

    Important: Please make sure to copy and paste the configuration below as-is in the config file. Spacing is very important and it must match when copied into the config file.
    For SDI 6.8.x and below,
    
    ingress:
      hosts:
      - "di.customer.com"
      tls:
      - secretName: datainsightcerts
        hosts:
        - "di.customer.com"
    
    For SDI 7.0.x and above,
    
    ingress = {
        hosts = ["di.customer.com"]
        tls = [
            {
                secret_name = "datainsightcerts"
                hosts = ["di.customer.com"]
            }
        ]
    }
    
  2. Load your TLS certificates as a Kubernetes secret.
    ls /home/sevone/tls
        tls.crt  tls.key
    
    kubectl create secret tls datainsightcerts \
    --key /home/sevone/tls/tls.key \
    --cert /home/sevone/tls/tls.crt
  3. Apply the change made to the config file.
    sevone-cli playbook up --tags apps

FIX INVALID TLS SECRET NAME

SevOne Data Insight expects the TLS certificate secret to be specifically named datainsightcerts.

If you find that your secret is named something else, please rename it to the expected name to avoid any issues.

➤   Find your Secret Name

  1. In the config file, the TLS secret name appears in the position marked <SECRET_NAME>.
    For SDI 6.8.x and below,
    
    ingress:
      hosts:
      - "di.customer.com"
      tls:
      - secretName: <SECRET_NAME>
        hosts:
        - "di.customer.com"
    
    For SDI 7.0.x and above,
    
    ingress = {
        hosts = ["di.customer.com"]
        tls = [
            {
                secret_name = "<SECRET_NAME>"
                hosts = ["di.customer.com"]
            }
        ]
    }
    

    If <SECRET_NAME> is datainsightcerts, you are all set and you do not need to perform any other steps. If it does not say datainsightcerts, proceed to the next section, Rename your Secret.

➤   Rename your Secret

  1. Copy the existing certificates to a file.

    Example

    kubectl get secret <SECRET_NAME> -o yaml > datainsightcerts.yaml
  2. Replace all instances of <SECRET_NAME> with datainsightcerts.

    Example

    sed -i 's/<SECRET_NAME>/datainsightcerts/g' datainsightcerts.yaml
  3. Add your new secret to Kubernetes.

    Example

    kubectl apply -f datainsightcerts.yaml
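
The rename step above, as an added example that is not part of the original SevOne documentation: rather than a global sed over the YAML, it works on the JSON form (kubectl get secret <SECRET_NAME> -o json), checks that the object is a kubernetes.io/tls secret holding PEM data, drops server-populated metadata, and changes only metadata.name. The helper name rename_tls_secret and the SAMPLE manifest are constructed for illustration.

```python
import base64
import copy
import json

# Fields the API server fills in; they belong to the old object, not the copy.
SERVER_FIELDS = ("uid", "resourceVersion", "creationTimestamp", "managedFields")
# kubectl apply stores the previous manifest (old name included) here.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def rename_tls_secret(manifest, new_name="datainsightcerts"):
    """Return a renamed copy of a TLS Secret manifest (hypothetical helper)."""
    if manifest.get("kind") != "Secret" or manifest.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    for key in ("tls.crt", "tls.key"):
        # Secret data is base64; a usable entry decodes to a PEM block.
        pem = base64.b64decode(manifest.get("data", {}).get(key, ""), validate=True)
        if not pem.lstrip().startswith(b"-----BEGIN "):
            raise ValueError(f"{key} is missing or is not PEM")
    renamed = copy.deepcopy(manifest)
    meta = renamed["metadata"]
    for field in SERVER_FIELDS:
        meta.pop(field, None)
    if isinstance(meta.get("annotations"), dict):
        meta["annotations"].pop(LAST_APPLIED, None)
    meta["name"] = new_name  # the only value that changes
    return renamed


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample standing in for `kubectl get secret <SECRET_NAME> -o json`.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "oldcerts", "namespace": "default",
                 "uid": "constructed-uid", "resourceVersion": "12345",
                 "creationTimestamp": "2024-01-01T00:00:00Z"},
    "data": {"tls.crt": _b64("-----BEGIN CERTIFICATE-----\n(constructed)\n"),
             "tls.key": _b64("-----BEGIN PRIVATE KEY-----\n(constructed)\n")},
}

if __name__ == "__main__":
    # Save the output as datainsightcerts.json, then: kubectl apply -f datainsightcerts.json
    print(json.dumps(rename_tls_secret(SAMPLE), indent=2))
```

The exported manifest contains the private key, and base64 is an encoding, not encryption, so restrict the file's permissions and delete it once the secret has been applied.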