Setting up TLS Certificates

After kURL install has completed, you'll be prompted to set up the KOTS Admin Console by directing your browser to http://<ip>:8800. Only after initial install you'll be presented a warning page:


tls-certs-insecure

The next page allows you to configure your TLS certificates:


tls-certs-setup

To continue with the preinstalled self-signed TLS certificates, click "skip & continue". Otherwise upload your signed TLS certificates as describe on this page. The hostname is an optional field, and when its specified, its used to redirect your browser to the specified host.

Once you complete this process then you'll no longer be presented this page when logging into the KOTS Admin console. If you direct your browser to http://<ip>:8800 you'll always be redirected to https://<ip>:8800.

KOTS TLS Secret

kURL will set up a Kubernetes secret called kotsadm-tls. The secret stores the TLS certificate, key, and hostname. Initially the secret will have an annotation set called acceptAnonymousUploads. This indicates that a new TLS certificate can be uploaded as described above.

Uploading new TLS Certs

If you've already gone through the setup process once, and you want to upload new TLS certificates, you must run this command to restore the ability to upload new TLS certificates:

kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1

Warning: adding this annotation will temporarily create a vulnerability for anyone to nefariously upload TLS certificates. Once TLS certificates have been uploaded then the vulnerability is closed again.

After adding the annotation, you will need to restart the kurl proxy server. The simplest way is to delete the kurl-proxy pod (the pod will automatically get restarted):

kubectl delete pods PROXY_SERVER

The following command should provide the name of the kurl-proxy server:

kubectl get pods -A | grep kurl-proxy | awk '{print $2}'

After the pod has been restarted direct your browser to http://<ip>:8800 and run through the upload process as described above.

It's best to complete this process as soon as possible to avoid anyone from nefariously uploading TLS certificates. After this process has completed, the vulnerability will be closed, and uploading new TLS certificates will be disallowed again. In order to upload new TLS certificates you must repeat the steps above.