Introduction
When Terraform Enterprise (TFE) runs on Kubernetes, two approaches are available for updating its TLS certificates: changing the Helm chart values and running helm upgrade, or replacing the Kubernetes secret directly with kubectl. This guide walks through both methods.
During the initial TFE deployment on Kubernetes, the TLS material declared under the tls block in values.yaml (tls.certData, tls.keyData and tls.caCertData) is written to Kubernetes secrets by the Helm chart installation. Rotating the certificate therefore means updating those secrets, either through Helm or directly.
Expected Outcome
Successfully rotate TFE TLS certificate and private key in Kubernetes with minimal disruption.
Prerequisites
- The TFE application is up and healthy on Kubernetes
- A new set of TLS certificates
Use Case
TFE TLS certificates should be rotated under the following conditions:
- the certificate has expired or is about to expire
- the certificate or its private key is suspected to be compromised
- the issuing CA is changing
- rotation is required to comply with security practices
Procedure
The following command lists the secrets in the TFE namespace (tfe in this example). The CA bundle is stored in the Opaque secret terraform-enterprise-ca-certificates; the site certificate and its private key are stored in the kubernetes.io/tls secret terraform-enterprise-certificates.
$ kubectl -n tfe get secret
NAME TYPE DATA AGE
...
terraform-enterprise kubernetes.io/dockerconfigjson 1 61d
terraform-enterprise-ca-certificates Opaque 1 59d
terraform-enterprise-certificates kubernetes.io/tls 2 59d
terraform-enterprise-env-secrets Opaque 3 59d
Solution 1. Using Helm Upgrade
Use this method when the TFE configuration is managed through Helm, so that the certificate update is applied alongside other scheduled deployment changes and the Helm release state stays consistent with what is running.
Step 1
Update the following values under the tls block in your values.yaml. Each value is the PEM file base64-encoded as a single line.
tls:
  certData: <base64-encoded new certificate>
  keyData: <base64-encoded new private key>
  caCertData: <base64-encoded new CA bundle>
Step 2
Roll out the deployment change with the new TLS certificates.
$ helm upgrade terraform-enterprise hashicorp/terraform-enterprise \
-n tfe \
--values values.yaml
NOTE: helm upgrade applies every other change in values.yaml as well. Review the rest of the file carefully before upgrading to avoid unintended changes.
Solution 2. Using Kubectl command
Kubernetes secrets can also be managed directly with kubectl. Use this method to replace the certificate quickly without touching the Helm configuration. Because the secret is rendered from values.yaml by the chart, a later helm upgrade that still carries the old certData and keyData will overwrite the secret with the old pair, so update values.yaml as well once the rotation is confirmed.
The following steps outline the process to update the secret with the new TLS certificate and key.
Step 1
Inspect the existing secret. It holds the certificate tls.crt and the private key tls.key as base64-encoded strings; this is the TFE site certificate currently in use.
$ kubectl -n tfe get secret terraform-enterprise-certificates -o yaml
Step 2
Use the following kubectl command to replace the certificate tls.crt and the private key tls.key. The secret is generated locally with --dry-run=client and then applied over the existing one. Because the secret was created by Helm rather than kubectl apply, kubectl prints a warning that the kubectl.kubernetes.io/last-applied-configuration annotation is missing and adds it; this is expected.
$ kubectl create secret tls terraform-enterprise-certificates \
-n tfe \
--cert=./cert.pem \
--key=./key.pem \
--dry-run=client -o yaml | kubectl apply -f -
Step 3
Restart the TFE deployment so the pods start with the updated secret mounted.
$ kubectl -n tfe rollout restart deployment terraform-enterprise
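The script below is an added example that ties the two solutions together; it is not part of the original article or of the terraform-enterprise Helm chart. It renders the tls block for values.yaml (Solution 1), checks that the new certificate and private key actually belong together and are not about to expire before anything is replaced, performs the Solution 2 secret replacement and restart, and then verifies both the live secret and the certificate TFE serves. Assumptions: the new material is in ./cert.pem, ./key.pem and ./ca.pem (PEM), the namespace is tfe unless NAMESPACE is set, TFE_HOSTNAME is optionally set for the served-certificate check, and the secret and deployment names are the ones shown in the article. The CA-bundle secret is left to values.yaml because its data key is not shown in the article.

```shell
#!/bin/sh
# Added example for the TFE TLS rotation above (not from the article or the Helm chart).
# Assumed inputs: ./cert.pem ./key.pem ./ca.pem; NAMESPACE (default tfe); TFE_HOSTNAME (optional).
set -eu

# Base64 on a single line, as values.yaml expects (portable; GNU `base64 -w0` is not universal).
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# Render the tls: block for values.yaml from PEM files (Solution 1 input).
render_tls_values() {
  printf 'tls:\n  certData: %s\n  keyData: %s\n  caCertData: %s\n' \
    "$(b64_oneline "$1")" "$(b64_oneline "$2")" "$(b64_oneline "$3")"
}

# Pre-flight: the certificate and private key must share the same public key, and the
# certificate must remain valid for at least min_days (default 30). Requires openssl.
check_pair() {
  cert=$1; key=$2; min_days=${3:-30}
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "refusing to rotate: $cert and $key do not match" >&2
    return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 24 * 3600)) >/dev/null; then
    echo "refusing to rotate: $cert expires within $min_days days" >&2
    return 1
  fi
}

# Post-apply check: the live secret carries exactly the certificate from the file.
live_secret_matches_file() {
  ns=$1; secret=$2; cert=$3
  live=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' | base64 -d)
  [ "$live" = "$(cat "$cert")" ]
}

# Post-restart check: the certificate TFE actually serves has the file's SHA-256 fingerprint.
served_cert_matches_file() {
  host=$1; cert=$2
  served=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)
  [ "$served" = "$(openssl x509 -in "$cert" -noout -fingerprint -sha256)" ]
}

# Solution 2 end to end: check, replace the secret, restart, verify.
rotate() {
  ns=${NAMESPACE:-tfe}
  check_pair ./cert.pem ./key.pem
  # Keep values.yaml in step so the next `helm upgrade` does not reinstate the old pair.
  render_tls_values ./cert.pem ./key.pem ./ca.pem > tls-values.yaml
  kubectl -n "$ns" create secret tls terraform-enterprise-certificates \
    --cert=./cert.pem --key=./key.pem --dry-run=client -o yaml | kubectl apply -f -
  live_secret_matches_file "$ns" terraform-enterprise-certificates ./cert.pem
  kubectl -n "$ns" rollout restart deployment terraform-enterprise
  kubectl -n "$ns" rollout status deployment terraform-enterprise
  [ -z "${TFE_HOSTNAME:-}" ] || served_cert_matches_file "$TFE_HOSTNAME" ./cert.pem
}

# Run the rotation only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "rotate" ]; then rotate; fi
```

Run it as `sh rotate-tfe-tls.sh rotate` from the directory holding the PEM files. The mismatch check matters because kubectl create secret tls accepts any certificate and key pair; a mismatched pair only surfaces when TFE fails to start TLS after the restart. The generated tls-values.yaml can be merged into values.yaml so that the Helm release and the live secret agree.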
References
- https://developer.hashicorp.com/terraform/enterprise/deploy/prepare-host#create-tls-certificates
- https://github.com/hashicorp/terraform-enterprise-helm/blob/main/templates/secret.yaml
- https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_tls/
- https://helm.sh/docs/helm/helm_upgrade/