
Migrate to TLS enabled StatefulSets

WARNING

This procedure requires an outage for production. Please plan accordingly.

To migrate to the TLS-enabled components, all the existing deployments for Redis, Mongo, PostgreSQL, and ActiveMQ

Backup

Before proceeding with the migration to the TLS-enabled release, take a backup of all the applications using the guide Mongo, PostgreSQL Backup/Restore Procedure for EF-CX on Kubernetes (manual procedure).

Once the backup has been taken, follow this guide to enable TLS for StatefulSets artifacts.

Change your working directory

CODE
cd ~/cim-solution/kubernetes

Upgrade Mongo to enable TLS/Auth

Uninstall the Mongo Helm chart

CODE
helm -n ef-external delete mongo

Once the chart is removed, install the chart from the appropriate release with TLS and Auth enabled

CODE
helm upgrade --install --namespace ef-external --values=external/bitnami/mongo/value.yaml mongo external/bitnami/mongo

Once the Mongo deployment is ready, restore the previous backup mentioned in this guide.

Upgrade Redis to enable TLS/Auth

Uninstall the existing Redis deployment

CODE
helm -n ef-external delete redis

Deploy the Redis chart from the latest release with TLS and Auth enabled

CODE
helm upgrade --install --namespace ef-external --values=external/bitnami/redis/values.yaml redis external/bitnami/redis

Upgrade PostgreSQL to enable TLS/Auth

Uninstall the existing PostgreSQL helm chart

CODE
helm -n ef-external delete ef-postgresql

Upgrade PostgreSQL using the latest TLS/Auth-enabled release

CODE
helm upgrade --install --namespace ef-external --values=external/bitnami/postgresql/values.yaml ef-postgresql external/bitnami/postgresql

Once the PostgreSQL deployment is ready, restore the backup.

Verify

After enabling TLS, verify it with the following steps:

  1. List all pods in the ef-external namespace:

CODE
kubectl get pods -n ef-external

The output will be similar to this:

[Screenshot: pod list in the ef-external namespace]

  2. Identify the pod you want to verify and run the following command after updating the pod name:

CODE
kubectl describe pod <pod-name> -n ef-external

In the output, scroll to Environment to find the tlsCertificateKeyFile and tlsCAFile paths, as shown below:

[Screenshot: Environment section of the pod description]

  3. Start a client pod and open a shell in it using the following command:

CODE
kubectl run --namespace ef-external mongo-mongodb-client --rm --tty -i --restart='Never' --env="MONGODB_ROOT_PASSWORD=$MONGODB_ROOT_PASSWORD" --image docker.io/bitnami/mongodb:6.0.2-debian-11-r1 --command -- bash

  4. Run the following command to connect to the MongoDB pod:

CODE
mongosh admin --host "mongo-mongodb" --authenticationDatabase admin -u root -p $MONGODB_ROOT_PASSWORD --tls --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates --tlsCertificateKeyFile <tlsCertificateKeyFile> --tlsCAFile <tlsCAFile>

  5. Once the connection is established, the verification is complete.
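
The following script is an added example, not part of the original guide. It automates steps 2 and 4 by extracting the TLS file paths from kubectl describe pod output and assembling the mongosh command; its strict mode omits the two --tlsAllowInvalid* flags so that the server certificate is validated rather than only the encryption being confirmed. The sample Environment block and the MONGODB_EXTRA_FLAGS layout are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: automates steps 2 and 4 of the Verify section.

# Constructed sample of the Environment section printed by
# `kubectl describe pod`. The variable name and layout are assumptions.
SAMPLE_DESCRIBE='    Environment:
      MONGODB_ROOT_USER:    root
      MONGODB_EXTRA_FLAGS:  --tlsMode=requireTLS --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert
      MONGODB_PORT_NUMBER:  27017'

# tls_flag_value <flag>: read describe output on stdin and print the first
# value written as --<flag>=<value> or --<flag> <value>.
tls_flag_value() {
  sed -n "s/.*--$1[= ]\{1,\}\([^ ]\{1,\}\).*/\1/p" | head -n 1
}

# mongosh_verify_cmd <describe-output> [strict]: print the step 4 command.
# "strict" leaves out both --tlsAllowInvalid* flags, so mongosh validates the
# server certificate and hostname against the CA file instead of skipping it.
mongosh_verify_cmd() {
  mv_key=$(printf '%s\n' "$1" | tls_flag_value tlsCertificateKeyFile)
  mv_ca=$(printf '%s\n' "$1" | tls_flag_value tlsCAFile)
  if [ -z "$mv_key" ] || [ -z "$mv_ca" ]; then
    echo "TLS file paths not found in the pod environment" >&2
    return 1
  fi
  mv_relax="--tlsAllowInvalidHostnames --tlsAllowInvalidCertificates "
  if [ "${2:-}" = "strict" ]; then mv_relax=""; fi
  # Single quotes keep $MONGODB_ROOT_PASSWORD literal; it expands in the client pod.
  printf 'mongosh admin --host "mongo-mongodb" --authenticationDatabase admin -u root -p "$MONGODB_ROOT_PASSWORD" --tls %s--tlsCertificateKeyFile %s --tlsCAFile %s\n' \
    "$mv_relax" "$mv_key" "$mv_ca"
}

# Live use: mongosh_verify_cmd "$(kubectl describe pod <pod-name> -n ef-external)" strict
mongosh_verify_cmd "$SAMPLE_DESCRIBE"          # same flags as step 4
mongosh_verify_cmd "$SAMPLE_DESCRIBE" strict   # certificate validation on
```

If the strict command fails while the relaxed one connects, the deployment is encrypting traffic but the certificate chain or hostname does not validate against the CA file.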
