Renew TLS certificates on Astronomer Software
After you set up a transport layer security (TLS) certificate for Astronomer, you'll need to establish a process for periodically renewing the certificate. The following methods are available for certificate renewal:
- Automatic renewal: Let's Encrypt provides a service that automatically renews your TLS certificate every 90 days. Astronomer recommends this option for smaller organizations where the DNS administrator and cluster administrator are either the same person or on the same team.
- Manual renewal: Manual renewal works similarly to the initial certificate creation process, except that you replace your existing certificate by creating a new certificate. Astronomer recommends this method for large organizations that have their own processes for issuing certificates.
By default, Certbot uses Elliptic Curve Digital Signature Algorithm (ECDSA) keys to sign certificates. If you're using Certbot to renew your TLS certificate, you must include -key-type rsa --rsa-key-size 2048 in your command to sign your certificate with an RSA key. If you don't use RSA keys, deploys fail and error messages appear in the registry and Houston logs. For example, you can run the following command to sign your certificate with an RSA key:
sudo certbot certonly --manual --preferred-challenges=dns -d -d *. --key-type=rsa
Automatically renew TLS certificates Using Let's Encrypt
Let's Encrypt is a certificate authority that provides free, 90-day certificates using the ACME protocol. You can use the Cert Manager project for Kubernetes to automatically renew certificates. When you renew a TLS certificate with Let's Encrypt, you must specify the RSA key type to sign certificates or your deploys will fail and error messages will appear in the registry and Houston logs.
-
Install the Kubernetes Cert Manager by following the official installation guide.
-
If you're running Astronomer on AWS, grant your nodes access to Route 53 by adding the following CloudFormation snippet to your nodes' Instance Profile (if you don't use AWS, complete whatever setup is necessary to authenticate Cert Manager to your DNS):
Type: "AWS::IAM::Role"
Properties:
RoleName: instance-profile-role
Policies:
- PolicyName: instance-profile-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: route53:GetChange
Resource: arn:aws:route53:::change/*
- Effect: Allow
Action:
- route53:ChangeResourceRecordSets
- route53:ListResourceRecordSets
# Use the second Resource format if you're updating this through the AWS UI
Resource: !Sub arn:aws:route53:::hostedzone/${HostedZoneIdLookup.HostedZoneId}
- Effect: Allow
Action: route53:ListHostedZonesByName
Resource: '*'
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"For more information on how to complete this setup, refer to AWS documentation.
-
Create a "ClusterIssuer" resource that declares how requests for certificates will be fulfilled. To do so, first create a
clusterissuer.yamlfile with the following values:apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: <your-email>
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cert-manager-issuer-secret-key
solvers:
- selector: {}
dns01:
route53:
region: <your-server-region>Then, create the ClusterIssuer by running the following command:
kubectl apply -f clusterissuer.yaml -n astronomer -
Create a Certificate resource that declares the type of certificate you'll request from Let's Encrypt. First, create a
certificate.yamlfile and replaceBASE_DOMAINwith your base domain. If you use a third-party ingress-controller, un-comment thesecretTemplatesection and change the value of the platform-release label to match your Astronomer platform release name:apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: acme-crt
spec:
# if using a third-party ingress controller your secretName MUST be astronomer-tls
secretName: astronomer-tls
dnsNames:
- BASE_DOMAIN
- app.BASE_DOMAIN
- deployments.BASE_DOMAIN
- registry.BASE_DOMAIN
- houston.BASE_DOMAIN
- grafana.BASE_DOMAIN
- kibana.BASE_DOMAIN
- install.BASE_DOMAIN
- prometheus.BASE_DOMAIN
- alertmanager.BASE_DOMAIN
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
group: cert-manager.io
# If using a third-party ingress controller, uncomment the following section and change
# the value of platform-release to match your Astronomer platform release name
# secretTemplate:
# annotations:
# astronomer.io/commander-sync="platform-release=astronomer"Then, create the certificate by running the following command and waiting a few minutes:
kubectl apply -f certificate.yaml -n astronomer -
Ensure that the certificate was created by running:
kubectl get certificates -n astronomer -
Note your certificate name for when you create a Kubernetes TLS secret and push it to your Software configuration as described in the Software installation guide (AWS, GCP, AKS).
Manually renew TLS certificates
Use a manual process to renew TLS certificates when your organization has its own process for requesting and renewing TLS certificates. When you renew a TLS certificate with Let's Encrypt, you must specify the RSA key type to sign certificates or your deploys will fail and error messages will appear in the registry and Houston logs.
-
Delete your current TLS certificate by running the following command:
kubectl delete secret astronomer-tls -n astronomer -
Follow the instructions for requesting a TLS certificate from your organization's security team as described in Step 4: Configure TLS. The linked guide is written for users installing Astronomer on AWS, but this step is the same regardless of which service you use.
-
Restart your Houston, nginx, and registry pods to begin using the new certificate by running the following commands:
kubectl rollout restart deployments -n astronomer
kubectl rollout restart statefulsets -n astronomer