5.3. Updating TLS Security Certificates

VoltDB Home » Documentation » VoltDB Kubernetes Administrator's Guide

If you are using TLS/SSL to encrypt data (either internally, externally, or both), you will need to update those certificates before they expire to ensure minimal disruption to normal operation. To update the TLS key stores, truststores, and credentials, you must not only update the appropriate properties but also stop and restart both the cluster and the Volt Operator, in the correct order.

The following instructions describe the process for updating TLS/SSL certificates using Helm properties. Before starting the renewal process, make sure you have the updated security files ready. The section on "Configuring TLS/SSL on the VoltDB Server" in the Using VoltDB manual and Section 2.2.2.4, “Configuring TLS/SSL” explain how to generate the necessary files when using self-signed certificates, as shown in the following examples. The procedure is similar when using certificates from a third-party authority.

  1. First, stop the database cluster by setting the replication count to zero. Note that you must repeat the property settings for the current TLS certificate files when issuing the helm upgrade command:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                        \
       --set-file cluster.config.deployment.ssl.keystore.file=oldkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=oldtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=oldcert.pem        \
       --set cluster.clusterSpec.replicas=0
  2. Next, stop the Volt Operator. You do this by setting the property operator.enabled to false:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                        \
       --set-file cluster.config.deployment.ssl.keystore.file=oldkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=oldtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=oldcert.pem        \
       --set operator.enabled=false
  3. Once the pods for both the cluster nodes and the operator have stopped, you are ready to update the Helm properties to point to the new security credentials while restarting the operator:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                        \
       --set-file cluster.config.deployment.ssl.keystore.file=newkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=newtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=newcert.pem        \
       --set operator.enabled=true
  4. Finally, you are ready to restart the database and return to normal operation:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                        \
       --set-file cluster.config.deployment.ssl.keystore.file=newkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=newtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=newcert.pem        \
       --set cluster.clusterSpec.replicas=5
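
The four steps above as one script, added here as an example and not taken from the VoltDB guide: it checks how long the current certificate remains valid, then issues the four helm upgrades in the required order and waits for the database and operator pods to terminate before the new files are applied. The release name mydb, namespace default, replica count 5 and the pod label selector are assumptions, as is the DRY_RUN switch that records the commands instead of running them.

```sh
# Added example, not from the VoltDB guide: the four helm steps as one script,
# with an expiry check first and a wait for pods to terminate before the new
# files go in. Release, namespace, replica count and the label selector are
# assumptions; adjust them to your deployment.
set -eu
RELEASE=${RELEASE:-mydb}; CHART=${CHART:-voltdb/voltdb}; NS=${NS:-default}
REPLICAS=${REPLICAS:-5}; WARN_DAYS=${WARN_DAYS:-30}
# Assumed label selector that matches both the database and operator pods.
POD_SELECTOR=${POD_SELECTOR:-app.kubernetes.io/instance=$RELEASE}
# With DRY_RUN=1 every command is appended to PLAN instead of executed.
PLAN=""
run() { if [ "${DRY_RUN:-0}" = 1 ]; then PLAN="$PLAN$*
"; else "$@"; fi; }

# Succeeds when the PEM certificate $1 is still valid for more than $2 days.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null; }

# One helm upgrade step. The guide requires the three TLS file properties to
# be repeated on every upgrade, so they accompany the single property ($4)
# that the step actually changes.
upgrade() {
  run helm upgrade "$RELEASE" "$CHART" --reuse-values \
    --set-file "cluster.config.deployment.ssl.keystore.file=$1" \
    --set-file "cluster.config.deployment.ssl.truststore.file=$2" \
    --set-file "cluster.clusterSpec.ssl.certificateFile=$3" \
    --set "$4"
}

# Block until no pod matches the selector $1, failing after $2 seconds.
wait_for_pods_gone() {
  if [ "${DRY_RUN:-0}" = 1 ]; then PLAN="${PLAN}wait $1
"; return 0; fi
  waited=0
  while [ -n "$(kubectl -n "$NS" get pods -l "$1" -o name 2>/dev/null)" ]; do
    [ "$waited" -lt "${2:-600}" ] || { echo "timeout waiting for $1" >&2; return 1; }
    sleep 5; waited=$((waited + 5))
  done
}

# rotate OLDKEY OLDTRUST OLDCERT NEWKEY NEWTRUST NEWCERT: steps 1 to 4.
rotate() {
  PLAN=""
  upgrade "$1" "$2" "$3" cluster.clusterSpec.replicas=0       # 1. stop the cluster
  upgrade "$1" "$2" "$3" operator.enabled=false               # 2. stop the operator
  wait_for_pods_gone "$POD_SELECTOR"                          #    both sets of pods gone
  upgrade "$4" "$5" "$6" operator.enabled=true                # 3. new files, operator back
  upgrade "$4" "$5" "$6" "cluster.clusterSpec.replicas=$REPLICAS"  # 4. cluster back
}
# Direct use: rotate only when the current certificate is close to expiry.
if [ "$#" -eq 6 ] && ! cert_valid_for "$3" "$WARN_DAYS"; then rotate "$@"; fi
```

Run it as `sh rotate.sh oldkey.jks oldtrust.jks oldcert.pem newkey.jks newtrust.jks newcert.pem`; set `DRY_RUN=1` first to print nothing and merely record the plan in PLAN for inspection.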

If, instead of using Helm properties, you have your TLS/SSL credentials stored in a Kubernetes secret, as described in Section 2.2.2.4.2, “Using Kubernetes Secrets to Store and Reuse TLS/SSL Information”, the process is much the same, except in step #3 you update the secret rather than the individual properties. One easy way to update the secret is to delete and then recreate it using the updated TLS/SSL files. For example:

$ helm upgrade mydb voltdb/voltdb --reuse-values \
   --set cluster.clusterSpec.replicas=0
$ helm upgrade mydb voltdb/voltdb --reuse-values \
   --set operator.enabled=false
$ kubectl delete secret/my-ssl-creds
$ kubectl create secret generic my-ssl-creds      \
    --from-file=keystore_data=newkey.jks          \
    --from-file=truststore_data=newtrust.jks      \
    --from-file=certificate=newcert.pem           \
    --from-literal=keystore_password=topsecret    \
    --from-literal=truststore_password=topsecret
$ helm upgrade mydb voltdb/voltdb --reuse-values \
   --set operator.enabled=true
$ helm upgrade mydb voltdb/voltdb --reuse-values \
   --set cluster.clusterSpec.replicas=5