5.3. Updating TLS Security Certificates

VoltDB Home » Documentation » VoltDB Kubernetes Administrator's Guide

If you are using TLS/SSL to encrypt data (either internally, externally, or both), you will need to update those certificates before they expire to ensure minimal disruption to normal operation. To update the TLS key stores, truststores, and credentials, you must not only update the appropriate properties but also stop and restart both the cluster and the Volt Operator, in the correct order.

The following instructions describe the process for updating TLS/SSL certificates. Before starting the renewal process, make sure you have the appropriately updated security files. The section on "Configuring TLS/SSL on the VoltDB Server" in the Using VoltDB manual and Section 2.2.2.4, “TLS/SSL” explain how to generate the necessary files when using self-signed certificates, as shown in the following examples. The procedure is similar when using certificates from a third-party authority.

  1. First, stop the database cluster by setting the replica count to zero. Note that you must repeat the property settings for the current TLS certificate files when issuing the helm upgrade command:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                         \
       --set-file cluster.config.deployment.ssl.keystore.file=oldkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=oldtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=oldtrust.pem       \
       --set cluster.clusterSpec.replicas=0
  2. Next, stop the Volt Operator. You do this by setting the property operator.enabled to false:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                         \
       --set-file cluster.config.deployment.ssl.keystore.file=oldkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=oldtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=oldtrust.pem       \
       --set operator.enabled=false
  3. Once the pods for both the cluster nodes and the operator have stopped, you are ready to update the helm properties to point to the new security credentials while restarting the operator:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                         \
       --set-file cluster.config.deployment.ssl.keystore.file=newkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=newtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=newtrust.pem       \
       --set operator.enabled=true
  4. Finally, you are ready to restart the database and return to normal operation:

    $ helm upgrade mydb voltdb/voltdb --reuse-values                         \
       --set-file cluster.config.deployment.ssl.keystore.file=newkey.jks     \
       --set-file cluster.config.deployment.ssl.truststore.file=newtrust.jks \
       --set-file cluster.clusterSpec.ssl.certificateFile=newtrust.pem       \
       --set cluster.clusterSpec.replicas=5
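As an added example (not from the VoltDB documentation or the Volt Operator), the four steps above as one script that enforces the ordering, waits for the pods to terminate after each of the two stop steps, and checks that the new PEM certificate is not expired or about to expire before anything is changed. Assumed: release mydb, chart voltdb/voltdb, namespace default, and the pod label selectors CLUSTER_PODS and OPERATOR_PODS, which you supply for your own deployment; HELM, KUBECTL and OPENSSL can be overridden (for example HELM=echo) to dry-run the sequence.

```shell
#!/bin/sh
# Added example, not from the VoltDB documentation: runs the four helm
# upgrades above in order, waits for pods to terminate after the two stop
# steps, and refuses to start if the new PEM certificate is near expiry.
# Assumptions: release "mydb", chart "voltdb/voltdb", namespace "default";
# CLUSTER_PODS / OPERATOR_PODS are label selectors you supply for your
# deployment; HELM/KUBECTL/OPENSSL can be overridden (HELM=echo) to dry-run.
set -eu
RELEASE=${RELEASE:-mydb}
CHART=${CHART:-voltdb/voltdb}
NS=${NS:-default}
CLUSTER_PODS=${CLUSTER_PODS:-}     # label selector matching the database pods
OPERATOR_PODS=${OPERATOR_PODS:-}   # label selector matching the operator pod
HELM=${HELM:-helm}
KUBECTL=${KUBECTL:-kubectl}
OPENSSL=${OPENSSL:-openssl}

# The three TLS properties that must be repeated on every helm upgrade.
tls_args() {
  printf '%s %s=%s ' --set-file cluster.config.deployment.ssl.keystore.file "$1" \
                     --set-file cluster.config.deployment.ssl.truststore.file "$2" \
                     --set-file cluster.clusterSpec.ssl.certificateFile "$3"
}
# Fail if the certificate is expired or expires within $2 seconds (default 30 days).
check_not_expiring() {
  $OPENSSL x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}
# One helm upgrade: the current TLS triple ($1 $2 $3) plus the property being changed ($4).
upgrade_step() {
  $HELM upgrade "$RELEASE" "$CHART" --reuse-values -n "$NS" \
    $(tls_args "$1" "$2" "$3") --set "$4"
}
# Block until no pod matches the selector: the "pods have stopped" condition above.
wait_for_pods_gone() {
  [ -n "$1" ] || { echo "set CLUSTER_PODS and OPERATOR_PODS" >&2; return 1; }
  $KUBECTL -n "$NS" wait --for=delete pod -l "$1" --timeout=600s
}
# rotate OLD_KEY OLD_TRUST OLD_PEM NEW_KEY NEW_TRUST NEW_PEM REPLICAS
rotate() {
  check_not_expiring "$6"
  upgrade_step "$1" "$2" "$3" cluster.clusterSpec.replicas=0     # step 1
  wait_for_pods_gone "$CLUSTER_PODS"
  upgrade_step "$1" "$2" "$3" operator.enabled=false             # step 2
  wait_for_pods_gone "$OPERATOR_PODS"
  upgrade_step "$4" "$5" "$6" operator.enabled=true              # step 3
  upgrade_step "$4" "$5" "$6" "cluster.clusterSpec.replicas=$7"  # step 4
}
if [ "$#" -eq 7 ]; then rotate "$@"; fi
```

Run it as `CLUSTER_PODS=... OPERATOR_PODS=... ./rotate-tls.sh oldkey.jks oldtrust.jks oldtrust.pem newkey.jks newtrust.jks newtrust.pem 5`; the script aborts before step 1 if `openssl x509 -checkend` reports the new certificate as expiring.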