System Address Management
Palette VerteX uses Secure Sockets Layer (SSL) certificates to secure internal and external communication with Hypertext Transfer Protocol Secure (HTTPS). External VerteX endpoints, such as the system console, VerteX dashboard, the VerteX API, and the gRPC endpoint, are enabled by default with HTTPS using an auto-generated self-signed certificate.
Update System Address and Certificates
The Palette VerteX system console allows you to replace the self-signed certificate with a custom SSL certificate to secure these endpoints. Additionally, you can update the system address, which is the Fully Qualified Domain Name (FQDN) that you use to access your Palette installation. The system address and certificates may be updated simultaneously.
Palette VerteX validates the combination of system address, certificate, key, and Certificate Authority (CA). Ensure that the certificate is not expired, as well as that it is valid for the CA and the system address. Additionally, the system address must be accessible from the system console.
You can swap out the external endpoint certificate at any time without affecting the system functionality. However, updating the system address may require manual reconciliation on deployed clusters.
Prerequisites
-
Access to the Palette VerteX system console.
-
You need to have an x509 certificate and a key file in PEM format. The certificate file must contain the full certificate chain. Reach out to your network administrator or security team if you do not have these files.
-
A utility or tool to convert the certificate and key files to base64-encoded strings. You can use the
base64
command in Unix-based systems. Alternatively, you can use an online tool to convert the files to base64-encoded strings. -
Ensure the certificate is created for the custom domain name you specified for your Palette VerteX installation. If you did not specify a custom domain name, the certificate must be created for the Palette VerteX system console's IP address. You can also specify a load balancer's IP address if you are using a load balancer to access Palette VerteX.
Enablement
You can update your Palette system address and SSL certificates by using the following steps.
-
Log in to the Palette VerteX system console.
-
Navigate to the left Main Menu and select Administration.
-
Select the System Address tab.
-
Update your Palette domain in the System Address (UI and API) field.
-
Convert the certificate, private key, and Certificate Authority (CA) chain to base64-encoded strings. In the following command, an example file, certificate.crt is output and converted to base64-encoded string using the
base64
command.cat certificate.crt | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURwRENDQW95Z0F3SUJBZ0lSQU1VYUZ3cytaUyszYnhzRmREZ0s0aWd3RFFZSktvWklodmNOQVFFTEJRQXcKWXpFTE1Ba0dBMVVFQmhNQ1NVNHhFakFRQmdOVkJBZ1RDVXRoY201aGRHRnJZVEVXTUJRR0ExVUVDaE1OVTNCbApZM1J5YnlCRGJHOTFaREVQTUEwR0ExVUVDeE1HU0hWaVlteGxNUmN3RlFZRFZRUURFdzVEUVNCRFpYSjBhV1pwClkyRjBaVEFlRncweU5ERXdNRGd5TWpBd05EaGFGdzB5TlRFd01EZ3lNakF3TkRoYU1IY3hDekFKQmdOVkJBWVQKQWtsT01SSXdFQVlEVlFRSUV3bExZWEp1WVhSaGEyRXhGakFVQmdOVkJBb1REVk53WldOMGNtOGdRMnh2ZFdReApEekFOQmdOVkJBc1RCa2gxWW1Kc1pURXJNQ2tHQTFVRUF4TWljR0ZzWlhSMFpTNWtiMk56TFhSbGMzUXVjM0JsClkzUnliMk5zYjNWa0xtTnZiVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNZHMKUjk3enFKWjBpc1VYTWpkZVBzY3BRZTM2d0gxOVhKM0QyV2Q4dnk2MVZOcThNbnNGM1FZWmRLT2dpcGZVNnV5WQp3b3NqcnErRzE3Wm5lS2tzMG5iQ3BiU0M0MURyalJxYUp2YnJOMUdDTjJnYTNXaEVURzBEdi9PWjIwYlF0S2ZqCkJXcWNOY0p5Mm90N0hQZXRiVmEvSFNhZnE1OXJKMEQvaXJtVGJJcm1Fb0ZEMmpEWUx2eVpycEt5WVdmY3JWYjIKL09USmJGNXIwQndYVXNRTit4b0FhdnlsNXl2a1B2MWhwUHlxWkRUQmk3c290VEZJZDl3eHczeGdkU3JWZHQwdgpJWnc5WTN4NWxlaGZMQm5CSWo1RlBXdUJGNmxiZDhoazBaLzdtbTVybjRxalArMmphTzBzYlhRUnl4WjlJZys1CmliOHZRVEZUVFVmYmUvQTZ5T1VDQXdFQUFhTS9NRDB3REFZRFZSMFRBUUgvQkFJd0FEQXRCZ05WSFJFRUpqQWsKZ2lKd1lXeGxkSFJsTG1SdlkzTXRkR1Z6ZEM1emNHVmpkSEp2WTJ4dmRXUXVZMjl0TUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQktxbGVuZVB0WjJ1cG9LbCsvRWNNUmF0cjNOTWRlWHFGM0R6bWZLMDJ5VlE4akZremdkdVI2CmJXclBBaXBBejRXSytOTTcwSnZTRzVpaVhtajd1ajU5S2ZPUDA4RWZjYy94Q1ErMGtYdTJXV2J5M0p5c0UxMjQKT2o3OEJlOXFkZ3Q1cXFCcU03OEFMYkVKU21Ha21zak9DcFFzMlV5d3E2L0RmZngxVVk4VS9FS3l1M2JUS1pmQgpMcDBoMzZjeU83MFVKZjJycWxVMVVLUnZsNmh3UkpFRXRjOW5iNzh4TVFic0RQRThaOUZBMXh3QW1qU1lSaGx5CjVUUjFQTnREVTd0MHROVWg1ZzlzSjVVTmhpbDkyZzZNZ3dLYjVRMXVxT0JjbFZMcHdzbVRrdERjTWlZM1dKTksKWTZsYjBBZVE0cVBZNkFiUmQrOXJnc2NvcGRPc2dqUkEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
Repeat this step for the private key and Certificate Authority (CA) file.
-
Copy and paste the base64-encoded certificate string into the Certificate field.
-
Copy and paste the base64-encoded certificate key string into the Key field.
-
Copy and paste the base64-encoded certificate authority chain string into the Certificate Authority field.
-
Click Update to save your changes.
-
If you have any clusters deployed, you may need to reconcile the updated system address for each cluster. Refer to Reconcile System Address on Deployed Clusters for more information.
You will receive an error message if the provided values are not valid. Once the certificate is uploaded successfully, Palette VerteX will refresh its listening ports and start using the newly configured values.
Validate
You can validate that your certificate is uploaded correctly by using the following steps.
-
Log out of the Palette VerteX system console. If you are already logged in, log out and close your browser session. Browsers cache connections and may not use the newly enabled HTTPS connection. Closing your existing browser session avoids issues related to your browser caching an HTTP connection.
-
Log back into the Palette VerteX system console. Ensure the connection is secure by checking the URL. The URL should start with
https://
.
VerteX is now using your uploaded certificate to create a secure HTTPS connection with external clients. Users can now securely access the system console, VerteX dashboard, the gRPC endpoint, and the VerteX API endpoint.
Reconcile System Address on Deployed Clusters
Once you have updated your system address, the clusters that were deployed before the update will not be able to automatically reconnect to Palette if the old system address is no longer available. You will need to manually update the API endpoint on each cluster if this is the case. This enables the Palette agent to reconnect to the API at the newly configured system address.
Prerequisites
-
Palette VerteX access with a configured cloud account.
-
A cluster deployed prior to the system address update. Refer to the Clusters section for further guidance.
-
kubectl
installed. Use the Kubernetes Install Tools page for further guidance.
Enablement
-
Log into Palette VerteX using the configured system address.
-
Navigate to the left Main Menu and select Clusters. Palette displays your deployed clusters. The clusters that have the Unknown status need to be manually updated.
-
Select your cluster from the Clusters list. The cluster Overview tab displays.
-
Download the kubeconfig file. This file allows you to connect to your deployed cluster. Check out the Kubeconfig page to learn more.
-
Open a terminal window and set the environment variable
KUBECONFIG
to point to the file you downloaded.export KUBECONFIG=<path-to-downloaded-kubeconfig-file>
-
Execute the following command in your terminal to view the cluster namespaces. Make a note of the cluster namespace that Palette has created. Its name follows the pattern cluster-id.
kubectl get namespaces
-
Palette uses ConfigMaps to save its configuration and environment variables. Update the
apiEndpoint
value in thehubble-info
ConfigMap to use the newly configured system address.kubectl edit configmap hubble-info --namespace <cluster-id>
-
Save your changes and exit the editor.
Repeat these steps for each cluster that has the Unknown status.
Validate
-
Log into Palette VerteX using the configured system address.
-
Navigate to the left Main Menu and select Clusters.
-
Palette VerteX successfully displays the status of your clusters. None of your clusters has the Unknown status.