K8s install how to automate certificate renewal

I have the mender server installed in AWS in a kubernetes cluster which is working well. The challenge I have is when the cert-manager renews the tls certificate I have to manually update the certificate for the api-gateway. I see there is an option (api_gateway.certs.existingSecret) for the helm chart to use an existing secret but the expected keys (cert.crt and private.key) are different from the cert-manager generated secret (tls.crt and tls.key). Is it possible to modify the expected keys so that they match the cert-manager secret? That would remove the manual step to update the api-gateway cert as it could reference the cert-manager secret. If not, do you have any recommendations on how to automate the api-gateway cert renewal?
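One way to bridge the key mismatch described in the question above, as an added example that is not part of the original thread or of the Mender project's code: it re-keys a cert-manager secret (`tls.crt`, `tls.key`) into a secret with the keys the chart option expects (`cert.crt`, `private.key`). The secret names, the `mender` namespace and the script name `rekey.py` are assumptions for illustration.

```python
import base64
import json
import sys

# Key names from the question: cert-manager's output -> keys the chart option expects.
KEY_MAP = {"tls.crt": "cert.crt", "tls.key": "private.key"}


def rekey_tls_secret(source: dict, target_name: str) -> dict:
    """Return an Opaque Secret manifest carrying the source secret's
    certificate and key under the renamed keys."""
    data = source.get("data") or {}
    missing = [k for k in KEY_MAP if not data.get(k)]
    if missing:
        raise ValueError(f"source secret lacks keys: {missing}")
    renamed = {}
    for src_key, dst_key in KEY_MAP.items():
        # Refuse to publish anything that is not base64-wrapped PEM.
        pem = base64.b64decode(data[src_key], validate=True)
        if not pem.lstrip().startswith(b"-----BEGIN "):
            raise ValueError(f"{src_key} does not hold PEM data")
        renamed[dst_key] = data[src_key]  # value copied unchanged
    # Fresh metadata: uid, resourceVersion and ownerReferences of the
    # cert-manager secret must not leak into the copy.
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": target_name,
                     "namespace": source["metadata"]["namespace"]},
        "data": renamed,
    }


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample input (placeholder PEM bodies, not real key material).
SAMPLE = {
    "metadata": {"name": "example-tls", "namespace": "mender", "uid": "constructed"},
    "type": "kubernetes.io/tls",
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"),
    },
}

if __name__ == "__main__":
    # Usage: kubectl get secret <name> -o json | python3 rekey.py <target> | kubectl apply -f -
    json.dump(rekey_tls_secret(json.load(sys.stdin), sys.argv[1]), sys.stdout)
```

The manifest on stdout contains the private key, so pipe it straight into `kubectl apply -f -` rather than writing it to a file or a job log. If this runs on a schedule, the service account only needs read access to the source secret and write access to the target secret.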

Hi @neileeyo,
luckily a nice contribution is addressing your need: Switch api-gateway tls certificate to k8s tls type by chriswiggins · Pull Request #443 · mendersoftware/mender-helm · GitHub
I’ll get back to you as soon as this is released.

Excellent. That’s exactly what I need. Thank you for the follow up @robgio!

Actually, just wait a bit 😉 it turned out to be a breaking change, so we’re reworking it 🙂

Any possibility that this change (in its non-breaking form) could be cherry-picked onto mender-5.12.0 helm release?

Yes, I think so. The 5.x branch is the default for the still supported Mender Server v3.7.

Hi @neileeyo, you can try with the new fresh version 5.13.0.

@robgio that’s great! Thank you for following up. I’ll be testing that today.