(Legacy) Renew certificates for a runtime
This documentation is for the legacy Konnect environment at
konnect.konghq.com. For the
cloud.konghq.com environment, see the
current Konnect documentation.
Runtime certificates generated by Konnect Cloud expire every six (6)
months.
Renew your certificates to prevent any interruption in communication between
Konnect Cloud and any configured runtimes (data planes). If a
certificate expires and is not replaced:
- The runtime stops receiving configuration updates from
the control plane.
- The runtime stops sending Vitals and usage data to the
control plane.
- Each disconnected runtime uses cached configuration to continue proxying
and routing traffic.
Depending on your setup, renewing certificates might mean bringing up a new data
plane, or generating new certificates and updating data planes with the new
files.
Quick setup
If you originally created your data plane container using the
quick setup Docker script,
we recommend running the script again to create a new data plane with renewed
certificates.
- Stop the data plane container.
- Open Runtime Manager and click Configure New Runtime.
- Run the script again to
create a new data plane with
updated certificates.
- Remove the old data plane container.
Advanced setup
If your data planes are running on Linux or Kubernetes, or if you have a Docker
data plane container that was not created using the quick setup script,
generate new certificates and replace them on the existing nodes.
Generate new certificates
- Open Runtime Manager and
click Configure New Runtime.
-
Open the tab that suits your environment: Linux or Kubernetes.
If you’re running a Docker container, you can use either of these tabs to
complete the following steps.
- Click Generate Certificate.
-
Save the new certificates and key into separate files:
- Certificate:
tls.crt
- Private key:
tls.key
- Root CA Certificate:
ca.crt
- Store the files on your runtime’s local filesystem.
Update data plane
Open your instance’s kong.conf file. Replace existing certificates with
the new files:
cluster_cert = /{PATH_TO_FILE}
/tls.crt
cluster_cert_key = /{PATH_TO_FILE}
/tls.key
lua_ssl_trusted_certificate = system,/{PATH_TO_FILE}
/ca.crt
Restart Kong Gateway for the settings to take effect:
Clean up by deleting any old certificate and key files on your filesystem.
Create new secrets for the certificates and key, making sure to name them
something different from your current secret names.
-
Create a tls secret using the tls.cert and tls.key files
you saved earlier:
kubectl create secret tls kong-cluster-cert2 -n kong \
--cert=/{PATH_TO_FILE}
/tls.crt \
--key=/{PATH_TO_FILE}
/tls.key
-
Create a generic secret for the ca.crt file:
kubectl create secret generic kong-cluster-ca2 -n kong \
--from-file=ca.crt=/{PATH_TO_FILE}
/ca.crt
-
Open the values.yaml file for your data plane and update it to point to the
new secrets.
Update the secretVolumes section:
secretVolumes:
- kong-cluster-cert2
- kong-cluster-ca2
Update the cert values in the env section:
env:
cluster_ca_cert: /etc/secrets/kong-cluster-ca2/ca.crt
cluster_cert: /etc/secrets/kong-cluster-cert2/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert2/tls.key
lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-ca2/ca.crt
-
Save the file. Reapply the configuration by running the Helm upgrade
command:
helm upgrade my-kong kong/kong -n kong \
--values ./values.yaml
-
Delete the old secrets.
The kong-cluster-cert secret:
kubectl delete secret kong-cluster-cert
And the kong-cluster-ca secret:
kubectl delete secret kong-cluster-ca
In your Docker container, replace existing certificates on your data planes
with the new files and restart the Gateway:
echo "KONG_CLUSTER_CERT=/{PATH_TO_FILE}
/tls.crt \
KONG_CLUSTER_CERT_KEY=/{PATH_TO_FILE}
/tls.key \
KONG_LUA_SSL_TRUSTED_CERTIFICATE=/{PATH_TO_FILE}
/ca.crt \
kong reload exit" | docker exec -i {KONG_CONTAINER_ID}
/bin/sh
Clean up by deleting any old certificate and key files on your filesystem.
