api.croplands.org (and its server.croplands.org alias) runs on the dk8s cluster in the croplands namespace.
The Kubernetes configuration contained in k8s does not include three secrets: server-croplands-tls and api-croplands-org-tls, which hold the TLS certificate/key pair for the respective hostname, and croplands-api, which contains the following environment variables:
GOOGLE_SERVICE_ACCOUNT_ENC
SQLALCHEMY_DATABASE_URI
REDIS_URL
POSTMARK_API_KEY
SECRET
SERVER_ADDRESS
DG_EV_CONNECT_ID
DG_EV_USERNAME
DG_EV_PASSWORD
GS_ACCESS_KEY
GS_SECRET
SSL_CERT_FILE
REQUESTS_CA_BUNDLE
To update the TLS secret (DO FOR api.croplands.org AND server.croplands.org; the commands below use the api-croplands-org-tls secret, substitute server-croplands-tls for the other host):
- Obtain updated cert from digicert (api.croplands.org.crt here)
- Grab the private key from the existing secret:
$ kubectl get secret api-croplands-org-tls -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key
- Careful: double-check that the previous command succeeded and that tls.key is non-empty and starts with a PEM `-----BEGIN ... PRIVATE KEY-----` header, since the next step removes the only copy on the cluster. Then delete the existing secret:
$ kubectl delete secret api-croplands-org-tls
- Re-create the secret with the updated cert, using the same secret name that was just deleted
$ kubectl create secret tls api-croplands-org-tls --key=tls.key --cert=api.croplands.org.crt
- Restart the service
$ kubectl delete po -l app=croplands-api
To update the config:
- Grab the existing config from the cluster
$ kubectl get secret croplands-api -o yaml > secret.yml
- Base64-encode the new value with printf (not echo, which would append a newline to the value being encoded). For example, changing REDIS_URL:
$ printf 'redis://redis.my.domain:6379' | base64
cmVkaXM6Ly9yZWRpcy5teS5kb21haW46NjM3OQ==
- Take the output from the previous command and update the value in secret.yml
# secret.yml
apiVersion: v1
data:
  ...
  REDIS_URL: cmVkaXM6Ly9yZWRpcy5teS5kb21haW46NjM3OQ==
  ...
kind: Secret
metadata:
  creationTimestamp: "2020-04-20T16:32:31Z"
  name: croplands-api
  namespace: croplands
  resourceVersion: "22676294"
  selfLink: /api/v1/namespaces/croplands/secrets/croplands-api
  uid: a1ebedcc-9ca1-4dc9-8c40-2c27d798c58d
type: Opaque
- Update the secret on the cluster (if kubectl reports that the object has been modified, remove the resourceVersion line from secret.yml and re-run)
$ kubectl apply -f secret.yml
- Restart the service
$ kubectl delete po -l app=croplands-api
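The two procedures above (TLS secret replacement and croplands-api config update) can both be driven from a small script that builds the Secret manifest for `kubectl apply -f -` instead of delete + create, so the secret never disappears from the cluster in between. The example below is added here and is not the project's own tooling; the helper names, the sample key/certificate bytes and the stand-in for secret.yml are all constructed for illustration. It encodes values the way `printf | base64` does (no trailing newline), strips the server-populated metadata that `kubectl get -o yaml` returns, and checks that the files handed to the TLS secret are PEM before anything is written.

```python
"""Build Kubernetes Secret manifests for the croplands-api rotation steps.

Added example, not the project's own code. Output is JSON, which
`kubectl apply -f -` accepts just like YAML.
"""
import base64
import json

# Fields that `kubectl get -o yaml` fills in and that must not be sent back
# with `kubectl apply` (a stale resourceVersion is rejected as a conflict).
SERVER_MANAGED_FIELDS = (
    "creationTimestamp", "resourceVersion", "selfLink", "uid", "managedFields",
)


def encode_value(value: str) -> str:
    """Base64-encode a value exactly as `printf '%s' VALUE | base64` does.

    Unlike `echo VALUE | base64`, no trailing newline is included, so the
    application sees the URL and not the URL plus "\\n".
    """
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def strip_server_fields(secret: dict) -> dict:
    """Return a deep copy of a Secret with server-managed metadata removed."""
    cleaned = json.loads(json.dumps(secret))
    meta = cleaned.setdefault("metadata", {})
    for field in SERVER_MANAGED_FIELDS:
        meta.pop(field, None)
    return cleaned


def update_opaque_secret(secret: dict, key: str, new_value: str) -> dict:
    """Set data[key] on an Opaque Secret fetched with `kubectl get -o yaml`."""
    cleaned = strip_server_fields(secret)
    cleaned.setdefault("data", {})[key] = encode_value(new_value)
    return cleaned


def tls_secret_manifest(name: str, namespace: str,
                        cert_pem: bytes, key_pem: bytes) -> dict:
    """Equivalent of `kubectl create secret tls NAME --cert=... --key=...`.

    A kubernetes.io/tls Secret must carry exactly the keys tls.crt and tls.key.
    The PEM header checks catch an empty or mis-named file before the old
    secret is overwritten.
    """
    if not cert_pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("cert file is not a PEM certificate")
    if not (key_pem.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in key_pem):
        raise ValueError("key file is not a PEM private key")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {
            "tls.crt": base64.b64encode(cert_pem).decode("ascii"),
            "tls.key": base64.b64encode(key_pem).decode("ascii"),
        },
    }


# Constructed stand-in for secret.yml, in the same shape as the one above.
EXISTING_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {
        "name": "croplands-api",
        "namespace": "croplands",
        "creationTimestamp": "2020-04-20T16:32:31Z",
        "resourceVersion": "22676294",
        "selfLink": "/api/v1/namespaces/croplands/secrets/croplands-api",
        "uid": "a1ebedcc-9ca1-4dc9-8c40-2c27d798c58d",
    },
    "data": {"REDIS_URL": encode_value("redis://old-redis:6379")},
}

if __name__ == "__main__":
    updated = update_opaque_secret(
        EXISTING_SECRET, "REDIS_URL", "redis://redis.my.domain:6379")
    # Pipe this into `kubectl apply -f -` to update the secret in place.
    print(json.dumps(updated, indent=2))
```

Run it with `python3 update_secret.py | kubectl apply -f -` (file name is illustrative), then restart the pods as in the last step. Using apply against the cleaned manifest replaces the secret atomically, whereas delete followed by create leaves a short window in which a restarting pod would fail to mount it.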