Revert SSL from ELB to KOTS Admin


Author: Jason De Paola

Date: June 13, 2024

Audience: Everyone

Environment: Self-hosted Administration on the KOTS channel

Issue

SSL was set up using an external load balancer. These steps outline the process for switching back to KOTS admin without SSL.

Solution

Back up the working proxy of the application server:

kubectl get proxy nginx -o yaml > oldProxy.yaml

Run:

kubectl delete proxy nginx

Create a file, e.g., newProxy.yaml, with the contents below, replacing the value of the "fqdn" entry on the last line with your own FQDN.

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  annotations:
    kots.io/app-slug: jama-k8s
    meta.helm.sh/release-name: application
    meta.helm.sh/release-namespace: default  
  labels:
    app.kubernetes.io/instance: application
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: nginx
    app.kubernetes.io/version: 8.25.3
    helm.sh/chart: nginx-0.0.0
    kots.io/app-slug: jama-k8s
    kots.io/backup: velero
  name: nginx
  namespace: default  
spec:
  ingressClassName: contour
  routes:
  - conditions:
    - prefix: /
    requestHeadersPolicy:
      set:
      - name: X-Real-IP
        value: '%DOWNSTREAM_REMOTE_ADDRESS%'
      - name: X-Jama-Tenant
        value: jama
      - name: x-forwarded-proto
        value: https
    responseHeadersPolicy:
      set:
      - name: Strict-Transport-Security
        value: max-age=31536000
    services:
    - name: core
      port: 80
    timeoutPolicy:
      idle: infinity
      response: infinity
  - conditions:
    - prefix: /saml/
    requestHeadersPolicy:
      set:
      - name: X-Real-IP
        value: '%DOWNSTREAM_REMOTE_ADDRESS%'
      - name: X-Jama-Tenant
        value: jama
    responseHeadersPolicy:
      set:
      - name: Strict-Transport-Security
        value: max-age=31536000
    services:
    - name: saml
      port: 8888
    timeoutPolicy:
      idle: infinity
      response: infinity
  - conditions:
    - prefix: /saml/login.req
    requestHeadersPolicy:
      set:
      - name: x-forwarded-proto
        value: https
      - name: X-Real-IP
        value: '%DOWNSTREAM_REMOTE_ADDRESS%'
      - name: X-Jama-Tenant
        value: jama
    responseHeadersPolicy:
      set:
      - name: Strict-Transport-Security
        value: max-age=31536000
    services:
    - name: core
      port: 80
    timeoutPolicy:
      idle: infinity
      response: infinity
  - conditions:
    - prefix: /help/
    pathRewritePolicy:
      replacePrefix:
      - replacement: /help-onpremises/
    requestHeadersPolicy:
      set:
      - name: X-Real-IP
        value: '%DOWNSTREAM_REMOTE_ADDRESS%'
      - name: X-Jama-Tenant
        value: jama
    responseHeadersPolicy:
      set:
      - name: Strict-Transport-Security
        value: max-age=31536000
    services:
    - name: core
      port: 80
    timeoutPolicy:
      idle: infinity
      response: infinity
  - conditions:
    - prefix: /services/diff
    requestHeadersPolicy:
      set:
      - name: X-Real-IP
        value: '%DOWNSTREAM_REMOTE_ADDRESS%'
      - name: X-Jama-Tenant
        value: jama
    responseHeadersPolicy:
      set:
      - name: Strict-Transport-Security
        value: max-age=31536000
    services:
    - name: diff
      port: 80
    timeoutPolicy:
      idle: infinity
      response: infinity
  virtualhost:
    fqdn: jama.contoso.com

Run:

kubectl apply -f newProxy.yaml


Check the status of the changes by running:

kubectl get proxy

The prior command should show something like "Valid HTTPProxy".

If, for some reason, access to the application fails after running the previous process, run these:

kubectl delete proxy nginx

kubectl apply -f oldProxy.yaml


Note: If something new is deployed/redeployed using the KOTS admin console, steps 2 and 3 must be executed again.
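
The backup, delete, apply, verify and rollback steps above as one script, added here as an example and not part of the original article or the vendor's tooling. The function names preflight, proxy_is_valid and swap_proxy are hypothetical, and the script assumes Contour reports a "Valid HTTPProxy" as .status.currentStatus = valid.

```shell
#!/bin/sh
# Added example (not from the article): its backup / delete / apply / verify /
# rollback steps as one script. Assumes Contour's HTTPProxy status field
# .status.currentStatus, which reads "valid" for a "Valid HTTPProxy".
SAMPLE_FQDN="jama.contoso.com"   # the article's sample value, must be replaced

# Reject a manifest that is unreadable or still carries the sample fqdn.
preflight() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  if grep -Eq "^[[:space:]]*fqdn:[[:space:]]*${SAMPLE_FQDN}[[:space:]]*\$" "$1"; then
    echo "fqdn is still ${SAMPLE_FQDN}; set your own before applying" >&2
    return 1
  fi
  grep -Eq '^[[:space:]]*fqdn:[[:space:]]*[^[:space:]]+' "$1" ||
    { echo "no virtualhost fqdn found in $1" >&2; return 1; }
  grep -Eq '^[[:space:]]*tls:' "$1" ||
    echo "note: no tls: block, Contour will not terminate TLS for this host" >&2
  return 0
}

# Poll until Contour marks the proxy valid; status is written asynchronously.
proxy_is_valid() {
  pv_tries=${1:-10}
  while [ "$pv_tries" -gt 0 ]; do
    pv_status=$(kubectl get proxy nginx -o jsonpath='{.status.currentStatus}' 2>/dev/null) || pv_status=""
    [ "$pv_status" = "valid" ] && return 0
    pv_tries=$((pv_tries - 1))
    sleep 3
  done
  return 1
}

# swap_proxy NEW [BACKUP]: returns 0 on success, 3 if it had to roll back.
swap_proxy() {
  sp_new=$1
  sp_backup=${2:-oldProxy.yaml}
  preflight "$sp_new" || return 1
  kubectl get proxy nginx -o yaml > "$sp_backup" || return 1
  [ -s "$sp_backup" ] || { echo "backup is empty, aborting" >&2; return 1; }
  kubectl delete proxy nginx || return 1
  if kubectl apply -f "$sp_new" && proxy_is_valid; then
    echo "nginx HTTPProxy is valid"
    return 0
  fi
  echo "new proxy did not become valid, restoring $sp_backup" >&2
  kubectl delete proxy nginx --ignore-not-found
  kubectl apply -f "$sp_backup"
  return 3
}
```

Source the file in a shell that has kubectl access to the cluster, then run swap_proxy newProxy.yaml.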

 

 

 
