TLS and Ingress: Accessing NetBox Enterprise
NetBox Enterprise Installs
Ingress
The NetBox Enterprise installation provides its own ingress controller. No additional configuration is required to reach NetBox on HTTP and HTTPS.
TLS
Configuration
When you first install NetBox Enterprise and log into the Admin Console, it asks you to configure the TLS certificate. By default, it will generate a self-signed certificate, but you can instead upload your own private key and certificate chain files.
This key and certificate chain are used for any TLS connections to the cluster, whether it's the Admin Console (on port 30000) or the main NetBox interface (on port 443).
Key Replacement/Rotation
If you configured your Admin Console to use a self-signed certificate on install and wish to replace it with your own key, or if you have an existing custom key that needs rotation, you can follow these steps to do so.
Note
Ensure you have your private key and a full certificate chain in PEM format.
If you're using Let's Encrypt, this will be the privkeyXX.pem and fullchainXX.pem files.
For other certificate providers, consult their documentation.
First, access the NetBox Enterprise shell:
/var/lib/embedded-cluster/bin/netbox-enterprise shell
Then, delete the old secret and create the new one, providing the path to your chain and key files:
kubectl -n kotsadm delete secret kotsadm-tls && \
kubectl -n kotsadm create secret tls kotsadm-tls --cert=/path/to/cert.pem --key=/path/to/key.pem
Finally, delete the proxy and ingress pods, so they relaunch with the new configuration:
NGINX_POD="$(kubectl -n ingress-nginx get pods --selector='app.kubernetes.io/name=ingress-nginx' -o name)"
PROXY_POD="$(kubectl -n kotsadm get pods --selector='app==kurl-proxy-kotsadm' -o name)"
kubectl -n ingress-nginx delete "${NGINX_POD}" && \
kubectl -n kotsadm delete "${PROXY_POD}"
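Because the commands above delete kotsadm-tls before creating its replacement, a failed create leaves the namespace without the secret. The following preflight check is an added example, not part of the NetBox Enterprise tooling: it confirms that the key matches the leaf certificate and that the leaf has not expired. It assumes openssl is available where you run it; the function names and the throwaway test pair are hypothetical.

```shell
#!/bin/sh
# Added example: preflight checks for a PEM certificate chain and private key
# before replacing the kotsadm-tls secret. Assumes the openssl CLI is installed.

# check_tls_pair CERT KEY
# Returns: 0 usable, 1 unreadable or unparseable, 2 key does not match the
# leaf certificate, 3 leaf certificate has expired.
check_tls_pair() {
    ctp_cert=$1
    ctp_key=$2
    [ -r "$ctp_cert" ] && [ -r "$ctp_key" ] || return 1

    # openssl x509 reads only the first certificate in the file, which in a
    # full-chain PEM is the leaf.
    ctp_cert_pub=$(openssl x509 -in "$ctp_cert" -noout -pubkey 2>/dev/null) || return 1

    # An empty passphrase keeps openssl from prompting; an encrypted key
    # fails here and is reported as unparseable.
    ctp_key_pub=$(openssl pkey -in "$ctp_key" -passin pass: -pubout 2>/dev/null) || return 1

    [ -n "$ctp_cert_pub" ] || return 1
    # Both commands emit the public key as a SubjectPublicKeyInfo PEM block,
    # so a matching pair yields identical text.
    [ "$ctp_cert_pub" = "$ctp_key_pub" ] || return 2

    # -checkend 0 exits non-zero if the certificate is already expired.
    openssl x509 -in "$ctp_cert" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# make_demo_pair DIR NAME
# Constructed sample input: writes a throwaway self-signed pair
# DIR/NAME.crt and DIR/NAME.key so the check can be tried offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=netbox.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
```

Run `check_tls_pair /path/to/cert.pem /path/to/key.pem` and continue with the delete step only when it returns 0.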