Automatically Apply license and SSL certificates for App Manager + Embedded Cluster (KOTS)

Another great question

When using the Native Scheduler, we had a way to spin up a fully installed instance with an SSL cert applied, a license uploaded, and the app installed and running. Is there a similar way to do this for KOTS?

License and App Config

For embedded installations, you can make use of the kubectl kots CLI that comes pre-baked on embedded installations. There’s an example in the automating existing cluster install documentation. For an embedded cluster, you can use the same command after the curl | sudo bash has completed. For embedded clusters, the namespace should always be default instead of app-name as in the example.

kubectl kots install $APP_NAME \
  --namespace default \
  --shared-password password \
  --license-file ./license.yaml \
  --config-values ./configvalues.yaml \

SSL Certificate

The SSL certificate can be pre-loaded after the kURL install completes by patching the secret generated. Based on this handy thread, the easiest way to do this if you have the cert files tls.crt and tls.key handy is:

kubectl create secret generic kotsadm-tls \
--save-config \
--dry-run=client \
--from-file=./tls.key --from-file=./tls.crt \
-o yaml | \
kubectl apply -f -

Although there are a few alternatives listed there as well if you, for example, have the cert and key available as base64 encoded environment variables instead of files.

Some other related documentation on this can be found in Uploading new TLS certs.

This would be great for us! We instruct our customers to install with the Kubernetes Installer, curl -sSL | sudo bash. This is how we’re automating spinning up instances in house as well.

I tested using the kots commands (following docs and what you describe above) to automate applying a license, but that installs another admin console/app as I expected… How can I apply the license when we install our app with the “kubernetes installer” method?

Are you using the correct APP_SLUG and license? The app_slug will only be relevant to show the initial ico. The license will be defining the actual application that gets installed.