Automatically Apply license and SSL certificates for App Manager + Embedded Cluster (KOTS)

Another great question

When using the Native Scheduler, we had a way to spin up a fully installed instance with an SSL cert applied, a license uploaded, and the app installed and running. Is there a similar way to do this for KOTS?

License and App Config

For embedded installations, you can use the kubectl kots CLI that comes pre-baked on embedded installations. There's an example in the automating existing cluster install documentation. For an embedded cluster, you can run the same command once curl https://k8s.kurl.sh/... | sudo bash has completed. For embedded clusters, the namespace should always be default rather than app-name as in that example.

kubectl kots install $APP_NAME \
  --namespace default \
  --shared-password password \
  --license-file ./license.yaml \
  --config-values ./configvalues.yaml \
  --no-port-forward

SSL Certificate

The SSL certificate can be pre-loaded after the kURL install completes by patching the secret that the install generates. Based on this handy thread, the easiest way to do this, if you have the cert files tls.crt and tls.key available, is:

kubectl create secret generic kotsadm-tls \
--save-config \
--dry-run=client \
--from-file=./tls.key --from-file=./tls.crt \
-o yaml | \
kubectl apply -f -

There are a few alternatives listed there as well if, for example, you have the cert and key available as base64-encoded environment variables instead of files.

Some other related documentation on this can be found in Uploading new TLS certs.
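A pre-flight check worth running before the kotsadm-tls secret is replaced in an unattended install, as an added example that is not part of the original post: it confirms that tls.crt and tls.key belong together and that the certificate is not about to expire, then runs the same kubectl commands shown above. The function names, the --apply switch and the 7-day threshold are assumptions, and openssl must be on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks for the
# tls.crt / tls.key pair before it is loaded into the kotsadm-tls secret.
# Function names and the 7-day default are hypothetical choices.

# Succeeds only if the certificate's public key equals the public key
# derived from the private key, i.e. the two files are a real pair.
tls_pair_matches() {
  local crt="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 seconds from now.
tls_cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Returns 0 when both checks pass, 1 on a mismatched pair, 2 when the
# certificate expires within the window (default 604800 s = 7 days).
preflight_kotsadm_tls() {
  local crt="$1" key="$2" min_seconds="${3:-604800}"
  tls_pair_matches "$crt" "$key" || {
    echo "preflight: $crt and $key are not a matching pair" >&2
    return 1
  }
  tls_cert_valid_for "$crt" "$min_seconds" || {
    echo "preflight: $crt expires within ${min_seconds}s" >&2
    return 2
  }
}

# The cluster is only touched when the script is called with --apply,
# and only if the pre-flight passes. The kubectl pipeline is the one
# from the post, unchanged.
if [ "${1:-}" = "--apply" ]; then
  preflight_kotsadm_tls ./tls.crt ./tls.key &&
    kubectl create secret generic kotsadm-tls \
      --save-config \
      --dry-run=client \
      --from-file=./tls.key --from-file=./tls.crt \
      -o yaml |
    kubectl apply -f -
fi
```

Run without arguments, the script only defines the functions, so it can be sourced from a larger provisioning script that calls preflight_kotsadm_tls itself.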