If you are using the current version of Cumulus NetQ, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Post Installation Configuration Options

This topic describes how to configure deployment options that you can perform only after you finish installing or upgrading NetQ.

Install a Custom Signed Certificate

The NetQ UI ships with a self-signed certificate that is sufficient for non-production environments or cloud deployments. For on-premises deployments, however, you receive a warning from your browser that this default certificate is not trusted when you first log in to the NetQ UI. You can avoid this by installing your own signed certificate.

You need the following items to perform the certificate installation:

  • A valid X509 certificate.

  • A private key file for the certificate.

  • A DNS record name configured to access the NetQ UI.

    The FQDN should match the common name of the certificate. If you use a wild card in the common name — for example, if the common name of the certificate is *.example.com — then the NetQ telemetry server should reside on a subdomain of that domain, accessible via a URL like netq.example.com.

  • NetQ is running.

    You can verify this by running the netq show opta-health command.

You can install a certificate using the NetQ CLI.

  1. Log in to the NetQ On-premises Appliance or VM via SSH and copy your certificate and key file there.

  2. Generate a Kubernetes secret called netq-gui-ingress-tls.

    cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \
        --namespace default \
        --key <name of your key file>.key \
        --cert <name of your cert file>.crt
  3. Verify that you created the secret successfully.

    cumulus@netq-ts:~$ kubectl get secret
    NAME                               TYPE                                  DATA   AGE
    netq-gui-ingress-tls               kubernetes.io/tls                     2      5s
  4. Update the ingress rule file to install self-signed certificates.

    1. Create a new file called ingress.yaml.

    2. Copy and add this content to the file.

      apiVersion: extensions/v1beta1
      kind: Ingress
          kubernetes.io/ingress.class: "ingress-nginx"
          nginx.ingress.kubernetes.io/ssl-redirect: "true"
          nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
          nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
          nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
          nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
          nginx.ingress.kubernetes.io/proxy-body-size: 10g
          nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
        name: netq-gui-ingress-external
        namespace: default
        - host: <your-hostname>
            - backend:
                serviceName: netq-gui
                servicePort: 80
        - hosts:
          - <your-hostname>
          secretName: netq-gui-ingress-tls
    3. Replace <your-hostname> with the FQDN of the NetQ On-premises Appliance or VM.

  5. Apply the new rule.

    cumulus@netq-ts:~$ kubectl apply -f ingress.yaml
    ingress.extensions/netq-gui-ingress-external configured

    A message like the one here appears if your ingress rule is successfully configured.

Your custom certificate should now be working. Verify this by opening the NetQ UI at https://<your-hostname-or-ipaddr> in your browser.

If you already have a certificate installed and want to change or update it, run the kubectl delete secret netq-gui-ingress-tls [name] --namespace default command.

Update Your Cloud Activation Key

You use the cloud activation key (called the config-key) to access the cloud services, not the authorization keys you use for configuring the CLI. NVIDIA provides the key when you set up your premises.

On occasion, you might want to update your cloud service activation key. For example, if you mistyped the key during installation and now your existing key does not work, or you received a new key for your premises from NVIDIA.

Update the activation key using the NetQ CLI:

Run the following command on your standalone or master NetQ Cloud Appliance or VM replacing text-opta-key with your new key.

cumulus@<hostname>:~$ netq install standalone activate-job config-key <text-opta-key>

Add More Nodes to Your Server Cluster

Add More Nodes Using the CLI

You can add additional nodes to your server cluster on-premise and cloud deployments using the CLI:

Run the following CLI command to add a new worker node for on-premise deployments:

netq install cluster add-worker <text-worker-01>

Run the following CLI command to add a new worker node for cloud deployments:

netq install opta cluster add-worker <text-worker-01>