Update Domain Name (DNS) of Platform¶
This guide covers the procedure for changing the domain name (DNS) of your Traceable Platform.
Overview¶
You may need to update the platform DNS when:
- Migrating to a new domain
- Changing from temporary to production domain
- Organizational domain changes
Important: This is a multi-step process that affects multiple components. Follow all steps carefully.
Prerequisites¶
- Access to the Traceable Operator (TI) UI
- Access to Keycloak admin console
- New TLS certificates for the new domain (or ability to generate self-signed)
- DNS records configured for the new domain
Step 1: Update DNS in TI¶
- Login to the Traceable Operator
- Navigate to Global Variables
- Update the DNS field with the new domain name
- Save the changes
Step 2: Update Certificate¶
Choose one of the following options:
Option 1: Generate Self-Signed Certificate¶
- Navigate to Tasks → GenerateTlsCerts → generate_self_signed_certs
- Run the task to generate new self-signed certificates for the new DNS
Option 2: Upload CA-Signed Certificate¶
- Navigate to Tasks → GenerateTlsCerts → upload_install_tls_certs
- Upload your CA-signed certificate files:
- Private key
- Server certificate (with intermediate and root certs)
- Root CA certificate
Reference: See Update Certificates for detailed certificate requirements.
Step 3: Update Keycloak¶
Update Frontend URL¶
- Login to Keycloak:
https://<new-dns>/auth- Username:
keycloak - Password: (from TI Global Variables)
- Username:
- Select Traceable realm
- Go to Realm Settings
- Update the Frontend URL to the new DNS
- Click Save
Update Client Redirect URIs¶
- In Keycloak, go to Clients
- Select iam-client
- Update the DNS in Valid Redirect URIs
- Click Save
Step 4: Update TI (Upgrade Operator)¶
- Navigate to Installer → Upgrade → Upgrade Operator
- Set the version to your current installer version (e.g.,
0.1.164) - Add Additional Args:
Note: --set ingress.altDns[0]=<old-dns> is optional but recommended for transition period.
- Execute the upgrade
Handling 405 Error¶
If you see the following error after the upgrade:
<html> <head><title>405 Not Allowed</title></head> <body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.26.0</center> </body> </html>
Solution: Open a new browser tab and login to the TI using the new DNS.
Step 5: Trigger Reinstall Workflow¶
- Navigate to Installer → Install Workflow
- Review the Install/Skip status of items
- Click Next → Next → Start Installer
- Wait for the workflow to complete
Post-Installation Tasks¶
Clean Old Secrets¶
- Navigate to Installer → Namespaces → Traceable → Browser → All Namespaces → Secrets
- Delete secrets that contain the old DNS name
Validate Ingress Configuration¶
- Navigate to Installer → Namespaces → Traceable → Browser → All Namespaces → Ingress
- Verify all ingresses are updated with the correct DNS
If you added altDns: Remove the additional ingress entry for traceable-installer ingress.
Regenerate Agent Token¶
- Login to the Platform UI using the new DNS
- Navigate to Settings → Access Tokens
- Generate a new Agent Token
- Update TPA configuration with:
- New Agent Token
- New DNS endpoint
Update Platform Agent Certificate¶
If using self-signed or private CA certificates, update the TPA to trust the new certificate chain.
Update SSO Integration¶
If using SAML or other SSO:
- Update the redirect URIs in your Identity Provider
- Update any SAML metadata with the new DNS
Update External Integrations¶
Update the DNS and tokens in any external integrations:
- Webhooks
- API integrations
- Monitoring systems
- CI/CD pipelines
Verification¶
After completing all steps:
- Access Platform:
- Verify TI Access:
-
Test Login: Verify authentication works correctly
-
Check TPA Connection: Verify agents can connect with new DNS
-
Test API Calls: Verify API tokens work with new endpoint
Troubleshooting¶
Cannot Access Platform After DNS Change¶
Symptoms: Connection refused or timeout on new DNS.
Solutions:
- Verify DNS records are properly configured
- Check ingress status:
- Verify TLS certificates are valid for new DNS
- Check firewall rules allow traffic to new DNS
Keycloak Redirect Issues¶
Symptoms: Login redirects to old DNS or fails.
Solutions:
- Verify Frontend URL is updated in Keycloak
- Verify Valid Redirect URIs include new DNS
- Clear browser cache and cookies
- Check Keycloak logs for errors
TPA Cannot Connect¶
Symptoms: Agents show disconnected after DNS change.
Solutions:
- Regenerate Agent Token from new DNS
- Update TPA configuration with new DNS and token
- If using self-signed certs, update TRACEABLE_ROOT_CA_FILE
- Restart TPA service
SSO Login Fails¶
Symptoms: SAML authentication fails after DNS change.
Solutions:
- Update redirect URIs in Identity Provider
- Update SAML metadata if required
- Verify Keycloak SAML configuration
- Check IAM logs for errors
Rollback Procedure¶
If you need to rollback to the old DNS:
- Revert DNS in TI Global Variables
- Restore old certificates (if changed)
- Revert Keycloak Frontend URL and Redirect URIs
- Run Upgrade Operator with old DNS:
- Trigger reinstall workflow
- Regenerate tokens and update agents
Related Documentation¶
Support¶
For DNS update assistance, contact: support@harness.io
Provide the following information:
- Old and new DNS names
- Error messages encountered
- Ingress configuration
- Keycloak configuration screenshots