Refreshing authentication certificates
You can refresh authentication certificates in your IBM Cloud Private environment.
You can refresh the following certificates:
- etcd
- Kubernetes front proxy
- Helm tiller
- IPsec
- Router
Before you begin:
- Ensure that your IBM Cloud Private cluster is running.
- When you create a new secret, do not change the cluster_CA_domain parameter for your cluster.
Note: When you run the command to replace a certificate, the related management services might be unavailable for a short duration of time. The command has no impact on the applications in your cluster.
Refresh certificates
- Log in to the boot node as a cluster admin.
- Change the location to the cluster/cfc-certs directory.
cd <installation_directory>/cluster/cfc-certs
- Back up the certificate that you want to replace and move it to another location. See the following example:
mv etcd etcd.bak
- Change to the cluster directory.
cd ..
- Run the following command to replace the certificate:
docker run -t --net=host -v $(pwd):/installer/cluster -e LICENSE=accept ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.1.1-ee replace-certificates -v
Replace the existing certificate with your own certificate
- Generate a new router certificate key pair.
Note: You must replace mycluster.icp with your own cluster_CA_domain that you configured in the <installation_directory>/cluster/config.yaml file.
openssl req -newkey rsa:4096 -sha256 -nodes -keyout icp-router.key -x509 -days 36500 -out icp-router.crt -subj "/C=US/ST=California/L=Los Angeles/O=Your Domain Inc/CN=mycluster.icp"
- Log in to the boot node as a cluster admin.
- Change the location to the cluster/cfc-certs directory.
cd <installation_directory>/cluster/cfc-certs
- Back up the router certificate.
cp -r router router.bak
- Replace router/icp-router.key and router/icp-router.crt with your own key pair and certificate that you generated in step 1.
- Change to the cluster directory.
cd ..
- Run the following command to replace the certificate:
docker run -t --net=host -v $(pwd):/installer/cluster -e LICENSE=accept ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.1.1-ee replace-certificates -v
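As an added pre-flight check that is not part of the IBM documentation, the following POSIX shell function validates a replacement router key pair before you run replace-certificates (or before you create the router-certs secret in the later section): it confirms that the certificate CN equals cluster_CA_domain from config.yaml, that the private key belongs to the certificate, and that the certificate is not about to expire. It assumes config.yaml carries a plain top-level cluster_CA_domain: line and that openssl is on the boot node; the function name and the 7-day expiry window are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-flight validation of a replacement router key pair.
# Assumes: config.yaml contains a top-level "cluster_CA_domain: <name>" line,
# and openssl is available on the boot node. The 7-day expiry window is an
# arbitrary choice for this example.

# Usage: check_router_cert <config.yaml> <icp-router.key> <icp-router.crt>
# Returns 0 when every check passes, 1 otherwise (reasons go to stderr).
check_router_cert() {
    config="$1"; key="$2"; crt="$3"
    rc=0

    # 1. The certificate CN must equal cluster_CA_domain from config.yaml;
    #    a certificate issued for another name is rejected by the cluster.
    domain=$(sed -n 's/^cluster_CA_domain:[[:space:]]*//p' "$config" | tr -d '"' | head -n 1)
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -z "$domain" ] || [ "$cn" != "$domain" ]; then
        echo "FAIL: certificate CN '$cn' does not match cluster_CA_domain '$domain'" >&2
        rc=1
    fi

    # 2. The private key must belong to the certificate: the public key
    #    embedded in the certificate must equal the one derived from the key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2
        rc=1
    fi

    # 3. Refuse a certificate that is expired or expires within 7 days.
    if ! openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "FAIL: certificate is expired or expires within 7 days" >&2
        rc=1
    fi
    return "$rc"
}
```

Note that openssl x509 -req issues a certificate valid for only 30 days when no -days value is given, so tune the expiry window to your rotation schedule.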
Restore old certificate
- Log in to the boot node as a cluster admin.
- Change the location to the cluster/cfc-certs directory.
cd <installation_directory>/cluster/cfc-certs
- Remove the existing certificate directory. See the following example:
rm -r router
- Restore the backup under the original name.
cp -r router.bak router
- Run the following command to replace the certificate:
docker run -t --net=host -v $(pwd):/installer/cluster -e LICENSE=accept ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.1.1-ee replace-certificates -v
Create a new certificate authority (CA)
- Create the certificate. The certificate key is exported in PEM (OpenSSL) format. For example, to create a certificate for the domain name mycluster.icp that is signed by the cluster CA in /etc/cfc/conf, run the following commands:
openssl genrsa -out icp-router.key 4096
openssl req -new -key icp-router.key -out icp-router.csr -subj "/CN=mycluster.icp"
openssl x509 -req -CA /etc/cfc/conf/ca.crt -CAkey /etc/cfc/conf/ca.key -CAcreateserial -in icp-router.csr -out icp-router.crt
These commands create two files in your current working directory: icp-router.key (the private key) and icp-router.crt (the certificate).
Update secret router-certs
- Delete the old secret router-certs.
kubectl delete secret router-certs -n kube-system
The output resembles the following code:
secret "router-certs" deleted
- Create the new secret router-certs.
kubectl create secret tls router-certs --cert=icp-router.crt --key=icp-router.key -n kube-system
The output resembles the following code:
secret "router-certs" created
Replace the authentication certificate for the IBM Cloud Private management console
- Restart the management-ingress pod. First, find the pod name:
kubectl get pods -n kube-system | grep icp-management-ingress
The output resembles the following code:
icp-management-ingress-8zfps 1/1 Running 0 30m
Then delete the icp-management-ingress pod:
kubectl delete pods -n kube-system icp-management-ingress-8zfps
The output resembles the following code:
pod "icp-management-ingress-8zfps" deleted
- When the icp-management-ingress pod is back in a running state, log in to the IBM Cloud Private management console.
Replacing the authentication certificate for the image manager
- Update the image registry cacert file. On all master nodes, copy icp-router.crt as ca.crt to the directory that stores the image registry certificates. In this example, that directory is /etc/docker/certs.d/mycluster.icp:8500.
cp icp-router.crt /etc/docker/certs.d/mycluster.icp\:8500/ca.crt
- Restart the image-manager pod. First, find the pod name:
kubectl get pods -n kube-system | grep image-manager
The output resembles the following code:
image-manager-0 2/2 Running 0 11h
Then delete the image-manager pod:
kubectl delete pods -n kube-system image-manager-0
The output resembles the following code:
pod "image-manager-0" deleted
- When the image-manager pod is back in a running state, log in to the image registry.
docker login mycluster.icp:8500
The output resembles the following code:
Username (admin): admin
Password:
Login Succeeded