Renewing the management-ca with the ManagementSecretRotation CR

Use the ManagementSecretRotation CR to renew the management-ca certificate and all end-entity certificates that management-ca signs.

About this task

Applying the ManagementSecretRotation CR (Custom Resource) is the recommended method for renewing the management-ca and all its end-entity certificates. The alternative method is to manually renew the management-ca certificate and then each of its end-entity certificates, which you can identify from the Management certificates table.

Restriction: The ManagementSecretRotation CR is for use with a single data center deployment. Do not attempt to use it with a two data center disaster recovery deployment. See Renewing certificates in a two data center deployment on Kubernetes and OpenShift.

Procedure

  1. Create a file called management_cert_rotate.yaml and paste in the following contents:
    apiVersion: management.apiconnect.ibm.com/v1beta1
    kind: ManagementSecretRotation
    metadata:
      name: mgmt-rotate-issuer
    spec:
      managementCluster: <management CR name>
      rotateCertificates:
        certificates:
        - <management CR name>-ca
    where <management CR name> is the name of your ManagementCluster CR. You can identify this name with:
    kubectl get ManagementCluster -n <management namespace>
  2. Apply the CR by running the following command:
    kubectl create -f management_cert_rotate.yaml -n <management namespace>

    Applying the CR updates the management-ca and all end-entity certificates that management-ca signs. To view a list of the renewed certificates, run the following command:

    kubectl describe ManagementSecretRotation mgmt-rotate-issuer -n <management namespace>
    The status block in the command output shows the renewed certificates:
    Status:
    ...
      Phase:                   Completed
      Rotated Certs:
        def-management-ca
        def-management-client
        def-management-db-client-postgres
        def-management-natscluster-mgmt
        def-management-site1-postgres
        def-management-db-client-apicuser
        def-management-server
      State:  1/1
    ...
  3. When certificate rotation is successfully completed, delete the ManagementSecretRotation CR.
    Confirm that certificate rotation is finished with the command:
    kubectl get ManagementSecretRotation mgmt-rotate-issuer -n <management namespace>
    The output should show Completed:
    NAME                 READY   STATUS      AGE
    mgmt-rotate-issuer   1/1     Completed   6m52s
    Then delete the CR:
    kubectl delete ManagementSecretRotation mgmt-rotate-issuer -n <management namespace>
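    The three steps above as one script, added here as an example and not part of the product documentation. It assumes kubectl is already configured for the management cluster, takes the ManagementCluster CR name and namespace as arguments, and assumes the status fields are named phase and rotatedCerts under .status (inferred from the Phase: and Rotated Certs: lines of the describe output above).

```shell
#!/bin/sh
# Added example (not IBM's code): create the ManagementSecretRotation CR, wait for
# phase Completed, list the rotated certificates, then delete the CR (step 3).
# Assumes kubectl is configured. Field names .status.phase and .status.rotatedCerts
# are inferred from the "Phase:" / "Rotated Certs:" lines of the describe output.

# Render the CR from the procedure for the given ManagementCluster CR name.
render_rotation_cr() {
  cat <<EOF
apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementSecretRotation
metadata:
  name: mgmt-rotate-issuer
spec:
  managementCluster: $1
  rotateCertificates:
    certificates:
    - $1-ca
EOF
}

# Print the current phase of the rotation CR (empty until the status block exists).
rotation_phase() {
  kubectl get ManagementSecretRotation mgmt-rotate-issuer -n "$1" \
    -o jsonpath='{.status.phase}' 2>/dev/null
}

# Usage: rotate_management_ca <management CR name> <management namespace> [timeout seconds]
rotate_management_ca() {
  mgmt_cr="$1"; ns="$2"; max_wait="${3:-600}"
  cr_file="$(mktemp)"
  render_rotation_cr "$mgmt_cr" > "$cr_file"
  kubectl create -f "$cr_file" -n "$ns" || { rm -f "$cr_file"; return 1; }
  rm -f "$cr_file"
  waited=0
  while [ "$(rotation_phase "$ns")" != "Completed" ]; do
    if [ "$waited" -ge "$max_wait" ]; then
      # Leave the CR in place so its status can still be inspected with kubectl describe.
      echo "rotation not Completed after ${max_wait}s; CR left in place" >&2
      return 1
    fi
    sleep 10; waited=$((waited + 10))
  done
  # Show which certificates were renewed before removing the CR.
  kubectl get ManagementSecretRotation mgmt-rotate-issuer -n "$ns" \
    -o jsonpath='{.status.rotatedCerts}'; echo
  kubectl delete ManagementSecretRotation mgmt-rotate-issuer -n "$ns"
}
```

    The script only deletes the CR once the phase is Completed; on timeout it returns non-zero and leaves the CR so the status block can be examined.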