Use Kubernetes cert-manager to renew the issuers, CA certificates, and derived
certificates that it manages for your API Connect
deployment.
Before you begin
Kubernetes cert-manager can only renew the certificates that it stores and manages. If you
created custom certificates using a different application, you must renew them manually.
If you configured automatic renewal of certificates with cert-manager, you must still restart the
pods affected by the updated certificates. For more information, see Automatic renewal with cert-manager.
For lists of the different certificates used in an API Connect deployment, see
the following topics:
About this task
The following steps explain how to renew certificates using Kubernetes cert-manager. The
instructions also apply to renewing internal certificates on VMware. For information on renewing
other certificates on VMware, see Renewing certificates on VMware.
If you are using a single data center configuration with a stand-alone API Connect deployment,
you can update the CA certificate for the following subsystems using the appropriate secret-rotation CR:
The CA certificate for the Analytics and Gateway subsystems can only be updated using step 2 in
the following procedure.
Beginning with version 10.0.2, the end certificates (issued by the cert-manager), have a default
duration of 2 years, and the CA certificates have a default duration of 10 years.
Procedure
-
VMware only: Connect to the virtual machine as the API Connect administrator by completing the
following steps:
-
Run the following command to connect as the API Connect administrator, replacing
ip_address
with the appropriate IP address:
ssh ip_address -l apicadm
-
When prompted, select Yes to continue connecting.
-
When you are connected, run the following command to receive the necessary permissions for
working directly on the appliance:
-
To renew a CA certificate or an issuer (for example,
ingress-ca
,
management_CR-ca
,
analytics_CR-ca
, or
portal_CR-ca
), complete the following steps:
-
Run the following command to list of all the certificate names, with the status and the date
and time of the last update for each certificate:
kubectl get certificate -o wide
- Add the
duration
and renewBefore
fields if
needed.
If the certificate was generated in a version of API Connect earlier than 10.0.1.2, it might not
include these fields. Before you renew the certificate, add the fields by completing the following
steps:
- Run the following command to open the
ingress-ca
certificate for
editing:kubectl -n <namespace> edit certificate ingress-ca
- Add the
duration
and renewBefore
fields under the
spec
field as shown in the following example: .
.
.
spec:
duration: 87600h # 10 years
renewBefore: 720h # 30 days
.
.
.
- Save the certificate and then exit the editor.
-
Run the following command to renew the CA certificate:
kubectl get certificate certificate_name -o=jsonpath='{.spec.secretName}' | xargs kubectl delete secret
where certificate_name
is the name of the CA certificate that
you want to renew, and will be one of the following: ingress-ca
,
management_CR-ca
,
analytics_CR-ca
, or
portal_CR-ca
.
-
Proceed to step 3 and renew each of the end-entity certificates that were issued by the
Cert-Manager Issuer based on the CA certificate.
-
Renew an end-entity certificate by running the following command:
kubectl get certificate certificate_name -o=jsonpath='{.spec.secretName}' | xargs kubectl delete secret
where certificate_name
is the name of the certificate that
you want to renew.
Refer to the following topics to see the list of certificates that need renewing based on the CA
certificate that you renewed in step 1:
-
For each updated certificate, restart all of the pods that are affected by that
certificate.
To see which pods are affected by each certificate, see the following topics:
Then, see the following topics for instructions for restarting pods:
- Management subsystem: restarting pods
- Gateway subsystem: restarting pods
- Analytics subsystem: restarting endpoints and pods
- Portal subsystem: restarting pods
for a two data center configuration or Cloud Pak for
Integration
If you are using a single data center configuration
with a stand-alone API Connect deployment, the Portal subsystem pods pick up the new certs and
restart any internal processes automatically. Changing the portal-server or portal-client
certificates will be a zero downtime operation. However, changing the portal-ca certificate will
cause downtime because all portal-db pods need to restart MySQL to allow for the certificate to
update. The pods will not restart, but they will all go non-ready and then ready again, which will
take a few minutes.
Note: Due to a known issue, when the
ingress-ca
is renewed, it is possible that
Analytics in the Developer Portal might stop working. If this happens, complete
the following steps to ensure that certificate changes take effect:
- Log in to the Cloud Manager user interface.
- In the navigation list, click Topology.
- Edit the Analytics service.
- On the Analytics page, edit the Summary field to force a change; for
example, by adding a space to the end of a sentence.
- Click Save.
- If you have subsystems in different namespaces, you need to update the renewed CA secrets
to be the same those namespaces. The following example shows how to do this for the
ingress-ca
where the gateway is in a different namespace:
- Export the management namespace
ingress-ca
secret as a
yaml:kubectl -n <management namespace> get secret ingress-ca -o yaml > ingress-ca.yaml
- Edit the
ingress-ca.yaml
file to remove all annotations
,
labels
, creationTimestamp
, managedFields
,
manager
, operation
, time
,
resourceVersion
, selfLink
, and uid
. Update the
namespace
field to that of your gateway namespace.
- Apply the updated the
ingress-ca.yaml
in the namespace of the other subsystem:
kubectl -n <gateway namespace> apply -f ingress-ca.yaml
- Use the following commands to confirm that the ingress-ca certificates are the same, in both
namespaces
run:
kubectl -n <management namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > /tmp/ingress.pem.dc1
kubectl -n <gateway namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > /tmp/ingress.pem.dc2
- To see the differences
run:
diff /tmp/ingress.pem.dc1 /tmp/ingress.pem.dc2
The files should be the
same.
- Repeat steps 3 and 4 to renew the end-entity certificates in the other namespace.