Using a ManagementSecretRotation CR to update the management CA

About this task

Applying the ManagementSecretRotation CR (Custom Resource) is an alternative method for renewing the management_CR-ca and its dependencies, and then restarting the dependent pods. This option applies only to the management_CR-ca.

Restriction: The ManagementSecretRotation CR can only be used with a stand-alone deployment using a single data center. Do not attempt to use it with a two data center configuration or a Cloud Pak for Integration deployment.

Procedure

  1. Create a ManagementSecretRotation CR (for example, operationcr.yaml) with contents similar to the following example: 
    apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementSecretRotation
metadata:
  name: rotate-issuer
spec:
  managementCluster: management_CR_name
  rotateCertificates:
    certificates:
    - management_CR-ca

    where management_CR_name is the name of the management CR that the system was deployed with.

  2. Apply the CR by running the following command: 
    kubectl create -f operationcr.yaml -n namespace

    where:

    • namespace is the namespace where you installed the Management subsystem
    • operationcr.yaml is the file the contains the CR

    Applying the CR updates the management_CR-ca, along with any certificates that are signed by it. To view a list of the updated certificates, run the following command and check the status block of the CR:

    kubectl get managementsecretrotation rotate-issuer -n namespace

    In the command, replace namespace with the namespace where you installed the Management subsystem.