Preparing your active data center
Create the secrets, certificates, and issuers that are needed for your active data center to replicate with the warm-standby.
About this task
All operations are done on the CLI, in the 2dcdr-active-yamls directory you created in Planning and initial preparation.
In the yaml files and commands that are shown here, replace <apic-instance-name> with the name you intend to use for your API Connect Cluster CR, and <namespace> with your API Connect namespace name, as decided in Planning and initial preparation. The Management and Portal subsystems share this namespace, so <management namespace> and <portal namespace> in the commands below both refer to <namespace>.
Procedure
- Deploy the cert-manager.
- Create a file that is called cert-manager.yaml and paste in the following contents:
apiVersion: operator.ibm.com/v1alpha1
kind: OperandRequest
metadata:
  name: ibm-apiconnect
spec:
  requests:
  - operands:
    - name: ibm-cert-manager-operator
    registry: common-service
    registryNamespace: ibm-common-services
- Apply this yaml file with:
oc apply -f cert-manager.yaml -n <namespace>
- Confirm that the cert-manager is
deployed:
oc get deploy -n ibm-common-services | grep ibm-cert-manager-operator
- Wait for the cert-manager deployment to
become available:
oc wait --for=condition=available deployment.apps/ibm-cert-manager-operator -n ibm-common-services --timeout=900s
- Wait for the three cert-manager pods and operator
to be in running state:
oc get pods -n ibm-common-services | grep cert
cert-manager-cainjector-566b5d5698-pzccn    1/1   Running   0   18m
cert-manager-controller-766ddff8c4-ftr85    1/1   Running   0   18m
cert-manager-webhook-79bb8f67b7-gvkst       1/1   Running   0   18m
ibm-cert-manager-operator-fdfd66bd4-6rrz6   1/1   Running   0   19m
- Create the encryption key secrets for the Management and Portal subsystems. Note that the key inside each secret is named differently: encryption_secret.bin for Management and encryption_secret for Portal.
- Run the following command to write a random 63-byte value, base64-encoded, to mgmt-enc-key.txt. This value becomes the management encryption key and the file is copied to the warm-standby later, so protect it like the secret itself:
cat /dev/urandom | head -c63 | base64 -w0 > mgmt-enc-key.txt
- Run the following command to create the management encryption
key secret:
oc create secret generic mgmt-encryption-key --from-file=encryption_secret.bin=mgmt-enc-key.txt -n <management namespace>
- Confirm that the secret was created successfully by
running:
oc get secrets -n <management namespace> | grep mgmt-encryption-key
mgmt-encryption-key   Opaque   1   83s
- Run the following command to create a file that contains a random string, which is
used to create the portal encryption key secret:
cat /dev/urandom | head -c63 | base64 -w0 > ptl-enc-key.txt
- Run the following command to create the portal encryption
key secret:
oc create secret generic ptl-encryption-key --from-file=encryption_secret=ptl-enc-key.txt -n <portal namespace>
- Confirm that the secret was created successfully by
running:
oc get secrets -n <portal namespace> | grep ptl-encryption-key
ptl-encryption-key   Opaque   1   15s
- Create a self-signed issuer.
- Create a file that is called issuer.yaml and paste in the following contents, replacing <apic-instance-name>:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <apic-instance-name>-self-signed
spec:
  selfSigned: {}
- Apply this yaml file with:
oc apply -f issuer.yaml -n <namespace>
- Verify that the issuer was created with:
oc get issuer -n <namespace>
NAME               READY   AGE
apic-self-signed   True    25s
- Create an ingress-ca certificate:
- Create a file that is called self-signed-issuer-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <apic-instance-name>-ingress-ca
spec:
  commonName: ingress-ca
  duration: 87600h0m0s
  isCA: true
  issuerRef:
    kind: Issuer
    name: <apic-instance-name>-self-signed
  renewBefore: 720h0m0s
  privateKey:
    rotationPolicy: Always
  secretName: <apic-instance-name>-ingress-ca
- Apply this yaml file with:
oc apply -f self-signed-issuer-cert.yaml -n <namespace>
- Verify that the certificate was created with:
oc get cert -n <namespace>
NAME              READY   SECRET            AGE   EXPIRATION
apic-ingress-ca   True    apic-ingress-ca   11s   2032-08-15T13:01:47Z
- Create the ingress issuer.
- Create a file ingress-issuer.yaml and paste in the following contents, replacing <apic-instance-name>:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <apic-instance-name>-ingress-issuer
spec:
  ca:
    secretName: <apic-instance-name>-ingress-ca
- Apply this yaml file with:
oc apply -f ingress-issuer.yaml -n <namespace>
- Verify that the issuer was created with:
oc get issuer -n <namespace>
NAME                  READY   AGE
apic-ingress-issuer   True    20s
- Create a custom hostname and certificate for Cloud Pak for
Integration Platform UI and IBM Cloud Pak foundational services.
- Create a file custom-hostname-cert.yaml and paste in the following contents:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <apic-instance-name>-custom-hostname-cert
  namespace: <Platform UI namespace>
spec:
  secretName: <apic-instance-name>-custom-hostname-secret
  issuerRef:
    name: <apic-instance-name>-ingress-issuer
    kind: Issuer
  commonName: <custom fqdn>
  duration: 17520h0m0s
  renewBefore: 720h0m0s
  dnsNames:
  - <ocp cluster api address>
  - <ocp cluster ui address>
  - <cp console ui address>
Where:
<apic-instance-name> is the API Connect Cluster CR name.
<Platform UI namespace> is the namespace used by your Cloud Pak for Integration Platform UI.
<custom fqdn> is the fully qualified custom hostname.
<ocp cluster api address> is the fully qualified API address of your Cloud Pak for Integration cluster.
<ocp cluster ui address> is the fully qualified UI address of your Cloud Pak for Integration cluster.
<cp console ui address> is the fully qualified address of your Cloud Pak console. Run the following command to see this address:
oc get route -n ibm-common-services cp-console -o jsonpath='{.spec.host}'
- Apply this file with:
oc apply -f custom-hostname-cert.yaml -n <namespace>
The metadata.namespace value in the file must match the namespace given with -n, otherwise oc apply rejects the file. Because an Issuer is namespace-scoped, cert-manager can only issue this Certificate if it is in the same namespace as <apic-instance-name>-ingress-issuer, which you created in <namespace>.
- Extract the generated certificate files with:
oc extract secret/<apic-instance-name>-custom-hostname-secret -n <namespace> --to=. --keys=tls.crt,tls.key,ca.crt --confirm
Check that your local directory contains these three extracted files:ca.crt tls.crt tls.key
- Follow the steps in the Cloud Pak for Integration documentation to create a custom hostname and certificate https://www.ibm.com/docs/en/cloud-paks/cp-integration. For Cloud Pak for Integration v2022.2 the steps are on this page: Creating a custom hostname and certificate. Use the certificate files you extracted in the previous step.
- Create a secret in the Platform UI namespace from the same three files you extracted in the previous step:
oc -n <Platform UI namespace> create secret generic route-tls-secret --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key
- Add this new secret to the Platform UI CR, as described in the Cloud Pak for Integration documentation on using custom hostnames and certificates for the Platform UI. For Cloud Pak for Integration v2022.2 the steps are on this page: https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=certificates-using-custom-hostnames-platform-ui.
- Create the TLS client replication certificates for Management
and Portal.
- Create a yaml file that is called mgmt-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <apic-instance-name>-mgmt-replication-client
spec:
  commonName: <apic-instance-name>-mgmt-replication-client
  duration: 17520h0m0s
  issuerRef:
    kind: Issuer
    name: <apic-instance-name>-ingress-issuer
  renewBefore: 720h0m0s
  privateKey:
    rotationPolicy: Always
  secretName: <apic-instance-name>-mgmt-replication-client
- Apply this yaml file with:
oc apply -f mgmt-tls-client-cert.yaml -n <management namespace>
- Verify that the certificate was created with:
oc get certs -n <management namespace>
NAME                                           READY   SECRET                                         AGE   EXPIRATION
...
<apic-instance-name>-mgmt-replication-client   True    <apic-instance-name>-mgmt-replication-client   16m   2024-08-17T13:04:27Z
- Create a file ptl-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <apic-instance-name>-ptl-replication-client
spec:
  commonName: <apic-instance-name>-ptl-replication-client
  duration: 17520h0m0s
  issuerRef:
    kind: Issuer
    name: <apic-instance-name>-ingress-issuer
  renewBefore: 720h0m0s
  privateKey:
    rotationPolicy: Always
  secretName: <apic-instance-name>-ptl-replication-client
- Apply this yaml file with:
oc apply -f ptl-tls-client-cert.yaml -n <portal namespace>
- Verify that the certificate was created with:
oc get certs -n <portal namespace>
NAME                                          READY   SECRET                                        AGE   EXPIRATION
...
<apic-instance-name>-ptl-replication-client   True    <apic-instance-name>-ptl-replication-client   16m   2024-08-17T13:04:27Z
- Export the ingress-ca issuer secret. The ingress-ca issuer secret must be the same on the warm-standby data center. Export it from the active so that it can be imported on the warm-standby data center.
- Run the following command to export the secret to a file called
ca-issuer-secret.yaml
:oc get secret <apic-instance-name>-ingress-ca -o yaml -n <namespace> > ca-issuer-secret.yaml
- Edit the ca-issuer-secret.yaml file to remove the creationTimestamp, resourceVersion, uid, and managedFields fields. Remove the labels and annotations sections completely. The contents should look like this:
apiVersion: v1
data:
  ca.crt: <long cert string>
  tls.crt: <long cert string>
  tls.key: <long key string>
kind: Secret
metadata:
  name: <apic-instance-name>-ingress-ca
  namespace: <namespace>
type: kubernetes.io/tls
The tls.key entry is the private key of the CA that signs every certificate on both sites, so anyone who obtains this file can issue certificates that both data centers trust. Keep it readable only by you while it is on disk.
- Copy the following files from your 2dcdr-active-yamls directory to the 2dcdr-ws-yamls directory in your warm-standby data center. These files are required to ensure that the ingress-ca and encryption secrets on both sites are the same:
ca-issuer-secret.yaml
mgmt-enc-key.txt
ptl-enc-key.txt
All three files contain key material, so transfer them over a protected channel and remove any intermediate copies afterwards.
Tip: To save time during the preparation of your warm-standby data center you can also copy these yaml files:
ptl-tls-client-cert.yaml
mgmt-tls-client-cert.yaml
ingress-issuer.yaml
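The procedure above collected into one script, added here as an example; it is not part of the IBM page or product. It assumes oc is logged in to the active cluster, cert-manager is already deployed, the issuer and certificate yaml files from the steps above are in OUT_DIR, and that Management and Portal share one namespace as the page states. The script name, the variables APIC_INSTANCE, NAMESPACE, OUT_DIR and RUN_PREP, and the sample secret are all chosen for this example. Its strip_secret_metadata function performs the manual edit from the export step, and the constructed sample lets you check it without a cluster.

```shell
#!/bin/sh
# prepare-active-pki.sh: an added example for this page, not IBM's tooling.
# It scripts the steps above: random encryption keys written with mode 0600,
# the issuer/certificate manifests applied and waited on until Ready, and the
# ingress-ca secret exported without cluster-specific metadata for the
# warm-standby. APIC_INSTANCE, NAMESPACE, OUT_DIR and RUN_PREP are assumed names.
set -eu

APIC_INSTANCE="${APIC_INSTANCE:-apic}"
NAMESPACE="${NAMESPACE:-apic}"     # one namespace for Management and Portal
OUT_DIR="${OUT_DIR:-.}"            # the 2dcdr-active-yamls directory

# Write 63 random bytes, base64-encoded on one line, to the file named in $1.
# The file is copied to the warm-standby later, so it is created with mode 0600.
make_encryption_key() {
  ( umask 077 && head -c63 /dev/urandom | base64 -w0 > "$1" )
  printf '%s\n' "$1"
}

# Drop runtime metadata from an exported Secret manifest read on stdin:
# creationTimestamp, resourceVersion, uid, managedFields, labels and
# annotations, together with their indented child lines. Other blocks pass through.
strip_secret_metadata() {
  awk '
    /^[^ ]/ { in_meta = ($0 == "metadata:"); skipping = 0; print; next }
    in_meta && /^  [A-Za-z]/ {
      key = $1; sub(/:$/, "", key)
      skipping = (key == "annotations" || key == "creationTimestamp" || key == "labels" ||
                  key == "managedFields" || key == "resourceVersion" || key == "uid")
      if (!skipping) print
      next
    }
    in_meta && skipping { next }
    { print }
  '
}

# Export the ingress-ca secret (it contains the CA private key) in importable form.
export_ingress_ca() {
  oc get secret "${APIC_INSTANCE}-ingress-ca" -o yaml -n "$NAMESPACE" \
    | strip_secret_metadata > "$OUT_DIR/ca-issuer-secret.yaml"
  chmod 600 "$OUT_DIR/ca-issuer-secret.yaml"
}

# Full run against the active cluster. Assumes `oc` is logged in, cert-manager
# is deployed, and the yaml files from the steps above are present in OUT_DIR.
prepare_active() {
  make_encryption_key "$OUT_DIR/mgmt-enc-key.txt"
  make_encryption_key "$OUT_DIR/ptl-enc-key.txt"
  # The key name inside each secret differs, as on the page.
  oc create secret generic mgmt-encryption-key \
    --from-file=encryption_secret.bin="$OUT_DIR/mgmt-enc-key.txt" -n "$NAMESPACE"
  oc create secret generic ptl-encryption-key \
    --from-file=encryption_secret="$OUT_DIR/ptl-enc-key.txt" -n "$NAMESPACE"
  for f in issuer.yaml self-signed-issuer-cert.yaml ingress-issuer.yaml \
           mgmt-tls-client-cert.yaml ptl-tls-client-cert.yaml; do
    oc apply -f "$OUT_DIR/$f" -n "$NAMESPACE"
  done
  # cert-manager sets condition Ready on Issuers and Certificates; wait on it
  # instead of eyeballing `oc get issuer` / `oc get cert` output.
  for r in "issuer/${APIC_INSTANCE}-self-signed" \
           "certificate/${APIC_INSTANCE}-ingress-ca" \
           "issuer/${APIC_INSTANCE}-ingress-issuer" \
           "certificate/${APIC_INSTANCE}-mgmt-replication-client" \
           "certificate/${APIC_INSTANCE}-ptl-replication-client"; do
    oc wait --for=condition=Ready "$r" -n "$NAMESPACE" --timeout=300s
  done
  export_ingress_ca
}

# Constructed sample of `oc get secret -o yaml` output (placeholder values, not
# real key material) so strip_secret_metadata can be exercised without a cluster.
SAMPLE_EXPORTED_SECRET='apiVersion: v1
data:
  ca.crt: Q0E=
  tls.crt: Q0VSVA==
  tls.key: S0VZ
kind: Secret
metadata:
  annotations:
    cert-manager.io/issuer-name: apic-self-signed
  creationTimestamp: "2024-08-15T13:01:47Z"
  labels:
    app.kubernetes.io/instance: apic
  managedFields:
  - apiVersion: v1
    manager: cert-manager
  name: apic-ingress-ca
  namespace: apic
  resourceVersion: "123456"
  uid: 0e1b7d0c-6f9b-4f2d-8d31-0d2e7e5e9c10
type: kubernetes.io/tls'

# Touch the cluster only when explicitly asked: RUN_PREP=1 ./prepare-active-pki.sh
if [ "${RUN_PREP:-0}" = 1 ]; then
  prepare_active
fi
```

Run it as RUN_PREP=1 APIC_INSTANCE=<apic-instance-name> NAMESPACE=<namespace> ./prepare-active-pki.sh from the 2dcdr-active-yamls directory. Without RUN_PREP the file only defines the helpers, so it can be sourced to try strip_secret_metadata on the sample: printf '%s\n' "$SAMPLE_EXPORTED_SECRET" | strip_secret_metadata should leave only name and namespace under metadata.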