Renewing the portal CA with the PortalSecretRotation CR

Use the PortalSecretRotation CR to renew the portal CA and all end-entity certificates that the portal CA signs.

About this task

Applying the PortalSecretRotation CR (Custom Resource) is the recommended method for renewing the portal CA certificate and all the end-entity certificates that it signs. The alternative method is to manually renew the portal CA certificate and then each of its end-entity certificates, which you can identify from the Portal certificates table.

Renewing the portal-ca certificate causes downtime because every portal-db pod must restart its MySQL process to pick up the updated certificate. The pods themselves do not restart, but they become non-ready and then ready again, which takes a few minutes.

Restriction: The PortalSecretRotation CR is for use with a single data center deployment. Do not attempt to use it with a two data center disaster recovery deployment. See Renewing certificates in a two data center deployment on Kubernetes and OpenShift.


  1. Create a file called portal-secret-cr.yaml and paste in the following contents:
    apiVersion: portal.apiconnect.ibm.com/v1beta1
    kind: PortalSecretRotation
    metadata:
      name: portal-rotate-secret
    spec:
      portalCluster: <portal CR name>
      # List of certificates you want to rotate. Listing an issuer rotates any certificates issued by that issuer,
      # e.g. listing just portal-ca rotates portal-ca, portal-client and portal-server.
      rotateCertificates:
        - <portal CR name>-ca
      rotateEncryptionSecret:
        # Set to true if you want to rotate the encryption secret.
        rotate: true
        # Optional value to set the encryption secret to, if the supplied secret exists in the environment.
        # If not supplied, the rotated secret is random.
        encryptionSecret: new-encryption-secret
    where <portal CR name> is the name of your PortalCluster CR. You can identify this name with:
    kubectl get PortalCluster -n <portal namespace>
    If you set rotate: true in the rotateEncryptionSecret section, the portal-encryption-secret is updated and the following changes are made:
    • Change the root MySQL password.
    • Generate a new, site-specific MySQL password for each site.
    • Reencrypt all client_ids and client_secrets in the portal database.
  2. Apply the CR by running the following command:
    kubectl create -f portal-secret-cr.yaml -n <portal namespace>
    Applying the CR updates the <portal CR name>-ca, along with all end-entity certificates that it signs. To view a list of the updated certificates, run the following command:
    kubectl describe PortalSecretRotation portal-rotate-secret -n <portal namespace>
    The status block in the command output shows the renewed certificates:
      Phase:                   Completed
      Rotated Certs:
      State:  Completed Portal Secret Rotation.
  3. When the certificate rotation is finished, delete the PortalSecretRotation CR.
    Confirm that certificate rotation is finished with the command:
    kubectl get PortalSecretRotation portal-rotate-secret -n <portal namespace>
    The output should show Completed:
    NAME                   STATUS      MESSAGE                             AGE
    portal-rotate-secret   Completed   Completed Portal Secret Rotation.   7m50s
    Then delete the CR:
    kubectl delete PortalSecretRotation portal-rotate-secret -n <portal namespace>
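The same procedure as a script, added here as an example that is not part of the IBM documentation: it applies the CR from step 1, polls status.phase until it is Completed, records the renewed certificates, and deletes the CR only after completion, so the CR is never removed mid-rotation. It assumes kubectl is configured for the cluster and that portal-secret-cr.yaml is in the current directory.

```bash
#!/bin/sh
# Added example, not taken from the IBM documentation: apply the
# PortalSecretRotation CR, wait until status.phase reports Completed, and only
# then delete the CR. Assumes kubectl is configured for the cluster and that the
# file portal-secret-cr.yaml from step 1 is in the current directory.
set -eu

POLL_SECONDS="${POLL_SECONDS:-15}"
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-1800}"   # rotation takes minutes; allow 30

# Poll the CR's status.phase. Prints the phase and returns 0 once it is
# Completed; returns 1 if the timeout elapses first.
wait_for_rotation() {
  cr="$1"; ns="$2"; waited=0
  while [ "$waited" -lt "$TIMEOUT_SECONDS" ]; do
    phase="$(kubectl get PortalSecretRotation "$cr" -n "$ns" \
               -o jsonpath='{.status.phase}' 2>/dev/null || true)"
    if [ "$phase" = "Completed" ]; then
      echo "$phase"
      return 0
    fi
    sleep "$POLL_SECONDS"
    waited=$((waited + POLL_SECONDS))
  done
  return 1
}

# Steps 2 and 3 of the procedure: create the CR, wait, record the renewed
# certificates, delete the CR. On timeout the CR is left in place so that its
# status block can be inspected; nothing is deleted.
rotate_portal_ca() {
  cr="$1"; ns="$2"
  kubectl create -f portal-secret-cr.yaml -n "$ns"
  if wait_for_rotation "$cr" "$ns" >/dev/null; then
    kubectl describe PortalSecretRotation "$cr" -n "$ns"   # shows Rotated Certs
    kubectl delete PortalSecretRotation "$cr" -n "$ns"
    return 0
  fi
  echo "rotation not Completed after ${TIMEOUT_SECONDS}s; CR left for inspection" >&2
  return 1
}

# Usage: sh rotate-portal-ca.sh portal-rotate-secret <portal namespace>
if [ "$#" -eq 2 ]; then
  rotate_portal_ca "$1" "$2"
fi
```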