Renewing the portal CA with the PortalSecretRotation CR
Use the PortalSecretRotation CR to renew the portal CA and all end-entity certificates that the portal CA signs.
About this task
The PortalSecretRotation CR (Custom Resource) is the recommended method for renewing the portal CA certificate and all of its end-entity certificates. The alternative method is to manually renew the portal CA certificate and then each of its end-entity certificates, which you can identify from the certificates table Portal certificates.

Note: Renewing the portal-ca certificate causes downtime because all the portal-db pods need to restart the MySQL process to allow for the certificate to update. The pods do not restart, but they go non-ready and then ready again, which takes a few

Note: The PortalSecretRotation CR is for use with a single data center deployment only. Do not attempt to use it with a two data center disaster recovery deployment. See Renewing certificates in a two data center deployment on Kubernetes and OpenShift.
- Create a file called portal-secret-cr.yaml and paste in the following:

  apiVersion: portal.apiconnect.ibm.com/v1beta1
  kind: PortalSecretRotation
  metadata:
    name: portal-rotate-secret
  spec:
    portalCluster: <portal CR name>
    # List of certificates you want to rotate. Listing an issuer will rotate any certs issued by that issuer,
    # e.g. listing just portal-ca will rotate portal-ca, portal-client and portal-server.
    rotateCertificates:
      certificates:
      - <portal CR name>-ca
    rotateEncryptionSecret:
      # Set to true if you want to rotate the encryption secret.
      rotate: true
      # Optional value to set the encryption secret to, if the supplied secret exists in the env.
      # If not supplied, the rotated secret will be random.
      encryptionSecret: new-encryption-secret

  where <portal CR name> is the name of your PortalCluster CR. You can identify this name with:

  kubectl get PortalCluster -n <portal namespace>

  If you set rotate: true in the rotateEncryptionSecret section, the portal-encryption-secret is updated and the following changes are made:
  - Change the root MySQL password.
  - Generate a new, site-specific MySQL password for each site.
  - Reencrypt all client_ids and client_secrets in the portal database.
- Apply the CR by running the following command:

  kubectl create -f portal-secret-cr.yaml -n <portal namespace>

  Applying the CR updates the <portal CR name>-ca, along with all end-entity certificates that it signs. To view a list of the updated certificates, run the following command:

  kubectl describe PortalSecretRotation portal-rotate-secret -n <portal namespace>

  The status block in the command output shows the renewed certificates:

  Status:
    ...
    Phase:  Completed
    Rotated Certs:
      def-portal-ca
      def-portal-server
      def-portal-client
    State:  Completed Portal Secret Rotation.
    ...
- When the certificate rotation is finished, delete the PortalSecretRotation CR. Confirm that certificate rotation is finished with the command:

  kubectl get PortalSecretRotation portal-rotate-secret -n <portal namespace>

  The output should show:

  NAME                   STATUS      MESSAGE                              AGE
  portal-rotate-secret   Completed   Completed Portal Secret Rotation.    7m50s

  Then delete the CR:

  kubectl delete PortalSecretRotation portal-rotate-secret -n <portal namespace>
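Before deleting the CR it is worth checking not only that the phase is Completed but that every certificate the portal CA signs actually appears under Rotated Certs, since a CR deleted after a partial rotation leaves no record of what was reissued. The following shell function is an added example, not part of the IBM documentation: it parses saved kubectl describe output (the sample text below is constructed to match the format shown above, and the portal CR name def-portal is assumed) and only reports success when the -ca, -server and -client certificates are all listed.

```shell
#!/bin/sh
# Added example, not from the IBM API Connect docs. Checks the text of
#   kubectl describe PortalSecretRotation portal-rotate-secret -n <portal namespace>
# and only reports success when Phase is Completed and every certificate the
# portal CA signs (the -ca, -server and -client certs) is listed as rotated.
# Both sample outputs are constructed; the portal CR name "def-portal" is assumed.

SAMPLE_COMPLETE='Name:         portal-rotate-secret
Status:
  Phase:  Completed
  Rotated Certs:
    def-portal-ca
    def-portal-server
    def-portal-client
  State:  Completed Portal Secret Rotation.'

# Rotation still in progress: the client cert has not been reissued yet.
SAMPLE_PARTIAL='Name:         portal-rotate-secret
Status:
  Phase:  Running
  Rotated Certs:
    def-portal-ca
    def-portal-server
  State:  Rotating certificates.'

# rotation_complete DESCRIBE_TEXT PORTAL_CR_NAME
# Returns 0 when the rotation finished and all expected certs were rotated;
# otherwise prints what is missing and returns 1.
rotation_complete() {
  desc=$1
  name=$2
  phase=$(printf '%s\n' "$desc" | awk '/^ *Phase:/ { print $2; exit }')
  if [ "$phase" != "Completed" ]; then
    echo "phase is '${phase:-unknown}', not Completed"
    return 1
  fi
  # Collect the indented lines between "Rotated Certs:" and the next key.
  rotated=$(printf '%s\n' "$desc" | awk '
    /^ *Rotated Certs:/ { inlist = 1; next }
    inlist && /:/        { inlist = 0 }
    inlist               { sub(/^ +/, ""); print }')
  rc=0
  for cert in "$name-ca" "$name-server" "$name-client"; do
    printf '%s\n' "$rotated" | grep -qxF "$cert" || { echo "not rotated: $cert"; rc=1; }
  done
  return $rc
}

rotation_complete "$SAMPLE_COMPLETE" def-portal && echo "safe to delete the CR"
rotation_complete "$SAMPLE_PARTIAL" def-portal || echo "keep waiting"
```

To use it against a live cluster, capture the describe output into a variable and pass it with your own portal CR name in place of def-portal.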