Preparing your active data center
Create the secrets, certificates, and issuers that are needed for your active data center to replicate with the warm-standby.
About this task
All operations are done on the CLI, in the 2dcdr-active-yamls directory you created in Planning and initial preparation.
In the yaml files and commands that are shown here, replace <namespace> with the name of the corresponding subsystem namespace.
Procedure
- Deploy the cert-manager.
  - Create a file that is called cert-manager.yaml and paste in the following contents:
      apiVersion: operator.ibm.com/v1alpha1
      kind: OperandRequest
      metadata:
        name: ibm-apiconnect
      spec:
        requests:
        - operands:
          - name: ibm-cert-manager-operator
          registry: common-service
          registryNamespace: ibm-common-services
  - Apply this yaml file with:
      oc apply -f cert-manager.yaml -n <namespace>
  - Confirm that the cert-manager is deployed:
      oc get deploy -n ibm-common-services | grep ibm-cert-manager-operator
  - Wait for the cert-manager deployment to become available:
      oc wait --for=condition=available deployment.apps/ibm-cert-manager-operator -n ibm-common-services --timeout=900s
  - Wait for the three cert-manager pods and the operator to be in Running state:
      oc get pods -n ibm-common-services | grep cert
      cert-manager-cainjector-566b5d5698-pzccn    1/1   Running   0   18m
      cert-manager-controller-766ddff8c4-ftr85    1/1   Running   0   18m
      cert-manager-webhook-79bb8f67b7-gvkst       1/1   Running   0   18m
      ibm-cert-manager-operator-fdfd66bd4-6rrz6   1/1   Running   0   19m
- Create the encryption key secrets for the Management and Portal subsystems.
  - Run the following command to create a file that contains a random string, which is used to create the management encryption key secret:
      cat /dev/urandom | head -c63 | base64 -w0 > mgmt-enc-key.txt
  - Run the following command to create the management encryption key secret:
      oc create secret generic mgmt-encryption-key --from-file=encryption_secret.bin=mgmt-enc-key.txt -n <management namespace>
  - Confirm that the secret was created successfully by running:
      oc get secrets -n <management namespace> | grep mgmt-encryption-key
      mgmt-encryption-key   Opaque   1   83s
  - Run the following command to create a file that contains a random string, which is used to create the portal encryption key secret:
      cat /dev/urandom | head -c63 | base64 -w0 > ptl-enc-key.txt
  - Run the following command to create the portal encryption key secret:
      oc create secret generic ptl-encryption-key --from-file=encryption_secret=ptl-enc-key.txt -n <portal namespace>
  - Confirm that the secret was created successfully by running:
      oc get secrets -n <portal namespace> | grep ptl-encryption-key
      ptl-encryption-key   Opaque   1   15s
- If all your API Connect subsystems are to be installed in the same namespace, then create your certificates, issuers, and secrets as described here: Setting up a certificate issuer. Return here when complete; do not proceed to install the subsystems.
- If your API Connect subsystems are to be installed in different namespaces, then create your certificates, issuers, and secrets for your Management subsystem as described here: Create Management subsystem issuers and secrets. For your Portal subsystem, follow the steps here: Create Portal subsystem issuers and secrets. Return here when complete; do not proceed to install either subsystem.
- Create the TLS client replication certificates for Management and Portal.
  - Create a yaml file that is called mgmt-tls-client-cert.yaml and paste in the following contents:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: mgmt-replication-client
      spec:
        commonName: mgmt-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: mgmt-replication-client
  - Apply this yaml file with:
      oc apply -f mgmt-tls-client-cert.yaml -n <management namespace>
  - Verify that the certificate was created with:
      oc get certs -n <management namespace>
      NAME                      READY   SECRET                    AGE   EXPIRATION
      ...
      mgmt-replication-client   True    mgmt-replication-client   16m   2024-08-17T13:04:27Z
  - Create a file that is called ptl-tls-client-cert.yaml and paste in the following contents:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: ptl-replication-client
      spec:
        commonName: ptl-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: ptl-replication-client
  - Apply this yaml file with:
      oc apply -f ptl-tls-client-cert.yaml -n <portal namespace>
  - Verify that the certificate was created with:
      oc get certs -n <portal namespace>
      NAME                     READY   SECRET                   AGE   EXPIRATION
      ...
      ptl-replication-client   True    ptl-replication-client   16m   2024-08-17T13:04:27Z
- Export the ingress-ca issuer secret. The ingress-ca issuer secret must be the same on the warm-standby data center. Export it from the active so that it can be imported on the warm-standby data center.
  Note: If you are deploying API Connect subsystems in different namespaces, then you export the Management subsystem ingress-ca secret.
  - Run the following command to export the secret to a file called ca-issuer-secret.yaml:
      oc get secret ingress-ca -o yaml -n <management namespace> > ca-issuer-secret.yaml
  - Edit the ca-issuer-secret.yaml file to remove the creationTimestamp, resourceVersion, uid, namespace, and managedFields. Remove the labels and annotations sections completely. The resulting contents should look like this:
      apiVersion: v1
      data:
        ca.crt: <long cert string>
        tls.crt: <long cert string>
        tls.key: <long cert string>
      kind: Secret
      metadata:
        name: ingress-ca
      type: kubernetes.io/tls
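The metadata cleanup in this step can be scripted instead of done by hand. The following is an added example, not part of the IBM documentation: it strips exactly the fields listed above from a plain `oc get secret ... -o yaml` export, leaves only metadata.name, and keeps data and type untouched. The sample Secret it runs on is constructed, with placeholder base64 values; sanitize_secret_yaml and metadata_keys are names chosen here.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): strip cluster-specific metadata
# from an exported Secret so the file can be re-created on the warm-standby.
set -eu
# Reads a Secret YAML on stdin, writes the sanitized YAML on stdout.
sanitize_secret_yaml() {
  awk '
    /^metadata:/ { in_meta = 1; skip = 0; print; next }   # enter the metadata map
    /^[^ ]/      { in_meta = 0; skip = 0; print; next }   # any other top-level key
    in_meta && /^  [A-Za-z]/ {
      skip = 0                                            # a key at indent 2 ends a dropped block
      if ($0 ~ /^  (creationTimestamp|resourceVersion|uid|namespace):/) next
      if ($0 ~ /^  (managedFields|labels|annotations):/) { skip = 1; next }
      print; next
    }
    in_meta && skip { next }                              # nested lines of a dropped block
    { print }
  '
}
# Lists the keys left under metadata; after sanitizing, only "name" should remain.
metadata_keys() {
  awk '/^metadata:/ { m = 1; next }
       /^[^ ]/      { m = 0 }
       m && /^  [A-Za-z]/ { sub(/:.*/, ""); sub(/^  /, ""); print }'
}
# Constructed sample of what "oc get secret ingress-ca -o yaml" returns
# (placeholder base64 values and ids, not a real CA).
sample_exported_secret() {
  cat <<'EOF'
apiVersion: v1
data:
  ca.crt: LS0tQ0EtLS0=
  tls.crt: LS0tQ1JULS0t
  tls.key: LS0tS0VZLS0t
kind: Secret
metadata:
  annotations:
    cert-manager.io/issuer-name: ingress-ca
  creationTimestamp: "2024-08-17T13:04:27Z"
  managedFields:
  - apiVersion: v1
    manager: cert-manager
  name: ingress-ca
  namespace: apic-mgmt
  resourceVersion: "123456"
  uid: 0b1c2d3e-0000-1111-2222-333344445555
type: kubernetes.io/tls
EOF
}
sample_exported_secret | sanitize_secret_yaml
```

On a real export, run `sanitize_secret_yaml < ca-issuer-secret.yaml` and check that `metadata_keys` reports only `name` before copying the file to the warm-standby.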
- Copy the following files from your 2dcdr-active-yamls directory to the 2dcdr-ws-yamls directory in your warm-standby data center. These files are required to ensure that the ingress-ca and encryption secrets on both sites are the same.
      ca-issuer-secret.yaml
      mgmt-enc-key.txt
      ptl-enc-key.txt
  Tip: To save time during the preparation of your warm-standby data center you can also copy these yaml files:
      ptl-tls-client-cert.yaml
      mgmt-tls-client-cert.yaml
- If you are installing the Portal subsystem in a different namespace to the Management subsystem on the active data center, use the ca-issuer-secret.yaml file to create the issuer in your portal namespace. Follow the 'Before you begin' steps here: Create issuer. Do not proceed to install the Portal subsystem after creating the issuer.