Preparing your active data center

Create the secrets, certificates, and issuers that are needed for your active data center to replicate with the warm-standby.

About this task

All operations are done on the CLI, in the 2dcdr-active-yamls directory you created in Planning and initial preparation.

In the yaml files and commands that are shown here, replace <namespace> with the name of the corresponding subsystem namespace.

Procedure

  1. Deploy the cert-manager.
    1. Create a file that is called cert-manager.yaml and paste in the following contents:
      apiVersion: operator.ibm.com/v1alpha1
      kind: OperandRequest
      metadata:
        name: ibm-apiconnect
      spec:
        requests:
          - operands:
              - name: ibm-cert-manager-operator
            registry: common-service
            registryNamespace: ibm-common-services
    2. Apply this yaml file with:
      oc apply -f cert-manager.yaml -n <namespace>
    3. Confirm that the cert-manager is deployed:
      oc get deploy -n ibm-common-services | grep ibm-cert-manager-operator
    4. Wait for the cert-manager deployment to become available:
      oc wait --for=condition=available deployment.apps/ibm-cert-manager-operator -n ibm-common-services --timeout=900s
    5. Wait for the three cert-manager pods and operator to be in running state:
      oc get pods -n ibm-common-services | grep cert
      
      cert-manager-cainjector-566b5d5698-pzccn               1/1     Running   0          18m
      cert-manager-controller-766ddff8c4-ftr85               1/1     Running   0          18m
      cert-manager-webhook-79bb8f67b7-gvkst                  1/1     Running   0          18m
      ibm-cert-manager-operator-fdfd66bd4-6rrz6              1/1     Running   0          19m
  2. Create the encryption key secrets for the Management and Portal subsystems.
    1. Run the following command to create a file that contains a random string, which is used to create the management encryption key secret:
      cat /dev/urandom | head -c63 | base64 -w0 > mgmt-enc-key.txt
    2. Run the following command to create the management encryption key secret:
      oc create secret generic mgmt-encryption-key --from-file=encryption_secret.bin=mgmt-enc-key.txt -n <management namespace>
    3. Confirm that the secret was created successfully by running:
      oc get secrets -n <management namespace> | grep mgmt-encryption-key
      
      mgmt-encryption-key        Opaque                                1      83s
    4. Run the following command to create a file that contains a random string, which is used to create the portal encryption key secret:
      cat /dev/urandom | head -c63 | base64 -w0 > ptl-enc-key.txt
    5. Run the following command to create the portal encryption key secret:
      oc create secret generic ptl-encryption-key --from-file=encryption_secret=ptl-enc-key.txt -n <portal namespace>
    6. Confirm that the secret was created successfully by running:
      oc get secrets -n <portal namespace> | grep ptl-encryption-key
      
      ptl-encryption-key         Opaque                                1      15s
  3. If all your API Connect subsystems are to be installed in the same namespace, then create your certificates, issuers, and secrets as described here: Setting up a certificate issuer. Return here when complete, do not proceed to install the subsystems.
  4. If your API Connect subsystems are to be installed in different namespaces, then create your certificates, issuers, and secrets for your Management subsystem as described here: Create Management subsystem issuers and secrets. For your Portal subsystem, follow the steps here: Create Portal subsystem issuers and secrets. Return here when complete, do not proceed to install either subsystem.
  5. Create the TLS client replication certificates for Management and Portal.
    1. Create a yaml file that is called mgmt-tls-client-cert.yaml and paste in the following contents:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: mgmt-replication-client
      spec:
        commonName: mgmt-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: mgmt-replication-client
    2. Apply this yaml file with:
      oc apply -f mgmt-tls-client-cert.yaml -n <management namespace>
    3. Verify that the certificate was created with:
      oc get certs -n <management namespace>
      
      NAME                      READY   SECRET                    AGE     EXPIRATION
      ...
      mgmt-replication-client   True    mgmt-replication-client   16m     2024-08-17T13:04:27Z
    4. Create a file ptl-tls-client-cert.yaml and paste in the following contents:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: ptl-replication-client
      spec:
        commonName: ptl-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: ptl-replication-client
    5. Apply this yaml file with:
      oc apply -f ptl-tls-client-cert.yaml -n <portal namespace>
    6. Verify that the certificate was created with:
      oc get certs -n <portal namespace>
      
      NAME                     READY   SECRET                   AGE     EXPIRATION
      ...
      ptl-replication-client   True    ptl-replication-client   16m     2024-08-17T13:04:27Z
  6. Export the ingress-ca issuer secret.
    The ingress-ca issuer secret must be the same on the warm-standby data center. Export it from the active so that it can be imported on the warm-standby data center.
    Note: If you are deploying API Connect subsystems in different namespaces, then you export the Management subsystem ingress-ca secret.
    1. Run the following command to export the secret to a file called ca-issuer-secret.yaml:
      oc get secret ingress-ca -o yaml -n <management namespace> > ca-issuer-secret.yaml
    2. Edit the ca-issuer-secret.yaml file to remove the creationTimestamp, resourceVersion, uid, namespace, and managedFields. Remove the labels and annotations sections completely. The resulting contents should look like this:
      apiVersion: v1
      data:
        ca.crt: <long cert string>
        tls.crt: <long cert string>
        tls.key: <long cert string>
      kind: Secret
      metadata:
        name: ingress-ca
      type: kubernetes.io/tls
      
  7. Copy the following files from your 2dcdr-active-yamls directory to the 2dcdr-ws-yamls directory in your warm-standby data center.
    ca-issuer-secret.yaml
    mgmt-enc-key.txt
    ptl-enc-key.txt
    These files are required to ensure that the ingress-ca and encryption secrets on both sites are the same.
    Tip: To save time during the preparation of your warm-standby data center you can also copy these yaml files:
    ptl-tls-client-cert.yaml
    mgmt-tls-client-cert.yaml
    
  8. If you are installing the Portal subsystem in a different namespace from the Management subsystem on the active data center, use the ca-issuer-secret.yaml file to create the issuer in your portal namespace. Follow the 'Before you begin' steps here: Create issuer. Do not proceed to install the Portal subsystem after creating the issuer.
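As an added example that is not part of the IBM documentation, the following Python script performs the cleanup of step 6.2 programmatically and adds two checks a practitioner wants before copying the file to the warm-standby site: that the exported secret is a complete kubernetes.io/tls secret (ca.crt, tls.crt and tls.key all present) and a fingerprint that can be compared on both sites to confirm the ingress-ca key material really is identical. It assumes you export with oc get secret ingress-ca -o json instead of -o yaml (oc apply -f accepts either), and the embedded sample secret is constructed with placeholder values.

```python
import hashlib
import json

# Metadata fields that step 6.2 tells you to remove before importing on the warm-standby.
CLUSTER_SPECIFIC_FIELDS = ("creationTimestamp", "resourceVersion", "uid",
                           "namespace", "managedFields", "labels", "annotations")
REQUIRED_DATA_KEYS = ("ca.crt", "tls.crt", "tls.key")


def sanitize_secret(raw: dict) -> dict:
    """Return a copy of an exported Secret with cluster-specific metadata stripped,
    so that the result matches the ca-issuer-secret layout shown in step 6.2."""
    if raw.get("kind") != "Secret" or raw.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a Secret of type kubernetes.io/tls")
    missing = [k for k in REQUIRED_DATA_KEYS if k not in raw.get("data", {})]
    if missing:
        raise ValueError(f"exported secret is missing data keys: {missing}")
    metadata = {k: v for k, v in raw["metadata"].items()
                if k not in CLUSTER_SPECIFIC_FIELDS}
    return {"apiVersion": raw["apiVersion"], "kind": "Secret",
            "metadata": metadata, "data": dict(raw["data"]), "type": raw["type"]}


def secret_fingerprint(secret: dict) -> str:
    """SHA-256 over the sorted data entries: equal on active and warm-standby
    means both sites hold the same ingress-ca key material."""
    digest = hashlib.sha256()
    for key in sorted(secret["data"]):
        digest.update(f"{key}={secret['data'][key]}\n".encode())
    return digest.hexdigest()


# Constructed sample shaped like `oc get secret ingress-ca -o json` output;
# the data values are placeholders, not real base64-encoded PEM material.
ACTIVE_EXPORT = json.loads("""{
 "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
 "metadata": {"name": "ingress-ca", "namespace": "placeholder-mgmt-namespace",
              "uid": "placeholder-uid", "resourceVersion": "12345",
              "creationTimestamp": "2022-08-17T13:04:27Z",
              "labels": {"placeholder-label": "x"}, "annotations": {"placeholder-annotation": "y"},
              "managedFields": [{"manager": "cert-manager"}]},
 "data": {"ca.crt": "PLACEHOLDER-ca-crt", "tls.crt": "PLACEHOLDER-tls-crt",
          "tls.key": "PLACEHOLDER-tls-key"}
}""")

if __name__ == "__main__":
    clean = sanitize_secret(ACTIVE_EXPORT)
    print(json.dumps(clean, indent=2))        # save this as ca-issuer-secret.json
    print("ingress-ca fingerprint:", secret_fingerprint(clean))
```

Run the fingerprint function against the secret on the warm-standby after importing it; a mismatch means the two sites are not using the same ingress-ca.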

What to do next

Prepare your warm-standby data center: see Preparing your warm-standby data center.