Preparing your warm-standby data center

Create the secrets, certificates, and issuers that are needed for your warm-standby data center to replicate with the active.

About this task

All operations are done on the CLI, in the 2dcdr-ws-yamls directory you created in Planning and initial preparation.

In the YAML files and commands that are shown here, replace <apic-instance-name> with the name you intend to use for your API Connect Cluster CR, and <namespace> with your API Connect namespace name (which will be the same for both the Management and Portal subsystems), as decided in Planning and initial preparation.

Procedure

  1. Import the ingress-ca issuer secret.
    This secret was created on your active data center here: Export the ingress-ca issuer secret
    1. Copy the ca-issuer-secret.yaml file to your warm-standby data center (if not done already).
    2. Create the secret with:
      oc apply -f ca-issuer-secret.yaml -n <namespace>
    3. Verify that the secret was created with:
      oc get secret -n <namespace>
      
      NAME                                                 TYPE                                  DATA   AGE
      <apic-instance-name>-ingress-ca                      kubernetes.io/tls                     3      19h
  2. Create the ingress issuer.
    1. Create a file ingress-issuer.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <apic-instance-name>-ingress-issuer
      spec:
        ca:
          secretName: <apic-instance-name>-ingress-ca
    2. Apply this YAML file with:
      oc apply -f ingress-issuer.yaml -n <namespace>
    3. Verify that the issuer was created with:
      oc get issuer -n <namespace>
      
      NAME                  READY   AGE
      apic-ingress-issuer   True    20s
  3. Create the encryption key secrets for the Management and Portal subsystems, by using the random strings that were generated on the active data center.
    Use the mgmt-enc-key.txt and ptl-enc-key.txt files that were copied to your warm-standby data center here: Copy keys to warm-standby.
    1. Run the following command to create the management encryption key secret:
      oc create secret generic mgmt-encryption-key --from-file=encryption_secret.bin=mgmt-enc-key.txt -n <management namespace>
    2. Confirm that the secret was created successfully by running:
      oc get secrets -n <management namespace> | grep mgmt-encryption-key
      
      mgmt-encryption-key        Opaque                                1      83s
    3. Run the following command to create the portal encryption key secret:
      oc create secret generic ptl-encryption-key --from-file=encryption_secret=ptl-enc-key.txt -n <portal namespace>
    4. Confirm that the secret was created successfully by running:
      oc get secrets -n <portal namespace> | grep ptl-encryption-key
      
      ptl-encryption-key         Opaque                                1      15s
  4. Create the TLS client replication certificates for Management and Portal.
    1. Create a YAML file called mgmt-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <apic-instance-name>-mgmt-replication-client
      spec:
        commonName: <apic-instance-name>-mgmt-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: <apic-instance-name>-ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: <apic-instance-name>-mgmt-replication-client
    2. Apply this YAML file with:
      oc apply -f mgmt-tls-client-cert.yaml -n <management namespace>
    3. Verify that the certificate was created with:
      oc get certs -n <management namespace>
      
      NAME                                           READY   SECRET                                         AGE     EXPIRATION
      ...
      <apic-instance-name>-mgmt-replication-client   True    <apic-instance-name>-mgmt-replication-client   16m     2024-08-17T13:04:27Z
    4. Create a file ptl-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <apic-instance-name>-ptl-replication-client
      spec:
        commonName: <apic-instance-name>-ptl-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: <apic-instance-name>-ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: <apic-instance-name>-ptl-replication-client
    5. Apply this YAML file with:
      oc apply -f ptl-tls-client-cert.yaml -n <portal namespace>
    6. Verify that the certificate was created with:
      oc get certs -n <portal namespace>
      
      NAME                                          READY   SECRET                                        AGE     EXPIRATION
      ...
      <apic-instance-name>-ptl-replication-client   True    <apic-instance-name>-ptl-replication-client   16m     2024-08-17T13:04:27Z
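The procedure above, collected into a set of shell pre-flight helpers as an added example; this is not code from the IBM documentation or from the API Connect product. The helpers render the Issuer and the two replication client Certificates from the placeholders, refuse to apply a manifest in which a <...> placeholder is still present, verify the copied key files against a checksum, and parse the READY column of the oc get output. It assumes you recorded a SHA-256 of each key file when it was generated on the active data center (the page records no checksums) and that <...> is the only placeholder syntax in your manifests.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM documentation or product): pre-flight
# helpers for the warm-standby preparation steps. Assumptions: the expected
# SHA-256 of each key file was noted on the active data center, and "<...>"
# is the only placeholder syntax used in the YAML files.

# Render the cert-manager Issuer that signs with the imported ingress CA.
render_ingress_issuer() {
  local instance="$1"
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ${instance}-ingress-issuer
spec:
  ca:
    secretName: ${instance}-ingress-ca
EOF
}

# Render the replication client Certificate for a subsystem ("mgmt" or "ptl").
# The two certificates in the procedure differ only in this subsystem token.
render_replication_client_cert() {
  local instance="$1" subsystem="$2"
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${instance}-${subsystem}-replication-client
spec:
  commonName: ${instance}-${subsystem}-replication-client
  duration: 17520h0m0s
  issuerRef:
    kind: Issuer
    name: ${instance}-ingress-issuer
  renewBefore: 720h0m0s
  privateKey:
    rotationPolicy: Always
  secretName: ${instance}-${subsystem}-replication-client
EOF
}

# Succeed only if no "<placeholder>" token remains in a rendered file, so a
# literal "<apic-instance-name>" is never applied to the cluster.
placeholders_replaced() {
  ! grep -q '<[^>]*>' "$1"
}

# Check a copied encryption key file: it must exist, be non-empty and match
# the SHA-256 recorded on the active data center. A truncated or swapped key
# file would leave the warm-standby unable to decrypt replicated data.
check_key_file() {
  local file="$1" expected_sha="$2" actual
  [ -s "$file" ] || { echo "$file is missing or empty" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(openssl dgst -sha256 "$file" | awk '{print $NF}')
  fi
  [ "$actual" = "$expected_sha" ] || { echo "$file: checksum mismatch" >&2; return 1; }
}

# Read "oc get issuer" / "oc get certs" output on stdin and succeed only when
# the named resource is listed with READY=True.
resource_ready() {
  awk -v name="$1" '$1 == name && $2 == "True" { found = 1 } END { exit !found }'
}

# Typical use (commented out so the file can be sourced without a cluster):
#   render_ingress_issuer my-apic > ingress-issuer.yaml
#   placeholders_replaced ingress-issuer.yaml && oc apply -f ingress-issuer.yaml -n my-ns
#   check_key_file mgmt-enc-key.txt "<sha256 noted on the active data center>"
#   oc get issuer -n my-ns | resource_ready my-apic-ingress-issuer
```

Source the file, render each manifest into the 2dcdr-ws-yamls directory, and gate every oc apply on placeholders_replaced; pipe the oc get output of each verification step through resource_ready so a False in the READY column stops the procedure instead of being overlooked in the listing.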

What to do next

Install API Connect in your active data center: Installing API Connect on the active data center.