Renewing the analytics CA

Renew the analytics CA certificate, and all end-entity certificates that the analytics CA signs.

About this task

The pods that comprise the analytics subsystem communicate with each other using certificates that are signed by the analytics CA certificate. If you renew the analytics CA certificate, you must also renew the analytics end-entity certificates that the analytics CA signs.

For more information about API Connect certificates, see API Connect TLS certificates.

Procedure

  1. Run the following command to renew the analytics CA certificate:
    kubectl -n <analytics namespace> get certificate <analytics CA name> -o=jsonpath='{.spec.secretName}' | xargs kubectl -n <analytics namespace> delete secret
    where <analytics CA name> is the name of the analytics CA certificate. On Kubernetes and OpenShift individual subsystem installations this name is analytics-ca. On Cloud Pak for Integration and OpenShift top-level CR installations, this name is <apic instance name>-a7s-ca.
    Verify that a new <analytics CA name> secret is created:
    kubectl -n <analytics namespace> get secret
    Output should show a new <analytics CA name> secret:
    NAME                    TYPE                DATA   AGE
    ...
    <analytics CA name>     kubernetes.io/tls   4      28s
    Check that the AGE column shows the secret was recently created.
  2. Renew the end-entity certificates signed by the analytics CA. Run the following command for each certificate:
    kubectl get certificate <analytics certificate> -o=jsonpath='{.spec.secretName}' | xargs kubectl delete secret
    where <analytics certificate> is the name of the end-entity certificate. The analytics end-entity certificates are:
    • analytics-client or a7s-client.
    • analytics-server or a7s-server.

    On Cloud Pak for Integration and OpenShift top-level CR installations, the certificate name is prefixed with <apic instance name>-.

  3. Verify that the storage and warehouse pods restarted, and manually restart the analytics ingestion and director pods so that they use the renewed certificates.
    kubectl get pods
    Check that storage and warehouse pods restarted:
    NAME                                                 READY   STATUS             RESTARTS        AGE
    a7s-director-5b57848786-lg5w6                        1/1     Running            0               10d
    a7s-ingestion-0                                      1/1     Running            0               6d16h
    a7s-mtls-gw-5f5cb85744-gcwfw                         1/1     Running            0               37d
    a7s-oscron-28600035-gnb2p                            0/1     Completed          0               19d
    a7s-oscron-28600050-jgh4j                            1/1     Running            3 (19d ago)     19d
    a7s-storage-0                                        0/1     ContainerCreating  1               5s
    a7s-warehouse                                        0/1     ContainerCreating  1               5s
    Note: Warehouse pods exist only when analytics backups are enabled.
    Then delete the ingestion and director pods:
    kubectl delete pod <analytics ingestion pod name>
    kubectl delete pod <analytics director pod name>
    Tip: For convenience, you can restart all analytics pods with a single command:
    kubectl delete pod -l app.kubernetes.io/instance=<analytics CR name>
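    The three steps above as one script, added here as an example rather than IBM's own tooling. It assumes an individual-subsystem install (analytics-ca, analytics-client, analytics-server), that cert-manager re-issues a deleted secret within about two minutes, and that the namespace and analytics CR name are supplied through the ANALYTICS_NS and ANALYTICS_CR variables (both assumed names); the AGE check from step 1 is done by parsing the kubectl output instead of reading it by eye.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Assumed: namespace and CR name
# come from ANALYTICS_NS / ANALYTICS_CR; names are for an individual-subsystem
# install; cert-manager re-issues a deleted secret within ~2 minutes.
NS="${ANALYTICS_NS:-apic-analytics}"
CA_CERT="${ANALYTICS_CA:-analytics-ca}"
CR_NAME="${ANALYTICS_CR:-analytics}"
END_ENTITY="analytics-client analytics-server"

# Convert a kubectl AGE value (28s, 5m, 2m30s, 6d16h, 10d ...) to whole seconds.
age_to_seconds() {
  printf '%s\n' "$1" | awk '{
    s = $0; total = 0
    while (match(s, /^[0-9]+[smhd]/)) {
      n = substr(s, RSTART, RLENGTH - 1); u = substr(s, RSTART + RLENGTH - 1, 1)
      total += n * (u == "s" ? 1 : (u == "m" ? 60 : (u == "h" ? 3600 : 86400)))
      s = substr(s, RSTART + RLENGTH)
    }
    print total
  }'
}

# Given `kubectl get secret` output, succeed only if NAME exists and its AGE is
# below MAX seconds, i.e. the secret was really re-issued rather than left stale.
secret_is_fresh() {  # usage: secret_is_fresh "$output" NAME [MAX]
  age=$(printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $NF }')
  [ -n "$age" ] || return 1
  [ "$(age_to_seconds "$age")" -lt "${3:-120}" ]
}

# Steps 1 and 2: delete the secret behind a Certificate so cert-manager re-issues it.
renew_cert() {
  kubectl -n "$NS" get certificate "$1" -o=jsonpath='{.spec.secretName}' \
    | xargs kubectl -n "$NS" delete secret
}

renew_analytics_certs() {
  ca_secret=$(kubectl -n "$NS" get certificate "$CA_CERT" -o=jsonpath='{.spec.secretName}')
  renew_cert "$CA_CERT"
  # Wait for the new CA secret before renewing the leaves, so they are issued
  # from the renewed CA; give up after 24 x 5 s instead of looping forever.
  i=0
  until secret_is_fresh "$(kubectl -n "$NS" get secret)" "$ca_secret"; do
    i=$((i + 1)); [ "$i" -lt 24 ] || { echo "CA secret $ca_secret not re-issued" >&2; return 1; }
    sleep 5
  done
  for cert in $END_ENTITY; do renew_cert "$cert"; done
  # Step 3: ingestion/director do not restart by themselves; use the Tip's
  # label selector so every analytics pod reloads the renewed certificates.
  kubectl -n "$NS" delete pod -l app.kubernetes.io/instance="$CR_NAME"
}
```

Run `renew_analytics_certs` from a shell whose kubeconfig points at the cluster; the parsing functions can be exercised on saved kubectl output without cluster access.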