Renew the analytics CA certificate, and all end-entity certificates that the analytics CA
signs.
About this task
The pods that comprise the analytics subsystem communicate with each other using certificates
that are signed by the analytics CA certificate. If you renew the analytics CA certificate, you must
also renew the analytics end-entity certificates that the analytics CA signs.
For more information about API Connect certificates,
see API Connect TLS certificates.
Procedure
- Run the following command to renew the analytics CA certificate:
kubectl -n <analytics namespace> get certificate <analytics CA name> -o=jsonpath='{.spec.secretName}' | xargs kubectl -n <analytics namespace> delete secret
where <analytics CA name> is the name of the analytics CA certificate. On Kubernetes and OpenShift individual subsystem installations this name is analytics-ca. On Cloud Pak for Integration and OpenShift top-level CR installations, this name is <apic instance name>-a7s-ca.
Verify that a new <analytics CA name> secret is created:
kubectl -n <analytics namespace> get secret
Output should show a new <analytics CA name> secret:
NAME TYPE DATA AGE
...
<analytics CA name> kubernetes.io/tls 4 28s
Check that the AGE column shows the secret was recently created.
- Renew the end-entity certificates signed by the analytics CA. Run the following command for each certificate:
kubectl get certificate <analytics certificate> -o=jsonpath='{.spec.secretName}' | xargs kubectl delete secret
where <analytics certificate> is the name of the end-entity certificate. The analytics end-entity certificates are:
  - analytics-client or a7s-client.
  - analytics-server or a7s-server.
On Cloud Pak for Integration and OpenShift top-level CR installations, the certificate name is prefixed with <apic instance name>-.
- Verify that the storage and warehouse pods restarted, and manually restart the analytics ingestion and director pods so that they use the renewed certificates.
kubectl get pods
Check that storage and warehouse pods restarted:
NAME READY STATUS RESTARTS AGE
a7s-director-5b57848786-lg5w6 1/1 Running 0 10d
a7s-ingestion-0 1/1 Running 0 6d16h
a7s-mtls-gw-5f5cb85744-gcwfw 1/1 Running 0 37d
a7s-oscron-28600035-gnb2p 0/1 Completed 0 19d
a7s-oscron-28600050-jgh4j 1/1 Running 3 (19d ago) 19d
a7s-storage-0 0/1 ContainerCreating 1 5s
a7s-warehouse 0/1 ContainerCreating 1 5s
Note: Warehouse pods exist only when analytics backups are enabled.
Then delete the ingestion and director pods:
kubectl delete pod <analytics ingestion pod name>
kubectl delete pod <analytics director pod name>
Tip: For convenience, you can restart all analytics pods with a single command:
kubectl delete pod -l app.kubernetes.io/instance=<analytics CR name>
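
The AGE checks in steps 1 and 3 can be scripted. The following is an added example, not part of the product documentation: it reads kubectl get pods output and lists the pods that were created before the renewed CA secret. It assumes that restarted pods are re-created, as in the sample output where storage shows an AGE of 5s; the function names age_to_seconds, stale_pods and sample_pods are illustrative.

```shell
#!/bin/sh
# Added example, not part of the product documentation. Function names are illustrative.
# Convert a kubectl AGE value (28s, 6d16h, 2y45d) to seconds; non-zero exit if malformed.
age_to_seconds() {
  printf '%s\n' "$1" | awk '{
    total = 0; s = $0
    while (match(s, /^[0-9]+[ydhms]/)) {
      n = substr(s, 1, RLENGTH - 1) + 0
      u = substr(s, RLENGTH, 1)
      if (u == "y") n *= 31536000
      else if (u == "d") n *= 86400
      else if (u == "h") n *= 3600
      else if (u == "m") n *= 60
      total += n
      s = substr(s, RLENGTH + 1)
    }
    if (s != "" || $0 == "") exit 1
    print total
  }'
}

# stdin: kubectl get pods output; $1: AGE of the renewed CA secret. Prints older pods.
stale_pods() {
  limit=$(age_to_seconds "$1") || return 2
  while read -r name _ready status rest; do
    case "$name" in ''|NAME) continue ;; esac
    if [ "$status" = Completed ]; then continue; fi   # skip finished job pods
    # AGE is the last column; RESTARTS may contain spaces, e.g. "3 (19d ago)".
    age=$(age_to_seconds "${rest##* }") || continue
    if [ "$age" -gt "$limit" ]; then printf '%s\n' "$name"; fi
  done
  return 0
}

# Pod listing copied from the sample output in step 3.
sample_pods() {
  cat <<'EOF'
NAME READY STATUS RESTARTS AGE
a7s-director-5b57848786-lg5w6 1/1 Running 0 10d
a7s-ingestion-0 1/1 Running 0 6d16h
a7s-mtls-gw-5f5cb85744-gcwfw 1/1 Running 0 37d
a7s-oscron-28600035-gnb2p 0/1 Completed 0 19d
a7s-oscron-28600050-jgh4j 1/1 Running 3 (19d ago) 19d
a7s-storage-0 0/1 ContainerCreating 1 5s
a7s-warehouse 0/1 ContainerCreating 1 5s
EOF
}
# On a cluster: kubectl -n <analytics namespace> get pods | stale_pods <CA secret AGE>
sample_pods | stale_pods 28s
```

With the sample listing and a CA secret AGE of 28s, the storage and warehouse pods are not listed, and the ingestion and director pods are among those still to be restarted.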