Renewing the portal-ca with the PortalSecretRotation CR

Use the PortalSecretRotation CR to renew the portal-ca and all end-entity certificates that the portal-ca certificate signs.

About this task

Applying the PortalSecretRotation CR (Custom Resource) is the recommended method for renewing the portal-ca certificate and all of its end-entity certificates. The alternative method is to manually renew the portal-ca certificate and then each of its end-entity certificates, which you can identify from the Portal certificates table.

Restriction: The PortalSecretRotation CR is for use with a single data center deployment. Do not attempt to use it with a two data center disaster recovery deployment. See Renewing certificates in a two data center deployment on Kubernetes and OpenShift.

Procedure

  1. Create a file called portal-secret-cr.yaml and paste in the following contents:
    apiVersion: portal.apiconnect.ibm.com/v1beta1
    kind: PortalSecretRotation
    metadata:
      name: portal-rotate-secret
    spec:
      portalCluster: <portal CR name>
      # List of certificates you want to rotate. Listing an issuer rotates every certificate issued by that issuer, e.g. listing just portal-ca rotates portal-ca, portal-client and portal-server.
      rotateCertificates:
        certificates:
        - <portal CR name>-ca
      rotateEncryptionSecret:
        # Set to true if you want to rotate the encryption secret.
        rotate: true
        # Optional value to set the encryption secret to, used if the supplied secret exists in the environment. If not supplied, the rotated secret is random.
        encryptionSecret: new-encryption-secret
    where <portal CR name> is the name of your PortalCluster CR. You can identify this name with:
    kubectl get PortalCluster -n <portal namespace>
    If you set rotate: true in the rotateEncryptionSecret section, the portal-encryption-secret is updated and the following changes are made:
    • Change the root MySQL password.
    • Generate a new, site-specific MySQL password for each site.
    • Re-encrypt all client_ids and client_secrets in the portal database.
  2. Apply the CR by running the following command:
    kubectl create -f portal-secret-cr.yaml -n <portal namespace>
    Applying the CR updates the <portal CR name>-ca, along with all end-entity certificates that it signs. To view a list of the updated certificates, run the following command:
    kubectl describe PortalSecretRotation portal-rotate-secret -n <portal namespace>
    The status block in the command output shows the renewed certificates:
    Status:
      ...
      Phase:                   Completed
      Rotated Certs:
        def-portal-ca
        def-portal-server
        def-portal-client
      State:  Completed Portal Secret Rotation.
    ...
  3. When the certificate rotation is finished, delete the PortalSecretRotation CR.
    Confirm that certificate rotation is finished with the command:
    kubectl get PortalSecretRotation portal-rotate-secret -n <portal namespace>
    The output should show Completed:
    NAME                   STATUS      MESSAGE                             AGE
    portal-rotate-secret   Completed   Completed Portal Secret Rotation.   7m50s
    Then delete the CR:
    kubectl delete PortalSecretRotation portal-rotate-secret -n <portal namespace>
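The three steps above can be scripted so that the CR is only deleted once the CA and both end-entity certificates it signs have actually been rotated. The following shell example is added here and is not part of the IBM documentation; it assumes that the Phase and Rotated Certs fields in the describe output are exposed as .status.phase and .status.rotatedCerts in the CR's JSON, which you should confirm with kubectl get ... -o json before relying on it.

```shell
# Added example (not IBM's code). Assumes the describe output's "Phase" and
# "Rotated Certs" fields are .status.phase and .status.rotatedCerts in JSON,
# and that the encryption-secret rotation is left off unless requested.
set -eu

# Print the PortalSecretRotation manifest for portal CR $1. Listing the CA also
# rotates the portal-client and portal-server certs it issued. $2 = true/false.
rotation_manifest() {
  cat <<EOF
apiVersion: portal.apiconnect.ibm.com/v1beta1
kind: PortalSecretRotation
metadata:
  name: portal-rotate-secret
spec:
  portalCluster: $1
  rotateCertificates:
    certificates:
    - $1-ca
  rotateEncryptionSecret:
    rotate: ${2:-false}
EOF
}

# Succeed only when phase $2 is Completed and the space-separated list $3 of
# rotated certs holds every cert the portal CA signs ($1 = portal CR name).
rotation_complete() {
  phase=$2; rotated=" $3 "
  [ "$phase" = "Completed" ] || return 1
  for cert in "$1-ca" "$1-server" "$1-client"; do
    case "$rotated" in *" $cert "*) ;; *) return 1 ;; esac
  done
}

# Create the CR for portal $1 in namespace $2, poll (at most $3 checks, 10 s
# apart) until the rotation completes, then delete the CR; otherwise keep it.
rotate_and_cleanup() {
  name=$1; ns=$2; tries=${3:-60}; i=0
  rotation_manifest "$name" | kubectl create -f - -n "$ns"
  while [ "$i" -lt "$tries" ]; do
    status=$(kubectl get PortalSecretRotation portal-rotate-secret -n "$ns" \
      -o jsonpath='{.status.phase} {.status.rotatedCerts[*]}')
    if rotation_complete "$name" "${status%% *}" "${status#* }"; then
      kubectl delete PortalSecretRotation portal-rotate-secret -n "$ns"
      return 0
    fi
    i=$((i + 1)); sleep 10
  done
  echo "rotation did not complete after $tries checks; CR left in place" >&2
  return 1
}
```

Run it as `rotate_and_cleanup <portal CR name> <portal namespace>`; if the rotation never reaches Completed the CR is left in place so you can inspect it with kubectl describe.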