Use the PortalSecretRotation CR to renew the portal-ca certificate and all end-entity certificates that the portal-ca certificate signs.
About this task
Applying the PortalSecretRotation CR (Custom Resource) is the recommended method for renewing the portal-ca certificate and all of its end-entity certificates. The alternative method is to manually renew the portal-ca certificate and then each of its end-entity certificates, which you can identify from the certificates table in Portal certificates.
Procedure
- Create a file called portal-secret-cr.yaml and paste in the following contents:

  apiVersion: portal.apiconnect.ibm.com/v1beta1
  kind: PortalSecretRotation
  metadata:
    name: portal-rotate-secret
  spec:
    portalCluster: <portal CR name>
    # List of certificates you want to rotate. Listing an issuer rotates every certificate issued by that issuer, e.g. listing just portal-ca rotates portal-ca, portal-client and portal-server.
    rotateCertificates:
      certificates:
        - <portal CR name>-ca
    rotateEncryptionSecret:
      # Set to true if you want to rotate the encryption secret.
      rotate: true
      # Optional value to set the encryption secret to, if the supplied secret exists in the environment. If not supplied, the rotated secret is random.
      encryptionSecret: new-encryption-secret
  where <portal CR name> is the name of your PortalCluster CR. You can identify this name with:

  kubectl get PortalCluster -n <portal namespace>

  If you set rotate: true in the rotateEncryptionSecret section, the portal-encryption-secret is updated and the following changes are made:
  - Change the root MySQL password.
  - Generate a new, site-specific MySQL password for each site.
  - Re-encrypt all client_ids and client_secrets in the portal database.
- Apply the CR by running the following command:

  kubectl create -f portal-secret-cr.yaml -n <portal namespace>

  Applying the CR updates the <portal CR name>-ca certificate, along with all end-entity certificates that it signs. To view a list of the updated certificates, run the following command:

  kubectl describe PortalSecretRotation portal-rotate-secret -n <portal namespace>
  The status block in the command output shows the renewed certificates:

  Status:
    ...
    Phase: Completed
    Rotated Certs:
      def-portal-ca
      def-portal-server
      def-portal-client
    State: Completed Portal Secret Rotation.
    ...
- When the certificate rotation is finished, delete the PortalSecretRotation CR. Confirm that certificate rotation is finished with the command (the CR name is the metadata.name you set in portal-secret-cr.yaml, portal-rotate-secret in the example above):

  kubectl get PortalSecretRotation portal-rotate-secret -n <portal namespace>

  The output should show Completed:

  NAME                   STATUS      MESSAGE                             AGE
  portal-rotate-secret   Completed   Completed Portal Secret Rotation.   7m50s

  Then delete the CR:

  kubectl delete PortalSecretRotation portal-rotate-secret -n <portal namespace>
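The three steps above as one script, added here as an example; it is not part of the IBM API Connect documentation or the product. It assumes kubectl is on PATH and authenticated against the cluster, that the CR name portal-rotate-secret is not already in use in the namespace, and that the phase which kubectl describe prints as "Phase:" is readable as .status.phase (an assumption about the CR schema). The script lists only <portal CR name>-ca, which is enough to rotate the end-entity certificates the CA signs, checks that a named encryption secret exists before the CR is applied (the operator only honours an existing secret), waits for the Completed phase, prints the Status block, and then deletes the CR.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM API Connect documentation): drive the
# PortalSecretRotation procedure end to end. Assumptions: kubectl is on PATH and
# authenticated, the CR name portal-rotate-secret is free, and the CR exposes its
# phase at .status.phase (the field "kubectl describe" prints as "Phase:").
set -eu

# is_completed PHASE: true when the rotation has reached the Completed phase.
is_completed() {
  [ "${1:-}" = "Completed" ]
}

# render_rotation_cr NAME PORTAL_CR [ENCRYPTION_SECRET]
# Prints the manifest. Listing only <portal CR name>-ca is enough: the operator
# also rotates every end-entity certificate that the CA issued (portal-client,
# portal-server). encryptionSecret is emitted only when the caller supplies one;
# otherwise the operator generates a random encryption secret.
render_rotation_cr() {
  name=$1; portal=$2; enc=${3:-}
  cat <<EOF
apiVersion: portal.apiconnect.ibm.com/v1beta1
kind: PortalSecretRotation
metadata:
  name: ${name}
spec:
  portalCluster: ${portal}
  rotateCertificates:
    certificates:
      - ${portal}-ca
  rotateEncryptionSecret:
    rotate: true
EOF
  if [ -n "$enc" ]; then
    printf '    encryptionSecret: %s\n' "$enc"
  fi
}

# rotation_phase NAMESPACE NAME: prints the CR's current phase (empty if not yet set).
rotation_phase() {
  kubectl get PortalSecretRotation "$2" -n "$1" -o jsonpath='{.status.phase}'
}

# wait_for_completion NAMESPACE NAME [TIMEOUT_SECONDS]: polls every 10 seconds.
wait_for_completion() {
  ns=$1; name=$2; timeout=${3:-600}; waited=0; phase=""
  while [ "$waited" -lt "$timeout" ]; do
    phase=$(rotation_phase "$ns" "$name" 2>/dev/null || true)
    if is_completed "$phase"; then
      return 0
    fi
    sleep 10
    waited=$((waited + 10))
  done
  echo "timed out after ${timeout}s waiting for ${name}; last phase: '${phase}'" >&2
  return 1
}

# rotate_portal_secrets NAMESPACE PORTAL_CR [ENCRYPTION_SECRET]
# Create the CR, wait for it to complete, show the rotated certificates, and
# delete the CR so it does not linger in the namespace.
rotate_portal_secrets() {
  ns=$1; portal=$2; enc=${3:-}; name=portal-rotate-secret
  # Refuse to start unless the PortalCluster exists; the CR references it by name only.
  kubectl get PortalCluster "$portal" -n "$ns" >/dev/null
  # A named encryption secret must already exist in the namespace to be used.
  if [ -n "$enc" ]; then
    kubectl get secret "$enc" -n "$ns" >/dev/null
  fi
  render_rotation_cr "$name" "$portal" "$enc" | kubectl create -n "$ns" -f -
  wait_for_completion "$ns" "$name"
  # The Status block lists the renewed certificates (the CA plus its end-entity certs).
  kubectl describe PortalSecretRotation "$name" -n "$ns" | sed -n '/^Status:/,$p'
  kubectl delete PortalSecretRotation "$name" -n "$ns"
}

# Usage: ./rotate-portal-secrets.sh <portal namespace> <portal CR name> [existing-secret-name]
if [ "$#" -ge 2 ]; then
  rotate_portal_secrets "$@"
fi
```

Run it as ./rotate-portal-secrets.sh <portal namespace> <portal CR name> to rotate the CA, its end-entity certificates and a randomly generated encryption secret; pass an existing secret name as the third argument to use that secret instead. Because the CR is deleted only after the Completed phase is observed, a failed or stalled rotation leaves the CR in place for inspection with kubectl describe.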