Preparing your active data center

Create the secrets, certificates, and issuers that are needed for your active data center to replicate with the warm-standby.

About this task

All operations are done on the CLI, in the 2dcdr-active-yamls directory you created in Planning and initial preparation.

In the yaml files and commands that are shown here, replace <apic-instance-name> with the name you intend to use for your API Connect Cluster CR, and <namespace> with your API Connect namespace name (which will be the same for both Management and Portal subsystems), as decided in Planning and initial preparation. The <management namespace> and <portal namespace> placeholders in the commands refer to this same namespace.

Procedure

  1. Create the encryption key secrets for the Management and Portal subsystems.
    1. Run the following command to create a file that contains a random string, which is used to create the management encryption key secret:
      cat /dev/urandom | head -c63 | base64 -w0 > mgmt-enc-key.txt
    2. Run the following command to create the management encryption key secret:
      oc create secret generic mgmt-encryption-key --from-file=encryption_secret.bin=mgmt-enc-key.txt -n <management namespace>
    3. Confirm that the secret was created successfully by running:
      oc get secrets -n <management namespace> | grep mgmt-encryption-key
      
      mgmt-encryption-key        Opaque                                1      83s
    4. Run the following command to create a file that contains a random string, which is used to create the portal encryption key secret:
      cat /dev/urandom | head -c63 | base64 -w0 > ptl-enc-key.txt
    5. Run the following command to create the portal encryption key secret:
      oc create secret generic ptl-encryption-key --from-file=encryption_secret=ptl-enc-key.txt -n <portal namespace>
    6. Confirm that the secret was created successfully by running:
      oc get secrets -n <portal namespace> | grep ptl-encryption-key
      
      ptl-encryption-key         Opaque                                1      15s
  2. Create a self-signed issuer.
    1. Create a file that is called issuer.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <apic-instance-name>-self-signed
      spec:
        selfSigned: {}
    2. Apply this yaml file with:
      oc apply -f issuer.yaml -n <namespace>
    3. Verify that the issuer was created with:
      oc get issuer -n <namespace>
      
      NAME               READY   AGE
      apic-self-signed   True    25s
  3. Create an ingress-ca certificate.
    1. Create a file that is called self-signed-issuer-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <apic-instance-name>-ingress-ca
      spec:
        commonName: ingress-ca
        duration: 87600h0m0s
        isCA: true
        issuerRef:
          kind: Issuer
          name: <apic-instance-name>-self-signed
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: <apic-instance-name>-ingress-ca
    2. Apply this yaml file with:
      oc apply -f self-signed-issuer-cert.yaml -n <namespace>
    3. Verify that the certificate was created with:
      oc get cert -n <namespace>
      
      NAME                           READY   SECRET                         AGE     EXPIRATION
      apic-ingress-ca                True    apic-ingress-ca                11s     2032-08-15T13:01:47Z
  4. Create the ingress issuer.
    1. Create a file ingress-issuer.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <apic-instance-name>-ingress-issuer
      spec:
        ca:
          secretName: <apic-instance-name>-ingress-ca
    2. Apply this yaml file with:
      oc apply -f ingress-issuer.yaml -n <namespace>
    3. Verify that the issuer was created with:
      oc get issuer -n <namespace>
      
      NAME                  READY   AGE
      apic-ingress-issuer   True    20s
  5. Create the TLS client replication certificates for Management and Portal.
    1. Create a yaml file that is called mgmt-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <apic-instance-name>-mgmt-replication-client
      spec:
        commonName: <apic-instance-name>-mgmt-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: <apic-instance-name>-ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: <apic-instance-name>-mgmt-replication-client
    2. Apply this yaml file with:
      oc apply -f mgmt-tls-client-cert.yaml -n <management namespace>
    3. Verify that the certificate was created with:
      oc get certs -n <management namespace>
      
      NAME                                           READY   SECRET                                         AGE     EXPIRATION
      ...
      <apic-instance-name>-mgmt-replication-client   True    <apic-instance-name>-mgmt-replication-client   16m     2024-08-17T13:04:27Z
    4. Create a file ptl-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <apic-instance-name>-ptl-replication-client
      spec:
        commonName: <apic-instance-name>-ptl-replication-client
        duration: 17520h0m0s
        issuerRef:
          kind: Issuer
          name: <apic-instance-name>-ingress-issuer
        renewBefore: 720h0m0s
        privateKey:
          rotationPolicy: Always
        secretName: <apic-instance-name>-ptl-replication-client
    5. Apply this yaml file with:
      oc apply -f ptl-tls-client-cert.yaml -n <portal namespace>
    6. Verify that the certificate was created with:
      oc get certs -n <portal namespace>
      
      NAME                                          READY   SECRET                                        AGE     EXPIRATION
      ...
      <apic-instance-name>-ptl-replication-client   True    <apic-instance-name>-ptl-replication-client   16m     2024-08-17T13:04:27Z
  6. Export the ingress-ca issuer secret.
    The ingress-ca issuer secret must be the same on the warm-standby data center. Export it from the active so that it can be imported on the warm-standby data center.
    1. Run the following command to export the secret to a file called ca-issuer-secret.yaml:
      oc get secret <apic-instance-name>-ingress-ca -o yaml -n <namespace> > ca-issuer-secret.yaml
    2. Edit the ca-issuer-secret.yaml file to remove the creationTimestamp, resourceVersion, uid, and managedFields fields from the metadata section, and remove the labels and annotations sections completely. The contents should then look like this:
      apiVersion: v1
      data:
        ca.crt: <long cert string>
        tls.crt: <long cert string>
        tls.key: <long cert string>
      kind: Secret
      metadata:
        name: <apic-instance-name>-ingress-ca
        namespace: <namespace>
      type: kubernetes.io/tls
      
  7. Copy the following files from your 2dcdr-active-yamls directory to the 2dcdr-ws-yamls directory in your warm-standby data center.
    ca-issuer-secret.yaml
    mgmt-enc-key.txt
    ptl-enc-key.txt
    These files are required to ensure that the ingress-ca and encryption secrets on both sites are the same.
    Tip: To save time during the preparation of your warm-standby data center, you can also copy these yaml files:
    ptl-tls-client-cert.yaml
    mgmt-tls-client-cert.yaml
    ingress-issuer.yaml
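As an added example (not part of the IBM documentation), the following POSIX shell script automates the metadata clean-up of step 6.2 and checks the shape of the encryption key files from step 1 before they are copied to the warm-standby in step 7. The sample secret it runs on, including its data values and its annotation and label values, and the two key strings are constructed placeholders; the function names sanitize_secret, check_secret and check_enc_key are this example's own, and the script assumes a POSIX sh with awk, tr, wc and mktemp available.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Assumes POSIX sh, awk, tr, wc, mktemp.
set -eu

# sanitize_secret IN OUT
# Rewrite an exported Secret (oc get secret ... -o yaml) so that only the portable
# parts remain: drops creationTimestamp, resourceVersion, uid, managedFields,
# labels and annotations from metadata, together with everything nested under
# them, as step 6.2 asks. Indentation is used to find the nested lines.
sanitize_secret() {
  awk '
    BEGIN { skip = -1; in_meta = 0 }
    {
      match($0, /^ */); ind = RLENGTH
      if (skip >= 0) {
        # still inside a dropped block: deeper lines, blank lines, or a "- " list
        # item at the same indent (kubectl lays out managedFields that way)
        if ($0 ~ /^ *$/ || ind > skip || (ind == skip && substr($0, ind + 1, 2) == "- ")) next
        skip = -1
      }
      if (ind == 0) in_meta = ($0 ~ /^metadata:/)
      if (in_meta && ind > 0 && $0 ~ /^ *(creationTimestamp|resourceVersion|uid|managedFields|labels|annotations):/) {
        skip = ind; next
      }
      print
    }' "$1" > "$2"
}

# check_secret FILE
# Confirm the sanitized file still carries what the warm-standby import needs
# and none of the cluster-specific fields. Returns 1 on the first problem.
check_secret() {
  for key in 'ca.crt:' 'tls.crt:' 'tls.key:' 'name:' 'namespace:' 'type: kubernetes.io/tls'; do
    grep -q "$key" "$1" || { echo "$1: missing $key" >&2; return 1; }
  done
  for key in creationTimestamp resourceVersion uid managedFields labels annotations; do
    if grep -q "^ *$key:" "$1"; then echo "$1: $key still present" >&2; return 1; fi
  done
}

# check_enc_key FILE
# The documented command (cat /dev/urandom | head -c63 | base64 -w0) yields
# exactly 84 base64 characters and no trailing newline. Any other shape means the
# file was written differently, and a secret built from it would not match the
# one on the other site.
check_enc_key() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -eq 84 ] || { echo "$1: expected 84 bytes, got $size" >&2; return 1; }
  stray=$(tr -d 'A-Za-z0-9+/' < "$1" | wc -c | tr -d ' ')
  [ "$stray" -eq 0 ] || { echo "$1: contains $stray non-base64 bytes" >&2; return 1; }
}

WORKDIR=$(mktemp -d)
SAMPLE_IN="$WORKDIR/ca-issuer-secret-raw.yaml"
SAMPLE_OUT="$WORKDIR/ca-issuer-secret.yaml"
GOOD_KEY="$WORKDIR/mgmt-enc-key.txt"
BAD_KEY="$WORKDIR/mgmt-enc-key-with-newline.txt"

# Constructed stand-in for the raw export: the data values are placeholders,
# not certificate material, and the annotation/label/uid values are made up.
cat > "$SAMPLE_IN" <<'EOF'
apiVersion: v1
data:
  ca.crt: PLACEHOLDER-CA-CERT
  tls.crt: PLACEHOLDER-TLS-CERT
  tls.key: PLACEHOLDER-TLS-KEY
kind: Secret
metadata:
  annotations:
    cert-manager.io/certificate-name: apic-ingress-ca
    cert-manager.io/issuer-name: apic-self-signed
  creationTimestamp: "2024-08-15T13:01:47Z"
  labels:
    controller.cert-manager.io/fao: "true"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data: {}
    manager: cert-manager
    operation: Update
  name: apic-ingress-ca
  namespace: apic
  resourceVersion: "123456"
  uid: 00000000-0000-0000-0000-000000000000
type: kubernetes.io/tls
EOF

# Constructed key files: 84 base64 characters, once without and once with a trailing newline.
KEY='abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzABCDEF'
printf '%s' "$KEY" > "$GOOD_KEY"
printf '%s\n' "$KEY" > "$BAD_KEY"

# Run the checks once so the script does something useful on its own.
sanitize_secret "$SAMPLE_IN" "$SAMPLE_OUT"
check_secret "$SAMPLE_OUT"
check_enc_key "$GOOD_KEY"
if check_enc_key "$BAD_KEY" 2>/dev/null; then echo "unexpected: key with newline accepted"; exit 1; fi
echo "sanitized secret written to $SAMPLE_OUT"
cat "$SAMPLE_OUT"
```

On a real export, point sanitize_secret at the ca-issuer-secret.yaml produced in step 6.1 and run check_secret and check_enc_key on the files listed in step 7 before copying them. The awk filter keeps data, name, namespace and type untouched and only removes the named keys under metadata, so the result matches the shape shown in step 6.2; the 84-byte check catches a key file that was written with an editor or with a trailing newline, which would otherwise yield a different encryption secret on the warm-standby.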

What to do next

Create your secrets, certs, and issuers on your warm-standby data center: Preparing your warm-standby data center.