Preparing your active data center
Create the secrets, certificates, and issuers that are needed for your active data center to replicate with the warm-standby.
About this task
All operations are done on the CLI, in the 2dcdr-active-yamls directory you created in Planning and initial preparation.
In the yaml files and commands that are shown here, replace <apic-instance-name> with the name you intend to use for your API Connect Cluster CR, and <namespace> with your API Connect namespace name (which is the same for both the Management and Portal subsystems), as decided in Planning and initial preparation.
Procedure
- Create the encryption key secrets for the Management and Portal subsystems.
  - Run the following command to create a file that contains a random string, which is used to create the management encryption key secret:
    cat /dev/urandom | head -c63 | base64 -w0 > mgmt-enc-key.txt
  - Run the following command to create the management encryption key secret:
    oc create secret generic mgmt-encryption-key --from-file=encryption_secret.bin=mgmt-enc-key.txt -n <management namespace>
  - Confirm that the secret was created successfully by running:
    oc get secrets -n <management namespace> | grep mgmt-encryption-key
    mgmt-encryption-key   Opaque   1   83s
  - Run the following command to create a file that contains a random string, which is used to create the portal encryption key secret:
    cat /dev/urandom | head -c63 | base64 -w0 > ptl-enc-key.txt
  - Run the following command to create the portal encryption key secret:
    oc create secret generic ptl-encryption-key --from-file=encryption_secret=ptl-enc-key.txt -n <portal namespace>
  - Confirm that the secret was created successfully by running:
    oc get secrets -n <portal namespace> | grep ptl-encryption-key
    ptl-encryption-key   Opaque   1   15s
- Create a self-signed issuer.
  - Create a file that is called issuer.yaml and paste in the following contents, replacing <apic-instance-name>:
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: <apic-instance-name>-self-signed
    spec:
      selfSigned: {}
  - Apply this yaml file with:
    oc apply -f issuer.yaml -n <namespace>
  - Verify that the issuer was created with:
    oc get issuer -n <namespace>
    NAME               READY   AGE
    apic-self-signed   True    25s
- Create an ingress-ca certificate.
  - Create a file that is called self-signed-issuer-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: <apic-instance-name>-ingress-ca
    spec:
      commonName: ingress-ca
      duration: 87600h0m0s
      isCA: true
      issuerRef:
        kind: Issuer
        name: <apic-instance-name>-self-signed
      renewBefore: 720h0m0s
      privateKey:
        rotationPolicy: Always
      secretName: <apic-instance-name>-ingress-ca
  - Apply this yaml file with:
    oc apply -f self-signed-issuer-cert.yaml -n <namespace>
  - Verify that the certificate was created with:
    oc get cert -n <namespace>
    NAME              READY   SECRET            AGE   EXPIRATION
    apic-ingress-ca   True    apic-ingress-ca   11s   2032-08-15T13:01:47Z
- Create the ingress issuer.
  - Create a file that is called ingress-issuer.yaml and paste in the following contents, replacing <apic-instance-name>:
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: <apic-instance-name>-ingress-issuer
    spec:
      ca:
        secretName: <apic-instance-name>-ingress-ca
  - Apply this yaml file with:
    oc apply -f ingress-issuer.yaml -n <namespace>
  - Verify that the issuer was created with:
    oc get issuer -n <namespace>
    NAME                  READY   AGE
    apic-ingress-issuer   True    20s
- Create the TLS client replication certificates for Management and Portal.
  - Create a yaml file that is called mgmt-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: <apic-instance-name>-mgmt-replication-client
    spec:
      commonName: <apic-instance-name>-mgmt-replication-client
      duration: 17520h0m0s
      issuerRef:
        kind: Issuer
        name: <apic-instance-name>-ingress-issuer
      renewBefore: 720h0m0s
      privateKey:
        rotationPolicy: Always
      secretName: <apic-instance-name>-mgmt-replication-client
  - Apply this yaml file with:
    oc apply -f mgmt-tls-client-cert.yaml -n <management namespace>
  - Verify that the certificate was created with:
    oc get certs -n <management namespace>
    NAME                                           READY   SECRET                                         AGE   EXPIRATION
    ...
    <apic-instance-name>-mgmt-replication-client   True    <apic-instance-name>-mgmt-replication-client   16m   2024-08-17T13:04:27Z
  - Create a file that is called ptl-tls-client-cert.yaml and paste in the following contents, replacing <apic-instance-name>:
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: <apic-instance-name>-ptl-replication-client
    spec:
      commonName: <apic-instance-name>-ptl-replication-client
      duration: 17520h0m0s
      issuerRef:
        kind: Issuer
        name: <apic-instance-name>-ingress-issuer
      renewBefore: 720h0m0s
      privateKey:
        rotationPolicy: Always
      secretName: <apic-instance-name>-ptl-replication-client
  - Apply this yaml file with:
    oc apply -f ptl-tls-client-cert.yaml -n <portal namespace>
  - Verify that the certificate was created with:
    oc get certs -n <portal namespace>
    NAME                                          READY   SECRET                                        AGE   EXPIRATION
    ...
    <apic-instance-name>-ptl-replication-client   True    <apic-instance-name>-ptl-replication-client   16m   2024-08-17T13:04:27Z
- Export the ingress-ca issuer secret. The ingress-ca issuer secret must be the same on the warm-standby data center, so export it from the active data center so that it can be imported on the warm-standby.
  - Run the following command to export the secret to a file called ca-issuer-secret.yaml:
    oc get secret <apic-instance-name>-ingress-ca -o yaml -n <namespace> > ca-issuer-secret.yaml
  - Edit the ca-issuer-secret.yaml file to remove the creationTimestamp, resourceVersion, uid, and managedFields. Remove the labels and annotations sections completely. The contents should look like this:
    apiVersion: v1
    data:
      ca.crt: <long cert string>
      tls.crt: <long cert string>
      tls.key: <long cert string>
    kind: Secret
    metadata:
      name: <apic-instance-name>-ingress-ca
      namespace: <namespace>
    type: kubernetes.io/tls
- Copy the following files from your 2dcdr-active-yamls directory to the 2dcdr-ws-yamls directory in your warm-standby data center. These files are required to ensure that the ingress-ca and encryption secrets on both sites are the same:
  ca-issuer-secret.yaml
  mgmt-enc-key.txt
  ptl-enc-key.txt
  Tip: To save time during the preparation of your warm-standby data center, you can also copy these yaml files:
  ptl-tls-client-cert.yaml
  mgmt-tls-client-cert.yaml
  ingress-issuer.yaml
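The manual edit in the "Export the ingress-ca issuer secret" step is easy to get wrong, and a leftover uid or resourceVersion makes the import on the warm-standby fail or bind to the wrong object. The following added example (not part of the IBM documentation) strips those cluster-specific metadata fields with awk and then checks that only the portable parts of the secret remain; it assumes POSIX sh and awk, and the secret contents in it are a constructed sample with fake values.

```sh
# Added example (not IBM's code): strip the cluster-specific metadata from an
# exported ingress-ca secret so it imports cleanly on the warm-standby site.
# Assumes POSIX sh + awk. Drops creationTimestamp, resourceVersion, uid,
# managedFields, labels and annotations (with nested lines) from metadata: of $1 into $2.
sanitize_secret() {
  awk '
    /^[^ ]/ { in_meta = ($0 == "metadata:"); skipping = 0; print; next }
    in_meta && /^  [A-Za-z]/ {
      key = $1; sub(/:$/, "", key)
      skipping = (key ~ /^(creationTimestamp|resourceVersion|uid|managedFields|labels|annotations)$/)
      if (!skipping) print
      next
    }
    in_meta && skipping { next }
    { print }
  ' "$1" > "$2"
}
# Succeed only if $1 has no cluster-specific metadata left and still carries the
# name, namespace and the three TLS data entries the warm-standby needs.
check_portable_secret() {
  grep -Eq '^  (creationTimestamp|resourceVersion|uid|managedFields|labels|annotations):' "$1" && return 1
  for key in name namespace ca.crt tls.crt tls.key; do
    grep -q "^  $key: " "$1" || return 1
  done
  grep -q '^type: kubernetes.io/tls$' "$1"
}
# Constructed sample of what "oc get secret ... -o yaml" returns (values are fake).
tmp=$(mktemp -d)
cat > "$tmp/raw-secret.yaml" <<'EOF'
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTi1GQUtFLS0tLS0=
  tls.crt: LS0tLS1CRUdJTi1GQUtFLS0tLS0=
  tls.key: LS0tLS1CRUdJTi1GQUtFLS0tLS0=
kind: Secret
metadata:
  annotations:
    cert-manager.io/certificate-name: apic-ingress-ca
  creationTimestamp: "2024-08-15T13:01:47Z"
  managedFields:
  - apiVersion: v1
    manager: cert-manager
  name: apic-ingress-ca
  namespace: apic
  resourceVersion: "123456"
  uid: 00000000-0000-0000-0000-000000000000
type: kubernetes.io/tls
EOF
sanitize_secret "$tmp/raw-secret.yaml" "$tmp/ca-issuer-secret.yaml" && check_portable_secret "$tmp/ca-issuer-secret.yaml" && cat "$tmp/ca-issuer-secret.yaml"
```

Run it against the real ca-issuer-secret.yaml in 2dcdr-active-yamls (keeping the original as a backup) before copying the file to the warm-standby site; a non-zero exit from check_portable_secret means the file still carries fields that belong to the active cluster.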