Preparing your warm-standby data center
Create the secrets, certificates, and issuers that are needed for your warm-standby data center to replicate with the active.
About this task
All operations are done on the CLI, in the 2dcdr-ws-yamls directory you created in Planning and initial preparation.
In the yaml files and commands that are shown here, replace <namespace> with the name of the corresponding subsystem namespace.
Procedure
- Import the ingress-ca issuer secret. This secret was created on your active data center in Preparing your active data center.
  - If you did not do it as part of Preparing your active data center, copy the ca-issuer-secret.yaml file to your warm-standby data center.
  - Create the secret with:

        oc apply -f ca-issuer-secret.yaml -n <namespace>

  - Verify that the secret was created with:

        oc get secret -n <namespace>
        NAME         TYPE                DATA   AGE
        ingress-ca   kubernetes.io/tls   3      19h

  - If your Portal subsystem is in a different namespace in your warm-standby data center, then repeat the oc apply operation against the portal namespace.
- Create a file that is called warm-standby-certs.yaml and paste in:

      #
      # Licensed under the Apache License, Version 2.0 (the "License");
      # you may not use this file except in compliance with the License.
      # You may obtain a copy of the License at
      #
      # http://www.apache.org/licenses/LICENSE-2.0
      #
      # Unless required by applicable law or agreed to in writing, software
      # distributed under the License is distributed on an "AS IS" BASIS,
      # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      # See the License for the specific language governing permissions and
      # limitations under the License.
      #
      ---
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: selfsigning-issuer
        labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "selfsigning-issuer" }
      spec:
        selfSigned: {}
      ---
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: ingress-issuer
        labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "ingress-issuer" }
      spec:
        ca:
          secretName: ingress-ca
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: portal-admin-client
        labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "portal-admin-client" }
      spec:
        subject:
          organizations:
          - cert-manager
        commonName: portal-admin-client
        secretName: portal-admin-client
        issuerRef:
          name: ingress-issuer
        usages:
        - "client auth"
        - "signing"
        - "key encipherment"
        duration: 17520h # 2 years
        renewBefore: 720h # 30 days
        privateKey:
          rotationPolicy: Always
        secretTemplate:
          labels:
            app.kubernetes.io/instance: "management"
            app.kubernetes.io/managed-by: "ibm-apiconnect"
            app.kubernetes.io/name: "portal-admin-client"
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: gateway-client-client
        labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "gateway-client-client" }
      spec:
        subject:
          organizations:
          - cert-manager
        commonName: gateway-client-client
        secretName: gateway-client-client
        issuerRef:
          name: ingress-issuer
        usages:
        - "client auth"
        - "signing"
        - "key encipherment"
        duration: 17520h # 2 years
        renewBefore: 720h # 30 days
        privateKey:
          rotationPolicy: Always
        secretTemplate:
          labels:
            app.kubernetes.io/instance: "management"
            app.kubernetes.io/managed-by: "ibm-apiconnect"
            app.kubernetes.io/name: "gateway-client-client"
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: analytics-ingestion-client
        labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "analytics-ingestion-client" }
      spec:
        subject:
          organizations:
          - cert-manager
        commonName: analytics-ingestion-client
        secretName: analytics-ingestion-client
        issuerRef:
          name: ingress-issuer
        usages:
        - "client auth"
        - "signing"
        - "key encipherment"
        duration: 17520h # 2 years
        renewBefore: 720h # 30 days
        privateKey:
          rotationPolicy: Always
        secretTemplate:
          labels:
            app.kubernetes.io/instance: "management"
            app.kubernetes.io/managed-by: "ibm-apiconnect"
            app.kubernetes.io/name: "analytics-ingestion-client"
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: gateway-service
        labels: { app.kubernetes.io/instance: "gatewaycluster", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "gateway-service" }
      spec:
        subject:
          organizations:
          - cert-manager
        commonName: gateway-service
        secretName: gateway-service
        issuerRef:
          name: ingress-issuer
        usages:
        - "client auth"
        - "signing"
        - "key encipherment"
        duration: 17520h # 2 years
        renewBefore: 720h # 30 days
        privateKey:
          rotationPolicy: Always
        secretTemplate:
          labels:
            app.kubernetes.io/instance: "gatewaycluster"
            app.kubernetes.io/managed-by: "ibm-apiconnect"
            app.kubernetes.io/name: "gateway-service"
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: gateway-peering
        labels: { app.kubernetes.io/instance: "gatewaycluster", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "gateway-peering" }
      spec:
        subject:
          organizations:
          - cert-manager
        commonName: gateway-peering
        secretName: gateway-peering
        issuerRef:
          name: ingress-issuer
        usages:
        - "server auth"
        - "client auth"
        - "signing"
        - "key encipherment"
        duration: 17520h # 2 years
        renewBefore: 720h # 30 days
        privateKey:
          rotationPolicy: Always
        secretTemplate:
          labels:
            app.kubernetes.io/instance: "gatewaycluster"
            app.kubernetes.io/managed-by: "ibm-apiconnect"
            app.kubernetes.io/name: "gateway-peering"

  - Apply this file by running against your Management subsystem namespace:

        oc apply -f warm-standby-certs.yaml -n <namespace>

  - Verify that the certificates, secrets, and issuers were created with:

        oc get secrets -n <namespace>
        NAME                         TYPE                DATA   AGE
        analytics-ingestion-client   kubernetes.io/tls   3      12s
        gateway-client-client        kubernetes.io/tls   3      21s
        gateway-peering              kubernetes.io/tls   3      11s
        gateway-service              kubernetes.io/tls   3      21s
        ingress-ca                   kubernetes.io/tls   3      18m
        portal-admin-client          kubernetes.io/tls   3      17s

        oc get certificates -n <namespace>
        NAME                         READY   SECRET                       AGE     EXPIRATION
        analytics-ingestion-client   True    analytics-ingestion-client   2m18s   2024-09-04T12:27:38Z
        gateway-client-client        True    gateway-client-client        2m19s   2024-09-04T12:27:28Z
        gateway-peering              True    gateway-peering              2m17s   2024-09-04T12:27:39Z
        gateway-service              True    gateway-service              2m18s   2024-09-04T12:27:28Z
        portal-admin-client          True    portal-admin-client          2m19s   2024-09-04T12:27:33Z

        oc get issuers -n <namespace>
        NAME                 READY   AGE
        ingress-issuer       True    18m
        selfsigning-issuer   True    2m42s

  - If your Portal subsystem is in a different namespace in your warm-standby data center, then to create your certificates, issuers, and secrets in the Portal subsystem namespace:
    - Create a file that is called warm-standby-ptl-certs.yaml and paste in:

          #
          # Licensed under the Apache License, Version 2.0 (the "License");
          # you may not use this file except in compliance with the License.
          # You may obtain a copy of the License at
          #
          # http://www.apache.org/licenses/LICENSE-2.0
          #
          # Unless required by applicable law or agreed to in writing, software
          # distributed under the License is distributed on an "AS IS" BASIS,
          # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
          # See the License for the specific language governing permissions and
          # limitations under the License.
          #
          ---
          apiVersion: cert-manager.io/v1
          kind: Issuer
          metadata:
            name: selfsigning-issuer
            labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "selfsigning-issuer" }
          spec:
            selfSigned: {}
          ---
          apiVersion: cert-manager.io/v1
          kind: Issuer
          metadata:
            name: ingress-issuer
            labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "ingress-issuer" }
          spec:
            ca:
              secretName: ingress-ca

    - Apply this file to your Portal subsystem namespace:

          oc apply -f warm-standby-ptl-certs.yaml -n <portal namespace>

    - Verify that your issuers and secrets were created successfully:

          oc get issuers -n <portal namespace>
          NAME                 READY   AGE
          ingress-issuer       True    43s
          selfsigning-issuer   True    43s

          oc get secrets -n <portal namespace>
          NAME         TYPE                DATA   AGE
          ingress-ca   kubernetes.io/tls   3      4m18s
- Create the encryption key secrets for the Management and Portal subsystems by using the random string that was generated on the active data center. Use the mgmt-enc-key.txt and ptl-enc-key.txt files that were copied to your warm-standby data center when you followed Preparing your active data center.
  - Run the following command to create the management encryption key secret:

        oc create secret generic mgmt-encryption-key --from-file=encryption_secret.bin=mgmt-enc-key.txt -n <management namespace>

  - Confirm that the secret was created successfully by running:

        oc get secrets -n <management namespace> | grep mgmt-encryption-key
        mgmt-encryption-key   Opaque   1      83s

  - Run the following command to create the portal encryption key secret:

        oc create secret generic ptl-encryption-key --from-file=encryption_secret=ptl-enc-key.txt -n <portal namespace>

  - Confirm that the secret was created successfully by running:

        oc get secrets -n <portal namespace> | grep ptl-encryption-key
        ptl-encryption-key   Opaque   1      15s
- Create the TLS client replication certificates for Management and Portal.
  - Create a yaml file that is called mgmt-tls-client-cert.yaml and paste in the following contents:

        apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: mgmt-replication-client
        spec:
          commonName: mgmt-replication-client
          duration: 17520h0m0s
          issuerRef:
            kind: Issuer
            name: ingress-issuer
          renewBefore: 720h0m0s
          privateKey:
            rotationPolicy: Always
          secretName: mgmt-replication-client

  - Apply this yaml file with:

        oc apply -f mgmt-tls-client-cert.yaml -n <management namespace>

  - Verify that the certificate was created with:

        oc get certs -n <management namespace>
        NAME                      READY   SECRET                    AGE   EXPIRATION
        ...
        mgmt-replication-client   True    mgmt-replication-client   16m   2024-08-17T13:04:27Z

  - Create a file ptl-tls-client-cert.yaml and paste in the following contents:

        apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: ptl-replication-client
        spec:
          commonName: ptl-replication-client
          duration: 17520h0m0s
          issuerRef:
            kind: Issuer
            name: ingress-issuer
          renewBefore: 720h0m0s
          privateKey:
            rotationPolicy: Always
          secretName: ptl-replication-client

  - Apply this yaml file with:

        oc apply -f ptl-tls-client-cert.yaml -n <portal namespace>

  - Verify that the certificate was created with:

        oc get certs -n <portal namespace>
        NAME                     READY   SECRET                   AGE   EXPIRATION
        ...
        ptl-replication-client   True    ptl-replication-client   16m   2024-08-17T13:04:27Z
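The procedure above relies on two things being true before replication is enabled: the ingress-ca secret imported in the first step must be the same CA as on the active data center (otherwise the replication client certificates issued by ingress-issuer here are not trusted there), and every Certificate created in the later steps must be Ready. The following Python script is an added example, not part of the IBM documentation or the API Connect product, that checks both from text you already have on the warm-standby side: the ca-issuer-secret.yaml copied from the active site and the output of oc get certificates. The Secret manifests and the oc table embedded in it are constructed samples, and all function and constant names are the example's own.

```python
"""Preflight checks for warm-standby certificate material (added example,
not from the IBM documentation). Works on text only; no cluster access
is needed. Sample manifests and table output below are constructed."""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Certificates the procedure creates in the Management namespace
# (the five in warm-standby-certs.yaml plus mgmt-replication-client).
EXPECTED_MGMT_CERTS = {
    "analytics-ingestion-client", "gateway-client-client", "gateway-peering",
    "gateway-service", "portal-admin-client", "mgmt-replication-client",
}
RENEW_BEFORE = timedelta(hours=720)  # renewBefore used in every Certificate above


def ca_fingerprint(secret_yaml: str) -> str:
    """SHA-256 over the decoded tls.crt of a kubernetes.io/tls Secret manifest.
    Hashing the decoded bytes means re-indenting the YAML does not change it."""
    match = re.search(r"^\s*tls\.crt:\s*(\S+)\s*$", secret_yaml, re.MULTILINE)
    if not match:
        raise ValueError("no tls.crt field in secret manifest")
    return hashlib.sha256(base64.b64decode(match.group(1))).hexdigest()


def same_ca(active_secret_yaml: str, standby_secret_yaml: str) -> bool:
    """True when both data centers carry the same ingress-ca certificate."""
    return ca_fingerprint(active_secret_yaml) == ca_fingerprint(standby_secret_yaml)


def parse_certificates(oc_output: str) -> dict:
    """Parse `oc get certificates` table output into {name: (ready, expiration)}."""
    rows = {}
    for line in oc_output.strip().splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 5:  # skips the "..." elision line seen in the docs output
            continue
        name, ready, _secret, _age, expiration = cols[:5]
        expires = datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows[name] = (ready == "True", expires)
    return rows


def check_certificates(oc_output: str, expected: set, now: datetime,
                       renew_before: timedelta = RENEW_BEFORE) -> dict:
    """Report certificates that are missing, not Ready, or already inside their
    renewal window (cert-manager should have renewed those; if it has not,
    check the issuer before enabling replication)."""
    rows = parse_certificates(oc_output)
    problems = {"missing": [], "not_ready": [], "renewal_due": []}
    for name in sorted(expected):
        if name not in rows:
            problems["missing"].append(name)
            continue
        ready, expires = rows[name]
        if not ready:
            problems["not_ready"].append(name)
        if expires - now <= renew_before:
            problems["renewal_due"].append(name)
    return problems


# --- constructed sample data (not real certificates or keys) ---------------

def _tls_secret_manifest(pem: bytes) -> str:
    """Build a minimal kubernetes.io/tls Secret manifest around a fake PEM blob."""
    b64 = base64.b64encode(pem).decode()
    return ("apiVersion: v1\nkind: Secret\nmetadata:\n  name: ingress-ca\n"
            "type: kubernetes.io/tls\ndata:\n"
            f"  ca.crt: {b64}\n  tls.crt: {b64}\n  tls.key: UExBQ0VIT0xERVI=\n")


ACTIVE_CA_SECRET = _tls_secret_manifest(b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ACTIVE-CA\n-----END CERTIFICATE-----\n")
STANDBY_CA_SECRET_OK = ACTIVE_CA_SECRET
STANDBY_CA_SECRET_WRONG = _tls_secret_manifest(b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-OTHER-CA\n-----END CERTIFICATE-----\n")

# Shaped like the docs' `oc get certificates` output, altered so that one
# certificate is not Ready and mgmt-replication-client has not been created.
SAMPLE_CERTS = """\
NAME                         READY   SECRET                       AGE     EXPIRATION
analytics-ingestion-client   True    analytics-ingestion-client   2m18s   2024-09-04T12:27:38Z
gateway-client-client        True    gateway-client-client        2m19s   2024-09-04T12:27:28Z
gateway-peering              True    gateway-peering              2m17s   2024-09-04T12:27:39Z
gateway-service              True    gateway-service              2m18s   2024-09-04T12:27:28Z
portal-admin-client          False   portal-admin-client          2m19s   2024-09-04T12:27:33Z
"""
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "today"


def demo_results(now: datetime = SAMPLE_NOW) -> dict:
    """Run both checks against the constructed sample data."""
    return {
        "same_ca": same_ca(ACTIVE_CA_SECRET, STANDBY_CA_SECRET_OK),
        "wrong_ca_detected": not same_ca(ACTIVE_CA_SECRET, STANDBY_CA_SECRET_WRONG),
        "certs": check_certificates(SAMPLE_CERTS, EXPECTED_MGMT_CERTS, now),
    }


if __name__ == "__main__":
    for key, value in demo_results().items():
        print(f"{key}: {value}")
```

To use it against a real warm-standby, feed ca_fingerprint the ca-issuer-secret.yaml from each site (the fingerprints must match) and pass the captured oc get certificates output for the Management namespace to check_certificates; the same function works for the Portal namespace with a smaller expected set containing ptl-replication-client.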