Copying renewed ingress-ca to subsystems in different namespaces

When the ingress CA certificate on the management subsystem is renewed, you must copy the renewed certificate to any subsystems that are in a different namespace.

Before you begin

Complete the steps in Renewing the ingress-ca to renew the ingress CA in your management subsystem namespace.
Note: If all your API Connect subsystems are in the same namespace, you do not need to follow this procedure.

About this task

The ingress CA signs all the inter-subsystem communication certificates that are used between API Connect subsystems. If your subsystems are installed in different namespaces, then the ingress CA must be manually synchronized across all those namespaces.

These steps must be repeated for all namespaces where you have subsystems that are registered with your management subsystem.

For more information about API Connect certificates, see API Connect TLS certificates.

Procedure

  1. Export the management namespace ingress CA secret to a YAML file called ingress-ca.yaml:
    kubectl -n <management namespace> get secret ingress-ca -o yaml > ingress-ca.yaml
  2. Edit ingress-ca.yaml and remove all metadata fields except for the secret name. The resulting file contents look like this:
    apiVersion: v1
    data:
      ca.crt: ...
      tls.crt: ...
      tls.key ...
    kind: Secret
    metadata:
      name: ingress-ca
    type: kubernetes.io/tls
  3. Apply the updated the ingress-ca.yaml in the namespace of the other subsystem:
    kubectl -n <other subsystem namespace> apply -f ingress-ca.yaml
  4. Verify that the ingress CA is now identical in both namespaces.
    1. Extract your ingress-ca secret to a file in your management namespace:
      kubectl -n <management namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > ingress.pem.mgmt
    2. Extract your ingress-ca secret to a file in your other subsystems' namespace:
      kubectl -n <other subsystem namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > ingress.pem.other
    3. Verify that the files that are created for each namespace are identical:
      diff ingress.pem.mgmt ingress.pem.mgmt 
  5. Run the following command to renew all the ingress-ca end-entity certificates in the other subsystems' namespace:
    kubectl get secrets -n <other subsystem namespace> -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name' --no-headers=true | grep ingress-issuer | awk '{ print $1 }' | xargs kubectl delete secret -n <other subsystem namespace>