When the ingress CA certificate on the management subsystem is renewed, you must copy the
renewed certificate to any subsystems that are in a different namespace.
Before you begin
Complete the steps in Renewing the ingress-ca to renew the ingress CA in your management subsystem namespace.
Note: If all your API Connect subsystems are in the same namespace, you do not need to follow this procedure.
About this task
The ingress CA signs all the inter-subsystem communication certificates that are used between API Connect subsystems. If
your subsystems are installed in different namespaces, then the ingress CA must be manually
synchronized across all those namespaces.
These steps must be repeated for all namespaces where you have subsystems that are registered
with your management subsystem.
For more information about API Connect certificates,
see API Connect TLS certificates.
Procedure
- Export the management namespace ingress CA secret to a YAML file called ingress-ca.yaml:
  kubectl -n <management namespace> get secret ingress-ca -o yaml > ingress-ca.yaml
- Edit ingress-ca.yaml and remove all metadata fields except for the secret name. The resulting file contents look like this:
  apiVersion: v1
  data:
    ca.crt: ...
    tls.crt: ...
    tls.key: ...
  kind: Secret
  metadata:
    name: ingress-ca
  type: kubernetes.io/tls
- Apply the updated ingress-ca.yaml in the namespace of the other subsystem:
  kubectl -n <other subsystem namespace> apply -f ingress-ca.yaml
- Verify that the ingress CA is now identical in both namespaces.
  - Extract your ingress-ca secret to a file in your management namespace:
    kubectl -n <management namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > ingress.pem.mgmt
  - Extract your ingress-ca secret to a file in your other subsystems' namespace:
    kubectl -n <other subsystem namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > ingress.pem.other
  - Verify that the files that are created for each namespace are identical (the diff must produce no output):
    diff ingress.pem.mgmt ingress.pem.other
- Run the following command to renew all the ingress-ca end-entity certificates in the other subsystems' namespace:
  kubectl get secrets -n <other subsystem namespace> -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name' --no-headers=true | grep ingress-issuer | awk '{ print $1 }' | xargs kubectl delete secret -n <other subsystem namespace>
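The manual edit in step 2 and the comparison in step 4, scripted as an added example that is not part of this IBM documentation: the helper names, the namespaces and the certificate text are constructed, and the sample YAML files stand in for the output of kubectl get secret -o yaml.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: scripts the "strip metadata"
# edit and the "compare decoded tls.crt" check from the procedure above, working
# on secret YAML read from stdin or files. Helper names, namespaces and the
# certificate text are constructed samples, not values from a real cluster.

# Keep everything in the secret except metadata children other than "name".
strip_secret_metadata() {
  awk '
    /^metadata:/       { in_meta = 1; print; next }
    in_meta && /^[^ ]/ { in_meta = 0 }               # left the metadata block
    in_meta            { if ($0 ~ /^  name:/) print; next }
                       { print }
  '
}

# Decoded tls.crt of one secret. Matching the whole key skips the managedFields
# entry "f:tls.crt: {}" that a bare "grep tls.crt" also matches.
decoded_tls_crt() {
  awk '$1 == "tls.crt:" { print $2; exit }' | base64 -d
}

# Exit 0 when two secret YAML files carry the same certificate, 1 otherwise.
same_ingress_ca() {
  a=$(decoded_tls_crt < "$1")
  b=$(decoded_tls_crt < "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# ---- constructed sample secrets standing in for "kubectl get secret -o yaml" ----
pem_b64() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----' | base64 | tr -d '\n'; }
make_secret() {  # $1 = namespace, $2 = base64 certificate
  printf '%s\n' 'apiVersion: v1' 'data:' "  ca.crt: $2" "  tls.crt: $2" '  tls.key: Zm9v' \
    'kind: Secret' 'metadata:' '  creationTimestamp: "2024-01-01T00:00:00Z"' \
    '  managedFields:' '  - apiVersion: v1' '    fieldsV1:' '      f:data:' '        f:tls.crt: {}' \
    '  name: ingress-ca' "  namespace: $1" '  resourceVersion: "1"' \
    '  uid: 00000000-0000-0000-0000-000000000000' 'type: kubernetes.io/tls'
}
CURRENT_CA=$(pem_b64 'CONSTRUCTED-SAMPLE-NOT-A-REAL-CA')
OLD_CA=$(pem_b64 'CONSTRUCTED-STALE-SAMPLE')
make_secret mgmt  "$CURRENT_CA" > ingress-ca.mgmt.yaml    # management namespace, renewed
make_secret other "$CURRENT_CA" > ingress-ca.other.yaml   # other namespace after the apply
make_secret other "$OLD_CA"     > ingress-ca.stale.yaml   # other namespace before the apply

# Step 2 of the procedure, scripted: this is the file you would kubectl apply.
strip_secret_metadata < ingress-ca.mgmt.yaml > ingress-ca.yaml
same_ingress_ca ingress-ca.mgmt.yaml ingress-ca.stale.yaml || echo "stale: ingress CA differs"
same_ingress_ca ingress-ca.mgmt.yaml ingress-ca.other.yaml && echo "after apply: ingress CA identical"
```

Against a live cluster, replace the make_secret calls with the kubectl get secret commands from steps 1 and 4 and run the apply only once same_ingress_ca reports a difference.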