Update the certificate that secures communication between gateways in your API Connect deployment.
About this task

This task covers updating the gateway peering certificate, which is used to secure communication between gateway cluster members, on Kubernetes and OpenShift deployments.

Note: For gateway appliance deployments, you must manually update the Gateway Peering Identification Credential and Validation Credential objects.

The gateway peering certificate is stored in a Kubernetes secret. To update the certificate, delete this secret so that cert-manager creates a new secret that contains a new peering certificate.

Important: If you are updating the peering certificate because you updated the ingress-ca certificate, then the update causes a gateway outage and the gateway pods must be manually restarted.
Procedure

1. Determine the name of your gateway cluster CR:

     kubectl get GatewayCluster

2. Determine the name of the gateway peering secret:

     kubectl get -o yaml gatewayCluster <gateway cluster>

   where <gateway cluster> is the name that you obtained in step 1.
   The name of the secret is defined in spec.apicGatewayPeeringTLS.secretName, for example:

     spec:
       ...
       apicGatewayPeeringTLS:
         secretName: apic-ocp-gw-peer

3. Delete the gateway peering secret:

     kubectl delete secret <gateway peering secret>

   where <gateway peering secret> is the name that you identified in step 2.
   A new gateway peering secret is created and a rollout restart of the gateway statefulset is triggered.

4. If the ingress-ca certificate was also updated, then the rollout restart does not complete, and you must restart the gateway pods manually:

     kubectl delete pod <gw pod1> <gw pod2> <gw pod3>

5. To verify the update, check the age of the gateway peering secret to confirm a new secret was created:

     kubectl get secret <gateway peering secret>
     NAME                       TYPE                DATA   AGE
     <gateway peering secret>   kubernetes.io/tls   3      30s
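The procedure above can be scripted so that the secret name is read from the CR instead of copied out of the YAML by hand, and so that "a new secret was created" is checked by comparing the secret's UID before and after deletion rather than by reading its AGE column. The following script is an added example and is not part of the IBM API Connect documentation; it assumes kubectl is on the PATH with access to the namespace (the namespace name "apic" and the function names are placeholders chosen for this example), that the first GatewayCluster in the namespace is the one being updated, and that the CR records the secret name in spec.apicGatewayPeeringTLS.secretName as shown in step 2.

```shell
#!/bin/sh
# Added example, not from the IBM API Connect documentation: rotate the
# gateway peering secret on Kubernetes/OpenShift and confirm cert-manager
# re-issued it. Assumes kubectl is on PATH with access to the namespace and
# that the GatewayCluster CR records the secret name in
# spec.apicGatewayPeeringTLS.secretName, as the procedure above shows.
set -eu

# Namespace is a constructed placeholder; override with NS=<your namespace>.
NS="${NS:-apic}"

# Step 1: name of the (first) GatewayCluster CR in the namespace.
gateway_cluster_name() {
    kubectl -n "$NS" get GatewayCluster -o jsonpath='{.items[0].metadata.name}'
}

# Step 2: peering secret name recorded in the CR, read directly via jsonpath.
peering_secret_name() {
    kubectl -n "$NS" get GatewayCluster "$1" \
        -o jsonpath='{.spec.apicGatewayPeeringTLS.secretName}'
}

# UID of a secret, or empty if it does not (yet) exist.
secret_uid() {
    kubectl -n "$NS" get secret "$1" -o jsonpath='{.metadata.uid}' 2>/dev/null || true
}

# Steps 3 and 5: delete the secret, then wait until a secret with the same
# name but a different UID exists. A changed UID proves the object was
# re-created by cert-manager rather than merely still present.
# Prints the secret name on success, returns 1 on timeout.
rotate_peering_secret() {
    gc=$(gateway_cluster_name)
    secret=$(peering_secret_name "$gc")
    old_uid=$(secret_uid "$secret")
    kubectl -n "$NS" delete secret "$secret" >/dev/null

    attempt=0
    while [ "$attempt" -lt 30 ]; do          # up to ~60 s for cert-manager
        new_uid=$(secret_uid "$secret")
        if [ -n "$new_uid" ] && [ "$new_uid" != "$old_uid" ]; then
            echo "$secret"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep 2
    done
    echo "secret $secret was not re-created; check cert-manager" >&2
    return 1
}

# Run the rotation only when invoked as: sh rotate-peering.sh rotate
if [ "${1:-}" = "rotate" ]; then
    rotate_peering_secret
fi
```

The script deliberately stops after the secret is re-issued. If the ingress-ca certificate was also updated, the rollout restart triggered by the deletion does not complete and the gateway pods still have to be deleted by hand (step 4); automating that would need the pod names or a label selector, which this page does not give.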