Changing the default root CA signer certificate
About this task
If the CP4BA custom resource root_ca_secret parameter does not have a value or does not exist, the operator generates the secret with a self-signed root CA signer certificate. The expiration period for these self-signed certificates is two years. The CP4BA operator automatically detects the expiration date 24 hours before the certificates expire, then renews the self-signed certificates and restarts the pods. No further action is needed for the certificates to continue to work.
If your policy requires a recognized certificate authority to sign the certificates, you can provide your own root CA. To use your own root CA certificate, obtain or prepare the CA certificate and create a secret for it before you deploy your custom resource. If you have multiple deployments and you want to use the same root CA, copy the secret and use the same certificates in each deployment in separate namespaces.
When you enter your parameter values in the custom resource .yaml file, you provide the name of this secret as the value for the root_ca_secret parameter in the shared configuration section.
If you want to use your own root CA certificate, use the following steps to add it to the operator.
Procedure
What to do next
When your certificates expire, you must take the following actions to renew the secrets:
- Update or re-create the secret with the updated certificates.
- Restart the corresponding pods that are associated with the secret.
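
Before you create the secret for your own root CA, or update it with renewed certificates, you can check the certificate and key pair first. The following script is an added example, not part of the product documentation. It assumes `openssl` is installed and the key is an unencrypted PEM file; the function name, the file names, and the 30-day threshold are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for a root CA pair before it goes into the
# secret that root_ca_secret names. Function name, file names and the default
# 30-day threshold are assumptions, not values from the product documentation.

# ca_preflight CERT KEY [MIN_DAYS]
# Prints a one-line verdict; returns 0 only when every check passes.
ca_preflight() {
    cert=$1; key=$2; min_days=${3:-30}

    # 1. The certificate must parse as PEM-encoded X.509.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "unreadable certificate"; return 1; }

    # 2. It must be a CA certificate (basicConstraints CA:TRUE); a leaf
    #    certificate cannot act as a signer.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate"; return 2; }

    # 3. The private key must belong to the certificate: compare digests of
    #    the public key taken from each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 3; }

    # 4. The certificate must stay valid for at least MIN_DAYS more days, so
    #    that renewal can be scheduled before the expiration date.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "expires within $min_days days"; return 4; }

    echo "ok"
}

# Direct use (hypothetical file names): sh ca_preflight.sh rootCA.crt rootCA.key 30
if [ "$#" -ge 2 ]; then ca_preflight "$@"; fi
```

A non-zero return code identifies the failed check: 1 unreadable certificate, 2 not a CA, 3 key mismatch, 4 too close to expiration.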