Updating cp-console hostname and TLS secret by using a configmap

You can change the hostname of the cp-console route to a custom hostname, and replace its certificates with your own, by running a script.

Note: These instructions are for changing only the cp-console route hostname and certificates.

Before you begin

Keep your new hostname and certificates ready.

Procedure

You can update the custom hostname with one of the following methods:

Updating a custom hostname using the script

Complete the following steps to change the custom hostname and certificates of the cp-console route.

  1. Create a cs-onprem-tenant-config.yaml file with the following configmap definition. In the data section, provide your custom hostname. If you are providing new certificates to update the TLS secret, do not change the name of the custom_host_certificate_secret secret in the configmap.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cs-onprem-tenant-config
      namespace: $csNamespace
      labels:
        cs_onprem_tenant_config: "true"
    data:
      ##comment out or remove this setting if not changing the hostname
      custom_hostname: <hostname>
      ##comment out or remove this setting if not changing the certificates
      custom_host_certificate_secret: custom-tls-secret
    
  2. Create the cs-onprem-tenant-config configmap.

    oc apply -f cs-onprem-tenant-config.yaml -n $csNamespace
    
  3. Download and extract the installer scripts for your CASE bundle.

    export CASE_VERSION=4.10

    wget https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-common-services/${CASE_VERSION}/ibm-cp-common-services-${CASE_VERSION}.tgz

    tar -xvzf ibm-cp-common-services-$CASE_VERSION.tgz

    cd ibm-cp-common-services/inventory/ibmCommonServiceOperatorSetup/installer_scripts
    

    Replace CASE_VERSION with the foundational services version.

  4. Run the script. If your cluster topology has a separate namespace for all operators, run the script from that namespace.

    ./cs-onprem-tenant-config.sh
    

    If you see the following error, the script did not find the new certificate files for the TLS secret in the ${installer_scripts} directory. To resolve the issue, place the certificate files in that directory and run the script again.

    tls.key is not present in current directory, pls keep tls.key, tls.crt and ca.crt files in current directory
    

    The script completes the following tasks:

    • Identifies your topology type: simple topology or separation of data (SOD) topology.

    • Uses namespaces from the common_service_maps configmap that is in the kube-public namespace. The common_service_maps configmap has all the namespaces in a tenant.

    • Creates a TLS secret if you provided new certificate files.

    • If your cluster topology has a separate namespace for all operators, the script runs the iam-custom-hostname job in that namespace.

    • Updates the custom hostname in all applicable identity management (IM) components.

    • Restarts the pods with the following labels:

      • app=platform-auth-service
      • app=platform-identity-provider
      • name=ibm-zen-operator
      • component=usermgmt
  5. If you are providing new certificates for the TLS secret, place the tls.key, tls.crt, and ca.crt files in the ${installer_scripts} directory. Run the script to create the TLS secret with the required certificate files.

    To change the hostname and use a self-signed certificate, see Before you begin to prepare your certificate and TLS files.
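
The following pre-flight helper is an added example and is not part of the IBM installer scripts. It renders the cs-onprem-tenant-config configmap from the values you intend to use, omitting a key when you are not changing that setting, rejects hostnames the route would not accept (a URL instead of a bare FQDN, a trailing dot, an invalid DNS label), and checks that tls.key, tls.crt, and ca.crt are present and PEM-encoded in the installer_scripts directory before you run cs-onprem-tenant-config.sh. The namespace and hostname values in the usage block are constructed placeholders.

```python
"""Pre-flight checks for the cs-onprem-tenant-config procedure.

Added example, not IBM code. Run it from the installer_scripts directory
before ./cs-onprem-tenant-config.sh to catch the mistakes that otherwise
surface only as a failed script run or an unreachable cp-console route.
"""
import os
import re
from typing import Dict, List, Optional

# One DNS label: 1-63 characters, alphanumeric or '-', no leading/trailing '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# File the script expects -> PEM headers that are acceptable for it.
CERT_FILES: Dict[str, tuple] = {
    "tls.key": ("-----BEGIN PRIVATE KEY-----",
                "-----BEGIN RSA PRIVATE KEY-----",
                "-----BEGIN EC PRIVATE KEY-----"),
    "tls.crt": ("-----BEGIN CERTIFICATE-----",),
    "ca.crt": ("-----BEGIN CERTIFICATE-----",),
}


def validate_hostname(hostname: str) -> str:
    """Return the normalised (lowercase) hostname or raise ValueError.

    Catches a scheme prefix ("https://..."), a path, a trailing dot, and
    labels that are not valid DNS; the route only accepts a bare FQDN.
    """
    host = hostname.strip().lower()
    if "://" in host or "/" in host:
        raise ValueError("custom_hostname must be a bare FQDN, not a URL")
    if host.endswith("."):
        raise ValueError("custom_hostname must not end with a trailing dot")
    if not host or len(host) > 253:
        raise ValueError("hostname must be 1-253 characters long")
    for label in host.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {hostname!r}")
    return host


def render_tenant_config(namespace: str, hostname: Optional[str] = None,
                         secret: Optional[str] = "custom-tls-secret") -> str:
    """Render the cs-onprem-tenant-config ConfigMap as YAML text.

    A setting you are not changing is dropped entirely (hostname=None or
    secret=None), which is the documented way to leave it untouched.
    """
    data = {}
    if hostname is not None:
        data["custom_hostname"] = validate_hostname(hostname)
    if secret is not None:
        data["custom_host_certificate_secret"] = secret
    if not data:
        raise ValueError("nothing to change: give a hostname, a secret, or both")
    lines = [
        "apiVersion: v1",
        "kind: ConfigMap",
        "metadata:",
        "  name: cs-onprem-tenant-config",
        f"  namespace: {namespace}",
        "  labels:",
        '    cs_onprem_tenant_config: "true"',
        "data:",
    ]
    lines += [f"  {key}: {value}" for key, value in data.items()]
    return "\n".join(lines) + "\n"


def check_cert_files(directory: str) -> List[str]:
    """Return a list of problems with the certificate files in `directory`.

    An empty list means tls.key, tls.crt and ca.crt all exist and look like
    PEM; a missing file is what the script's "tls.key is not present" error
    is complaining about.
    """
    problems = []
    for name, headers in CERT_FILES.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append(f"{name} is missing from {directory}")
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if not any(header.encode() in head for header in headers):
            problems.append(f"{name} is not PEM-encoded (expected one of {headers})")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own namespace and hostname.
    print(render_tenant_config("<foundational-services-namespace>", "cp-console.example.com"))
    for problem in check_cert_files("."):
        print("pre-flight:", problem)
```

Write the rendered YAML to cs-onprem-tenant-config.yaml and apply it as in step 2; an empty list from check_cert_files means the script will find the files it needs for the TLS secret.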

Updating a custom hostname using the ibmcloud-cluster-info configmap

Complete the following steps to update the custom hostname with the ibmcloud-cluster-info configmap:

  1. Update the cluster_address and cluster_endpoint parameters in the ibmcloud-cluster-info configmap.

    oc edit cm ibmcloud-cluster-info -n cpfs-data
    

    The following is the sample ibmcloud-cluster-info configmap:

    apiVersion: v1
    data:
      cluster_address: <hostname>-cpfs-data.apps.ocp415-qb.cp.fyre.ibm.com
      cluster_endpoint: https://<hostname>-cpfs-data.apps.ocp415-qb.cp.fyre.ibm.com
      cluster_kube_apiserver_host: api.ocp415-qb.cp.fyre.ibm.com
      cluster_kube_apiserver_port: "6443"
      cluster_name: mycluster
      cluster_router_http_port: "80"
      cluster_router_https_port: "443"
      im_idmgmt_endpoint: https://platform-identity-management.cpfs-data.svc:4500
      im_idprovider_endpoint: https://platform-identity-provider.cpfs-data.svc:4300
      proxy_address: cp-proxy-cpfs-data.apps.ocp415-qb.cp.fyre.ibm.com
    kind: ConfigMap
    

    Replace <hostname> with the custom hostname.

  2. Wait for the IM pods to restart.

    platform-auth-service-xxx
    platform-identity-management-xxx
    platform-identity-provider-xxx
    
  3. Restart Zen pods with the following label:

    name=ibm-zen-operator
    component=usermgmt
    
    1. Get the usermgmt pod names.

      oc get pods |grep usermgmt
      
    2. Delete the usermgmt pods.

      oc delete pod <usermgmt-pod-name>
      

    You can log in to cp-console and cpd with the updated hostname after the Zen pods restart.

Result

After you run the script, the cp-console route is updated with the new hostname. You can also see the new certificates, if applicable, in your browser when you access the cp-console URL.
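
Checking the route from a terminal, rather than only in a browser, lets you confirm that the new certificate chains to the ca.crt you supplied and actually names the new hostname. The following is an added example, not part of the IBM documentation or scripts: it opens a TLS connection to the cp-console hostname with the standard library, fails if the chain or hostname does not validate, and reports the SAN match, expiry, issuer, and SHA-256 fingerprint of the certificate the route presents. The hostname in the usage block is a constructed placeholder.

```python
"""Verify the cp-console route after a hostname or certificate change.

Added example, not IBM code. Usage:
    python3 verify_console_tls.py cp-console.example.com ca.crt
"""
import hashlib
import socket
import ssl
import sys
from typing import Dict


def hostname_in_san(cert: Dict, hostname: str) -> bool:
    """Return True if `hostname` is covered by a DNS entry in the certificate's SAN.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    A wildcard entry matches exactly one left-most label (RFC 6125 rules).
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".apps.example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif pattern == host:
            return True
    return False


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER certificate, as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_console_tls(hostname: str, cafile: str, port: int = 443,
                       timeout: float = 10.0) -> Dict:
    """Connect to https://hostname:port and return what the route presented.

    ssl.create_default_context(cafile=...) enforces chain validation against
    the supplied CA and hostname matching, so a stale certificate or a route
    still serving the old name raises ssl.SSLCertVerificationError instead
    of returning quietly.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return {
        "hostname_in_san": hostname_in_san(cert, hostname),
        "not_after": cert.get("notAfter"),
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        "sha256": sha256_fingerprint(der),
    }


if __name__ == "__main__":
    # Constructed placeholder defaults; pass your hostname and CA file as arguments.
    host = sys.argv[1] if len(sys.argv) > 1 else "cp-console.example.com"
    ca_file = sys.argv[2] if len(sys.argv) > 2 else "ca.crt"
    for key, value in verify_console_tls(host, ca_file).items():
        print(f"{key}: {value}")
```

The fingerprint is the value to compare against what the browser shows, and the issuer and expiry tell you at a glance whether the route is still serving the previous certificate.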

Restore SAML

After you change the certificate, the Security Assertion Markup Language (SAML) connection breaks. You must update the SAML metadata with the new certificate information to restore the connection. For more information, see Identity and access management migration.

Reverting the updates

If you need to revert to the previous hostname and certificate, repeat the steps in Procedure by using the previous hostname.

To revert to the default name for cp-console, complete the following steps:

  1. Update the cs-onprem-tenant-config ConfigMap to set the default name in the custom_hostname parameter.

    oc -n <your-foundational-services-namespace> edit configmap cs-onprem-tenant-config
    
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cs-onprem-tenant-config
      namespace: $csNamespace
      labels:
        cs_onprem_tenant_config: "true"
    data:
      ##comment out or remove this setting if not changing the hostname
      custom_hostname: <Default hostname>
      ##comment out or remove this setting if not changing the certificates
      custom_host_certificate_secret: custom-tls-secret
    
  2. Run the script again.

    ./cs-onprem-tenant-config.sh
    
  3. To restore the default certificates, delete the cp-console route.

    oc get route -n <your-foundational-services-namespace>
    
    oc delete route cp-console -n <your-foundational-services-namespace>