Updating custom hostname and TLS secret by using a configmap
You can change the custom hostname and certificates for the cp-console route by running a script.
Note: These instructions are for changing only the cp-console route hostname and certificates.
Before you begin
Keep your new hostname and certificates ready.
- Create the custom hostname. If you modify the default Red Hat® OpenShift® Container Platform domain, ensure that the new hostname can resolve to the Red Hat OpenShift router from inside and outside the Red Hat OpenShift cluster.
- If you are providing new certificates, create them in an unencrypted PEM format.
  - ca.crt: Contains the intermediate CA signer certificates and the CA root signer certificate. The file must start with the intermediate CA certificates, in order, leading to the root CA.
  - tls.crt: Contains only the route server certificate. Note: The route server certificate must pass TLS verification for the route hostname.
  - tls.key: Contains the private key of the route server certificate.
  See the following example of PEM encoding, which uses header and footer lines for each certificate and private key.
    -----BEGIN CERTIFICATE-----
    (encoded set of characters)
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    (encoded set of characters)
    -----END PRIVATE KEY-----
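Before you create the secret that holds these files, it is worth checking that they have the shape this list describes. The following Python script is an added example; it is not part of this page and not IBM's cs-onprem-tenant-config.sh script. Using only the standard library, it checks the PEM framing of ca.crt, tls.crt and tls.key (an unencrypted key, a single server certificate in tls.crt, certificates only in ca.crt) and computes the SHA-256 fingerprint of tls.crt so that, after the script has run, you can compare it with the certificate the cp-console route actually serves. The function names, the file paths on the command line and the PEM bodies in the sample inputs are all assumptions or constructed placeholders, not real certificates; whether ca.crt is ordered intermediate-to-root needs an X.509 parser and is left to openssl verify.

```python
"""Pre-flight checks for ca.crt, tls.crt and tls.key (added example, not IBM's script).

Checks only what PEM framing shows: valid base64 bodies, exactly one certificate in
tls.crt, one unencrypted key in tls.key, and only certificates in ca.crt.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL
)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; raises ValueError if a body
    is not clean base64 (an encrypted PKCS#1 key carries Proc-Type/DEK-Info lines)."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        blocks.append((m.group("label"), base64.b64decode(body, validate=True)))
    return blocks

def check_tls_crt(text):
    """tls.crt must hold exactly one certificate: the route server certificate."""
    labels = [label for label, _ in pem_blocks(text)]
    if labels != ["CERTIFICATE"]:
        return f"tls.crt must contain exactly one CERTIFICATE block, found {labels}"
    return None

def check_tls_key(text):
    """tls.key must hold one private key, and it must not be encrypted."""
    if "Proc-Type: 4,ENCRYPTED" in text:
        return "tls.key is an encrypted PKCS#1 key; supply it unencrypted"
    labels = [label for label, _ in pem_blocks(text)]
    if labels == ["ENCRYPTED PRIVATE KEY"]:
        return "tls.key is an encrypted PKCS#8 key; supply it unencrypted"
    if len(labels) != 1 or not labels[0].endswith("PRIVATE KEY"):
        return f"tls.key must contain exactly one PRIVATE KEY block, found {labels}"
    return None

def check_ca_crt(text):
    """ca.crt must hold certificates only (intermediates first, root last)."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels or any(label != "CERTIFICATE" for label in labels):
        return f"ca.crt must contain only CERTIFICATE blocks, found {labels}"
    return None

def validate_files(ca_crt, tls_crt, tls_key):
    """Run every check; return the list of problems (an empty list means OK)."""
    problems = []
    for check, text in ((check_ca_crt, ca_crt), (check_tls_crt, tls_crt), (check_tls_key, tls_key)):
        try:
            problem = check(text)
        except ValueError as exc:
            problem = f"{check.__name__}: PEM body is not valid base64 ({exc})"
        if problem:
            problems.append(problem)
    return problems

def _fingerprint(der):
    """SHA-256 of a DER certificate, colon-separated the way browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def cert_fingerprint(tls_crt):
    """Fingerprint of the server certificate you are about to install."""
    return _fingerprint(pem_blocks(tls_crt)[0][1])

def route_fingerprint(hostname, port=443):
    """Fingerprint of the leaf the route serves now; compare with cert_fingerprint()
    after the script has run. Verification is off so the leaf is returned even before
    the new CA is trusted locally. Needs network access; not exercised offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return _fingerprint(tls.getpeercert(binary_form=True))

# Constructed sample inputs: the base64 bodies are placeholders, not real X.509 or key data.
SAMPLE_TLS_CRT = "-----BEGIN CERTIFICATE-----\nAAECAwQF\n-----END CERTIFICATE-----\n"
SAMPLE_TLS_KEY = "-----BEGIN PRIVATE KEY-----\nBgcICQoL\n-----END PRIVATE KEY-----\n"
SAMPLE_CA_CRT = ("-----BEGIN CERTIFICATE-----\nDA0ODxAR\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nEhMUFRYX\n-----END CERTIFICATE-----\n")
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nBgcICQoL\n"
                        "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    # usage: python check_pem.py ca.crt tls.crt tls.key (falls back to the samples)
    if len(sys.argv) == 4:
        ca, crt, key = (open(path).read() for path in sys.argv[1:])
    else:
        ca, crt, key = SAMPLE_CA_CRT, SAMPLE_TLS_CRT, SAMPLE_TLS_KEY
    for line in validate_files(ca, crt, key) or ["all checks passed"]:
        print(line)
    print("tls.crt SHA-256:", cert_fingerprint(crt))
```

Run it with the three real files as arguments before you create the secret; a non-empty problem list means the files do not match the layout required above. Keep the printed fingerprint and, once the script has updated the route, compare it with route_fingerprint("<hostname>") or with the fingerprint your browser shows for the cp-console URL.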
Procedure
Complete the following steps to change the custom hostname and certificates of the cp-console route.
- Create a cs-onprem-tenant-config.yaml file with the following configmap definition. In the data section, provide your custom hostname. If you are providing new certificates, do not change the name of the custom_host_certificate_secret secret.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cs-onprem-tenant-config
      namespace: <your-foundational-services-namespace>
      labels:
        cs_onprem_tenant_config: "true"
    data:
      ##comment out or remove this setting if not changing the hostname
      custom_hostname: <hostname>
      ##comment out or remove this setting if not changing the certificates
      custom_host_certificate_secret: custom-tls-secret
- Create the cs-onprem-tenant-config configmap.
    oc apply -f cs-onprem-tenant-config.yaml -n <your-foundational-services-namespace>
- Apply the updates to your cluster by running a script that is available with the CASE bundle. The CASE bundle is used for installing foundational services in a disconnected environment. For more information about installing the ibm-pak plug-in and downloading the bundle, see Installing your IBM Cloud Pak by mirroring Cloud Pak images to a private container registry (with ibm-pak plug-in). Alternatively, use the following commands to get the script and run it.
  - Create the following environment variable with the CASE version. To find the CASE version, see the cloud-pak CASE repository.
      export CASE_VERSION=<YOUR_CASE_VERSION>
  - Get the script.
      wget https://github.com/IBMPrivateCloud/cloud-pak/blob/master/repo/case/ibm-cp-common-services/$CASE_VERSION/ibm-cp-common-services-$CASE_VERSION.tgz
  - Extract the bundle.
      tar -xvzf ibm-cp-common-services-$CASE_VERSION.tgz
  - Change directory to the installer_scripts folder. The cs-onprem-tenant-config.sh script is in this folder.
      cd ibm-cp-common-services/inventory/ibmCommonServiceOperatorSetup/installer_scripts
  - If your cluster topology has a separate namespace for all operators, identify that namespace and set it as the default namespace. You must also update the script. For more information about operatorNamespace, see Parameters in the CommonService CR.
    - Locate the operatorNamespace in the common-service CR.
        oc describe cr common-service -n <your-foundational-services-namespace> | grep operatorNamespace
    - Set the operatorNamespace value as the default namespace.
        oc project <operatorNamespace-value>
    - Insert the following lines at line number 23 in the cs-onprem-tenant-config.sh script.
        csNamespace="<operatorNamespace>"
        map_to_common_service_namespace="<your-cloud-pak-namespace>"
- Run the script. If your cluster topology has a separate namespace for all operators, run the script from that namespace.
    ./cs-onprem-tenant-config.sh
The script completes the following tasks:
- Identifies your topology type: simple topology or separation of data (SOD) topology.
- Uses namespaces from the common_service_maps configmap in the kube-public namespace. The common_service_maps configmap lists all the namespaces in a tenant.
- If your cluster topology has a separate namespace for all operators, runs the iam-custom-hostname job in that namespace.
- Updates the custom hostname in all applicable identity management (IM) components.
- Restarts the pods with the following labels:
    app=platform-auth-service
    app=platform-identity-provider
    name=ibm-zen-operator
    component=usermgmt
Result
After you run the script, the cp-console route is updated with the new hostname. If you provided new certificates, you can also see them in your browser when you access the cp-console URL.
Reverting the updates
If you need to revert to the previous hostname and certificate, repeat the steps in Procedure by using the previous hostname (and, if you changed them, the previous certificates).