Kubernetes secret synchronization
Synchronize the data encryption keys, the $RELEASENAME-cem-model-secret
secret, across the two clusters. Use either the standard recovery procedure or the alternative
procedure.
Procedure
- Standard procedure (During initial installation)
If Netcool® Operations Insight® is not installed in the backup cluster, then do the following steps to ensure that a single set of encryption keys is used by both the clusters. If both the clusters are installed, then you must follow the process in the alternative procedure section.
- Install Netcool Operations Insight on the primary cluster.
- Run the following command to read the data part of the secret from the primary cluster and store
it in a JSON
file:
Example output of theoc get secret $RELEASENAME-cem-model-secret -o=jsonpath='{.data}' > cem-model-secret-data.json
cat cem-model-secret-data.json
command:{"hkeyname":"AAA","hkeyvalue":"BBB","keyname":"XXX","keyvalue":"YYY"}
- Copy the
cem-model-secret-data.json
file to the backup cluster. Run the following command to create the secret on the backup cluster:oc create secret generic $RELEASENAME-cem-model-secret oc patch secret $RELEASENAME-cem-model-secret -p '{"data": '$(cat cem-model-secret-data.json)'}'
- Install Netcool Operations Insight in the backup cluster.
- Alternative procedure (After initial installation)Important: Ensure that you have jq 1.6 installed. You can install jq through operating system package managers, or download from https://stedolan.github.io/jq/.If both the primary and backup clusters are installed, then do the following steps to synchronize the encryption keys that are used by both the clusters.Note: You do not need to follow this procedure if you completed the steps in the standard procedure section.
- Save the model secrets from each cluster into separate files.
- On the primary cluster, run the following
command:
oc get secret $RELEASENAME-cem-model-secret -o json > primary-model-secret.json
- On the backup cluster, run the following
command:
oc get secret $RELEASENAME-cem-model-secret -o json > backup-model-secret.json
- Copy both the
model-secret.json
files into the same location onto the same cluster.
- On the primary cluster, run the following
command:
- Save the following script into
merge-model-secrets.sh
into the same location where you have saved themodel-secret.json
files.jq -s '[.[].data|[to_entries[]|.value|=@base64d]|from_entries]| {data:{ hkeyname: (.[0].hkeyname|@base64), hkeyvalue: (.[0].hkeyvalue|@base64), oldhkeys: ( {keys:( [ (.[1:][]|{key:.hkeyname,value:.hkeyvalue}), (.[].oldhkeys|select(.)|fromjson|to_entries[].value[]|{key:.name,value}) ] | from_entries | to_entries | [.[]|{name:.key,value}] )} | @base64), keyname: (.[0].keyname|@base64), keyvalue: (.[0].keyvalue|@base64), oldkeys: ( {keys:( [ (.[1:][]|{key:.keyname,value:.keyvalue}), (.[].oldkeys|select(.)|fromjson|to_entries[].value[]|{key:.name,value}) ] | from_entries | to_entries | [.[]|{name:.key,value}] )} | @base64) }}' "$@"
- Copy
primary-model-secret.json
andbackup-model-secret.json
to the location where you have saved the script. Then, run the following commands:chmod u+x merge-model-secrets.sh sh merge-model-secrets.sh primary-model-secret.json backup-model-secret.json > model-secret-patch.json
- Copy
model-secret-patch.json
to both the clusters, and then run the following command on each cluster:oc patch secret $RELEASENAME-cem-model-secret --patch-file model-secret-patch.json
- Delete the RBA pods on the backup cluster and allow Kubernetes to redeploy the pods. Deleting
the RBA pods on the backup cluster ensures that the new secrets are used by the running
processes.CAUTION:This action causes a temporary outage until Kubernetes starts the new pods again.
oc delete pod -l component=rba-as oc delete pod -l component=rba-rbs oc delete pod -l component=scheduling-ui oc delete pod -l component=brokers oc delete pod -l component=cem-users oc delete pod -l component=channelservices oc delete pod -l component=eventpreprocessor oc delete pod -l component=incidentprocessor oc delete pod -l component=integration-controller oc delete pod -l component=normalizer oc delete pod -l component=notificationprocessor
- Optional: Delete the couchdb pod on the backup cluster by running the following
command:
Then, restart the pods:oc debug --image=ubi8 $(oc get pods -l component=rba-rbs | awk '{ print $1 }' | tail -n 1) -- /bin/bash -c 'IFS=","; BASEURL="${RBA_DATABASE_CLUSTER_PROTOCOL}://${RBA_DATABASE_CLUSTER_USER}:${RBA_DATABASE_CLUSTER_PASSWORD}@${RBA_DATABASE_CLUSTER_HOST}:${RBA_DATABASE_CLUSTER_PORT}"; for i in $(curl $BASEURL/_all_dbs -s); do DATABASE=$(echo $i | sed "s/\[//g" | sed "s/\"//g" | sed "s/\]//g"); if [[ $DATABASE != _* ]]; then echo -n "Deleting database ${DATABASE}..."; curl -X DELETE $BASEURL/$DATABASE -s; echo "done"; fi; done'
oc delete pod -l component=rba-as oc delete pod -l component=rba-rbs oc delete pod -l component=scheduling-ui oc delete pod -l component=brokers oc delete pod -l component=cem-users oc delete pod -l component=channelservices oc delete pod -l component=eventpreprocessor oc delete pod -l component=incidentprocessor oc delete pod -l component=integration-controller oc delete pod -l component=normalizer oc delete pod -l component=notificationprocessor
- Save the model secrets from each cluster into separate files.