The following procedure details the steps required to renew the certificates for any Management and Workload Clusters, deployed and managed by VMware Telco Cloud Automation (TCA) 2.1.x or 2.2. This procedure is strictly for TCA 2.1.x or 2.2.
Environment
2.1.x, 2.2
Resolution
Prepare the Patch Scripts
Download the cert-rotation-v1-tca-2.1.tar.gz patch file to a local machine.
Unzip the patch file:
tar -xzvf cert-rotation-v1-tca-2.1.tar.gz
Move into the cert-rotation-v1-tca-2.1 folder and unzip the master-kubeconfig-script-main file:
cd cert-rotation-v1
tar -xzvf master-kubeconfig-script-main.tar.gz
Prepare the Telco Cloud Automation-Control Plane Appliances (TCA-CP)
The following steps must be applied to ALL TCA-CP appliances that were deployed and are being managed by TCA.
Note: Replace tca-cp-ip with the actual IP of the TCA-CP appliance in the upcoming commands.
SSH into the TCA-CP as the admin user:
Run the following command to take a backup of the current appliance-management war file:
Replace the /opt/vmware/hybridity-appliance-management-0.1.0.war file with the one downloaded on the local machine by running the following command from the cert-rotation-v1 folder on the local machine:
The clusters.json file lists the TCA-CP IPs (tcaCp) together with, for each of their clusters:
expirationDate
clusterId
mgmtClusterTcaCp (location of the management cluster)
mgmtClusterName
Refer to this list to identify clusters requiring certificate renewal and for reference in the upcoming steps.
Renew Management Cluster Certificate
NOTE: Do not run the scripts in parallel. The scripts should not run concurrent to any other process.
SSH into TCA-CP as admin.
Switch to the sudo user using the following command:
su -
NOTE: Refer to the clusters.json file for the associated mgmt-cluster-name, control-plane-node-ip, and clusterId values in the upcoming commands.
Obtain one of the control-plane IPs by running either of the following commands:
NOTE: This IP is different from the static cluster kube-vip IP.
NOTE: Replace copied_kubeconfig_file_path with the correct path.
NOTE: Refer to the clusters.json file for the associated cluster-name value.
Renew the Workload Cluster Certificate
SSH into the TCA-CP as admin
NOTE: Refer to the mgmtClusterTcaCp value from the clusters.json file. This is the TCA-CP where the corresponding management cluster is deployed.
admin@mgmtClusterTcaCp
# Switch to sudo user
su -
Renew the workload cluster certificate:
cd /home/admin/cluster-cert-renew
bash cert-renew -wc workload-cluster-name -mc mgmt-cluster-name -t workload
NOTE: Before renewing workload cluster certificates, ensure that the corresponding management cluster certificates have NOT expired. Management cluster certificates must first be renewed.
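The clusters.json fields listed under "Prepare the Telco Cloud Automation-Control Plane Appliances" and the ordering rule in the note above (management clusters must be valid before any workload cluster is renewed) can be turned into a renewal plan. The script below is an added example, not part of the KB article or of the TCA patch scripts. The article names the fields but not the file layout, so the script assumes a top-level JSON list with one object per cluster, an added clusterName field, expirationDate in ISO 8601 UTC, and that a management cluster is one whose mgmtClusterName is its own name; the sample data is constructed.

```python
"""Triage clusters.json and order the renewals: management clusters first.

Added example, not part of the KB article or of the TCA patch scripts. Assumed
layout: a JSON list of objects carrying the article's fields (tcaCp, expirationDate,
clusterId, mgmtClusterTcaCp, mgmtClusterName) plus an assumed clusterName, with
expirationDate written as ISO 8601 UTC ("...Z").
"""
import json
from datetime import datetime, timezone

# Constructed sample data; the IPs and names are placeholders, not real clusters.
SAMPLE_CLUSTERS_JSON = """[
  {"tcaCp": "10.0.0.11", "clusterName": "mgmt-01", "clusterId": "c-mgmt-01",
   "expirationDate": "2024-04-15T00:00:00Z",
   "mgmtClusterTcaCp": "10.0.0.11", "mgmtClusterName": "mgmt-01"},
  {"tcaCp": "10.0.0.12", "clusterName": "mgmt-02", "clusterId": "c-mgmt-02",
   "expirationDate": "2025-01-01T00:00:00Z",
   "mgmtClusterTcaCp": "10.0.0.12", "mgmtClusterName": "mgmt-02"},
  {"tcaCp": "10.0.0.21", "clusterName": "wc-a", "clusterId": "c-wc-a",
   "expirationDate": "2024-04-25T00:00:00Z",
   "mgmtClusterTcaCp": "10.0.0.11", "mgmtClusterName": "mgmt-01"},
  {"tcaCp": "10.0.0.22", "clusterName": "wc-b", "clusterId": "c-wc-b",
   "expirationDate": "2024-04-10T00:00:00Z",
   "mgmtClusterTcaCp": "10.0.0.12", "mgmtClusterName": "mgmt-02"},
  {"tcaCp": "10.0.0.23", "clusterName": "wc-c", "clusterId": "c-wc-c",
   "expirationDate": "2024-12-01T00:00:00Z",
   "mgmtClusterTcaCp": "10.0.0.12", "mgmtClusterName": "mgmt-02"}
]"""


def parse_utc(value):
    """Parse the assumed ISO 8601 UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def plan_renewals(clusters_json, now_iso, warn_days=30):
    """Return an ordered renewal plan for clusters expiring within warn_days.

    Management clusters come first; workload clusters follow, soonest expiry first,
    each carrying the cert-renew command from the article and the TCA-CP it runs on
    (mgmtClusterTcaCp). A workload cluster whose management cluster has already
    expired is marked blockedBy that management cluster.
    """
    now = parse_utc(now_iso)
    clusters = json.loads(clusters_json)
    by_name = {c["clusterName"]: c for c in clusters}

    def days_left(cluster):
        return (parse_utc(cluster["expirationDate"]) - now).days

    def is_mgmt(cluster):
        # Assumption: a management cluster lists itself as its own management cluster.
        return cluster["clusterName"] == cluster["mgmtClusterName"]

    due = [c for c in clusters if days_left(c) <= warn_days]
    plan = []
    for c in sorted((c for c in due if is_mgmt(c)), key=days_left):
        plan.append({
            "cluster": c["clusterName"], "kind": "management", "clusterId": c["clusterId"],
            "runOn": c["tcaCp"], "daysLeft": days_left(c), "blockedBy": None,
            # The management renewal steps are in the article's own section, not reproduced here.
            "action": "follow 'Renew Management Cluster Certificate' on this TCA-CP",
        })
    for c in sorted((c for c in due if not is_mgmt(c)), key=days_left):
        mgmt = by_name.get(c["mgmtClusterName"])
        blocked_by = mgmt["clusterName"] if mgmt is not None and days_left(mgmt) < 0 else None
        plan.append({
            "cluster": c["clusterName"], "kind": "workload", "clusterId": c["clusterId"],
            "runOn": c["mgmtClusterTcaCp"], "daysLeft": days_left(c), "blockedBy": blocked_by,
            "action": f"bash cert-renew -wc {c['clusterName']} -mc {c['mgmtClusterName']} -t workload",
        })
    return plan


if __name__ == "__main__":
    for step in plan_renewals(SAMPLE_CLUSTERS_JSON, "2024-04-20T00:00:00Z"):
        print(json.dumps(step))
```

With the sample data and a reference date of 2024-04-20, the plan lists mgmt-01 (already expired) first, then wc-b, then wc-a; wc-a is blocked until mgmt-01 has been renewed, which is exactly the ordering the note above requires.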
Additional Information
How to Get the Management Cluster Context in TCA-CP
In some corner cases the management cluster kubeconfig is not present in /root/.kube/config, which is the default kubeconfig path for kubectl. The following steps describe how to fetch the management cluster kubeconfig and merge it into /root/.kube/config.
SSH into the TCA-CP as the admin user.
Switch to the sudo user:
su -
Run the following command to switch to the management cluster. A list is provided if there is a management cluster.
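The merge step described under "How to Get the Management Cluster Context in TCA-CP" can be done with kubectl itself (KUBECONFIG=/root/.kube/config:/tmp/mgmt.kubeconfig kubectl config view --flatten). The script below is an added example, not part of the KB article or of the TCA scripts, that makes the merge rule explicit: clusters, users and contexts are keyed on name, an entry already in the target file is kept unchanged (mirroring kubectl's first-file-wins precedence), the existing current-context is preserved, and the result is written owner-readable only because a kubeconfig carries client keys and tokens. The sample kubeconfigs are constructed and written in JSON, which kubectl also accepts, so no YAML library is needed; the output path is a temporary file, not /root/.kube/config.

```python
"""Merge a fetched management-cluster kubeconfig into an existing kubeconfig.

Added example, not part of the KB article or the TCA scripts. The two kubeconfigs
below are constructed samples (JSON form, which kubectl accepts as YAML).
"""
import json
import os
import tempfile

# Constructed sample: the current /root/.kube/config knows only a workload cluster.
EXISTING_KUBECONFIG = """{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "wc-a", "cluster": {"server": "https://10.0.0.50:6443"}}],
  "users": [{"name": "wc-a-admin", "user": {"token": "PLACEHOLDER-wc-token"}}],
  "contexts": [{"name": "wc-a-admin@wc-a", "context": {"cluster": "wc-a", "user": "wc-a-admin"}}],
  "current-context": "wc-a-admin@wc-a"
}"""

# Constructed sample: the management cluster kubeconfig fetched from the cluster.
FETCHED_MGMT_KUBECONFIG = """{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "mgmt-01", "cluster": {"server": "https://10.0.0.40:6443"}}],
  "users": [{"name": "mgmt-01-admin", "user": {"token": "PLACEHOLDER-mgmt-token"}}],
  "contexts": [{"name": "mgmt-01-admin@mgmt-01", "context": {"cluster": "mgmt-01", "user": "mgmt-01-admin"}}],
  "current-context": "mgmt-01-admin@mgmt-01"
}"""

SECTIONS = ("clusters", "users", "contexts")


def merge_kubeconfigs(existing, incoming):
    """Return existing with incoming's clusters/users/contexts added.

    Named entries are keyed on "name"; an entry already present in existing wins,
    so merging never silently repoints a context that is already in use. The
    existing current-context is kept and only taken from incoming when absent.
    """
    merged = {k: v for k, v in existing.items() if k not in SECTIONS}
    for section in SECTIONS:
        have = {entry["name"]: entry for entry in existing.get(section, [])}
        for entry in incoming.get(section, []):
            have.setdefault(entry["name"], entry)   # keep the existing entry on a clash
        merged[section] = list(have.values())
    if not merged.get("current-context"):
        merged["current-context"] = incoming.get("current-context", "")
    return merged


def merge_kubeconfig_strings(existing_json, incoming_json):
    """Convenience wrapper taking the two kubeconfigs as JSON text."""
    return merge_kubeconfigs(json.loads(existing_json), json.loads(incoming_json))


def context_names(config):
    """Sorted context names, handy for checking what kubectl will be able to use."""
    return sorted(c["name"] for c in config.get("contexts", []))


def write_private(path, config):
    """Write the merged kubeconfig readable by its owner only (it holds credentials).

    Returns the resulting permission bits as an octal string, e.g. "0o600".
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)
    os.chmod(path, 0o600)   # also tighten a pre-existing file with looser permissions
    return oct(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    merged = merge_kubeconfig_strings(EXISTING_KUBECONFIG, FETCHED_MGMT_KUBECONFIG)
    # On a TCA-CP the target would be /root/.kube/config; a temporary file is used here.
    out = os.path.join(tempfile.gettempdir(), "merged-kubeconfig.json")
    print(write_private(out, merged), context_names(merged))
    # Afterwards: kubectl --kubeconfig <out> config use-context mgmt-01-admin@mgmt-01
```

After the merge both contexts are available and the workload context stays current, so switching to the management cluster is an explicit kubectl config use-context rather than a side effect of the merge.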