Limitations of the CA update Tool for TCA
search cancel

Limitations of the CA update Tool for TCA

book

Article ID: 384257

calendar_today

Updated On:

Products

VMware Telco Cloud Automation

Issue/Introduction

The CA update tool has limitations, lack of support for single-cluster updates, and reliance on manual file renaming for proper functionality.

Environment

2.0, 2.1, 2.3, 3.1

Cause

The observed limitations and behaviors of the CA update tool stem from its design and functionality priorities:

  1. Appending vs. Replacing Behavior:

    • The decision to append changes when updating kapp-controller-config ensures compatibility with the Harbor addon, which also modifies this configuration. Replacing it could unintentionally remove critical CA certificates.

  2. Node-Level CA Certificate Updates:

    • The requirement to rename .crt files to .pem arises from system and rehash compatibility needs. This ensures proper recognition and functionality within the node's operating system.

  3. Single Cluster Updates:

    • The tool currently operates at a global scope rather than a cluster-specific level. This limitation is due to the lack of code support for per-cluster updates in TCA 2.3.

These causes reflect intentional design choices and existing operational constraints, with future improvements planned for addressing known limitations like single-cluster updates.

Resolution

  1. Tool Behavior with kapp-controller-config

    • The tool appends changes when updating kapp-controller-config, while other resources are replaced.

    • This behavior is by design because the Harbor addon also updates the kapp-controller-config. Replacing it would remove any Harbor addon-configured CA certificates, if present.

  2. Updating CA Certificates on Nodes

    • The process is performed by running the Ansible playbook on each node.

    • You can find the playbook in the tool folder under ansible/update_node_ca.yml.

    • Note: The certificate file /etc/ssl/certs/<airgap fqdn>.crt should be renamed to use the .pem extension so it can be correctly recognized by rehash and the system.

  3. Updating Annotations in TKG Documentation

    • This is not required, as the update process runs on all nodes using the Ansible playbook rather than a rolling update or node recreation.

    • The update-ca tool enables in-place updates, eliminating the need for rolling updates or manual node redeployment.

    • This suggestion is guiding users to update CA certificates on every node by following the tkg way, so that all the nodes will be rolling updates (redeployed) when doing it manually.

    • The update-ca tool provides an in-place update, so there is no need to follow the TKG process when using update-ca instead of doing it manually.

  4. Tool Verification Process

    • Users can verify the update by logging into each node and using curl to check connectivity with the Airgap server.

    • The tool already includes a verify_nodes function to ensure all resources are updated. After running the update command, the tool also attempts to pull an image from the Airgap server as part of the verification process.

  5. Single Cluster Update

    • Updating a single cluster is not supported in TCA 2.3 and would require code changes to enable this functionality.

    • In future versions, we plan to include single-click operations to update certificates across all nodes managed by the respective Airgap server.

This functionality is supported only for v2.3 in the current tool.

Additional Updates

  • All version scripts are included in the v2.1.tar file. This version fixes some bugs and updates error messages.
  • Please download the CA tool update from update-ca-v2.1.tar.gz and upload it to the TCA CP appliance.
  • After extracting it, use the corresponding script version for your TCA version.
Transfer the tarball to TCA CP appliance.
# scp update-ca-v2.1.tar.gz admin@<tcacpip>:~
# scp ca.crt admin@<tcacpip>:~
# ssh admin@<tcacpip>
[admin@tcacp ~]$ su
Password:
[root@tcacp /home/admin] ls
update-ca-v2.1.tar.gz
[root@tcacp /home/admin] tar vxfz update-ca-v2.1.tar.gz
[root@tcacp /home/admin] ls
update-ca update-ca-v2.1.tar.gz
[root@tcacp /home/admin] cd update-ca
[root@tcacp /home/admin/update-ca] ls
ansible update_ca.py
[root@tcacp /home/admin/update-ca] ./update_ca.py -h

The CA update tool in TCA is designed to streamline certificate updates while preserving compatibility with existing configurations, like the Harbor addon. While there are some limitations, such as single-cluster updates, these are expected to be resolved in future versions. Users are encouraged to follow the provided steps to avoid issues and ensure a smooth update process.

See the attached TCA_2.3 - Deployment Guide.pdf document

Attachments

TCA_2.3 - Deployment Guide.pdf get_app
Powered by Wolken Software