Generate certificate analysis report using Workflow Hub

Article ID: 403972
Products

VMware Telco Cloud Automation

Issue/Introduction

How to generate the certificate analysis report for TCP infrastructure (TCA-M, TCA-CP, vCenter, Airgap Servers, and managed clusters) using Workflow Hub.

Environment

3.2

Resolution

Prerequisite

Download the wfh-cert-automation.tar.gz file and copy it to the TCA-M

  1. Access a Linux jumphost with Internet access and download the wfh-cert-automation.tar.gz file:

    curl -LO https://packages.broadcom.com/artifactory/tca-distro/kb/vodafone-3.2.0.1-patch/wfh-cert-automation.tar.gz

  2. Copy the file to the /tmp directory of the TCA-M:

    scp wfh-cert-automation.tar.gz admin@<tca-manager ip>:/tmp

Service installation in TCA-M

  1. Login to TCA-M and extract the wfh-cert-automation.tar.gz tar file:
    cd /tmp 
    tar -xvf wfh-cert-automation.tar.gz
    cd wfh-cert-automation

  2. Switch to the root user:

    su -

  3. Execute the deployment script deploy-cert-automation-service.sh:
    ./deploy-cert-automation-service.sh

  4. Confirm the cert-automation pod has been deployed and is in a Running state:

    kubectl get pods -n <namespace>

Save workflow hub secrets in TCA-M

  1. SSH into TCA Manager as the admin user.

  2. Change to the /tmp/wfh-cert-automation directory.

  3. Open the secrets.json file with a text editor and update the secret data according to the following table:

    Secret Key               Description
    vcSecrets                Details of vCenter
    tcaWfhSecrets            Details of the TCA where WFH is deployed
    tcaCaasSecrets           Details of the TCA where the clusters to be analyzed are deployed. This can be the same TCA where WFH is deployed.
    tcaAirgapServerSecrets   Details of the Airgap Server. The certificate analysis is done for this airgap server, and the generated analysis reports (cluster/infra) are uploaded to it.
    tcaCpSecrets             Details of all TCA-CPs

  4. Execute the script to save the Workflow Hub secrets:

    ./save-secrets.sh

    Note: For security reasons, we recommend the secrets.json file be deleted once the secrets have been updated successfully.

Save workflow hub schema in TCA-M

  1. Log into the TCA-M UI

  2. Go to Workflow Hub > Schemas

  3. Click Add Schema.

  4. Provide the following information:

      1. Path: /cert-automation

      2. Type: Open API

      3. Description (Optional): Certificate Automation Service Schema

      4. Schema: 

    openapi: 3.0.2
    info:
     title: 'Certificate Automation Service'
     version: '1.0.0'
    servers:
     - url: http://{tca}
       variables:
         tca:
           default: <TCA-IP>
           description: TCA IP
    paths:
     /cert-automation/api/v1/tasks:
       get:
         operationId: list_all_tasks
         description: 'List all certificate analysis/renewal tasks'
         parameters: []
         responses:
           '200':
             content:
               application/json:
                 schema:
                   type: array
                   items:
                     $ref: "#/components/schemas/TaskObject"
             description: ''
         tags:
           - cert-automation
     /cert-automation/api/v1/tasks/{task_id}:
       get:
         operationId: get_task_by_id
         description: 'Get certificate analysis/renewal task by id'
         parameters:
           - name: task_id
             in: path
             required: true
             description: 'Execution Task Id'
             schema:
               type: string
         responses:
           '200':
             content:
               application/json:
                 schema:
                   $ref: "#/components/schemas/TaskObject"
             description: ''
         tags:
           - cert-automation
     /cert-automation/api/v1/{component}/execute:
       post:
         operationId: execute_task
         description: 'Execute certificate analysis/renewal task'
         parameters:
           - name: component
             in: path
             required: true
             description: 'Component name'
             schema:
               type: string
         requestBody:
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/ExecuteTaskRequest"
         responses:
           '201':
             content:
               application/json:
                 schema:
                   $ref: "#/components/schemas/TaskObject"
             description: ''
         tags:
           - cert-automation
    components:
     schemas:
       TaskObject:
         type: object
         properties:
           task_id:
             type: string
           component:
             type: string
           payload:
             type: string
           status:
             type: string
           created_at:
             type: string
             format: date-time
           last_updated:
             type: string
             format: date-time
           output:
             type: string
             nullable: true
           error:
             type: string
             nullable: true 
       ExecuteTaskRequest:
         type: object
         required:
           - payload
         properties:
           payload:
             type: string

  5. Click Add to save the schema.
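The schema above defines three operations (list_all_tasks, get_task_by_id, execute_task) and a TaskObject with a free-form status, a nullable output and a nullable error. The client below, added here as an example and not part of the KB article or of the service itself, exercises that contract: it starts a task with execute_task and polls get_task_by_id until the task finishes. Two things are assumptions: the set of terminal status strings (the schema does not list them) and the FakeService, a constructed in-memory stand-in so the code runs offline. Note that the schema declares a plain http:// server URL, so real calls to the NodePort are unencrypted.

```python
"""Client for the Certificate Automation Service API as declared in the
OpenAPI schema above (list_all_tasks, get_task_by_id, execute_task).
Added example, not part of the KB article or the service code."""
import json
import time
import urllib.request
from typing import Callable, Optional

# Assumption: the schema types `status` as a free-form string and does not
# list its values, so these terminal statuses are a guess to adjust.
TERMINAL_STATUSES = {"COMPLETED", "SUCCESS", "FAILED", "ERROR"}

Transport = Callable[[str, str, Optional[bytes]], object]


def urllib_transport(method: str, url: str, body: Optional[bytes]) -> object:
    """Real HTTP transport. The schema declares a plain http:// server, so
    requests and responses travel unencrypted to the NodePort."""
    req = urllib.request.Request(url, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class CertAutomationClient:
    def __init__(self, service_endpoint: str, transport: Transport = urllib_transport):
        # service_endpoint is "<tca-m-ip>:<port>", the same value the workflows take.
        self.base = f"http://{service_endpoint}/cert-automation/api/v1"
        self.transport = transport

    def list_tasks(self) -> list:
        return self.transport("GET", f"{self.base}/tasks", None)

    def get_task(self, task_id: str) -> dict:
        return self.transport("GET", f"{self.base}/tasks/{task_id}", None)

    def execute(self, component: str, payload: str) -> dict:
        # ExecuteTaskRequest is {"payload": "<string>"}; the response is a TaskObject.
        body = json.dumps({"payload": payload}).encode("utf-8")
        return self.transport("POST", f"{self.base}/{component}/execute", body)

    def execute_and_wait(self, component: str, payload: str,
                         poll_seconds: float = 2.0, timeout_seconds: float = 600) -> dict:
        """Start a task and poll get_task_by_id until it reaches a terminal
        status or reports an error; raise TimeoutError otherwise."""
        task_id = self.execute(component, payload)["task_id"]
        deadline = time.monotonic() + timeout_seconds
        while time.monotonic() < deadline:
            task = self.get_task(task_id)
            status = (task.get("status") or "").upper()
            if status in TERMINAL_STATUSES or task.get("error") is not None:
                return task
            time.sleep(poll_seconds)
        raise TimeoutError(f"task {task_id} not finished after {timeout_seconds}s")


class FakeService:
    """Constructed in-memory stand-in for the service so the example runs
    offline: a task stays RUNNING for `polls_until_done` polls, then COMPLETED."""

    def __init__(self, polls_until_done: int = 2):
        self.tasks, self.polls, self.polls_until_done = {}, {}, polls_until_done

    def transport(self, method: str, url: str, body: Optional[bytes]) -> object:
        path = url.split("/cert-automation/api/v1", 1)[1]
        if method == "POST" and path.endswith("/execute"):
            task_id = f"task-{len(self.tasks) + 1}"
            self.tasks[task_id] = {
                "task_id": task_id, "component": path.strip("/").split("/")[0],
                "payload": json.loads(body)["payload"], "status": "RUNNING",
                "created_at": "2025-06-25T04:54:04Z", "last_updated": "2025-06-25T04:54:04Z",
                "output": None, "error": None}
            self.polls[task_id] = 0
            return dict(self.tasks[task_id])
        if method == "GET" and path == "/tasks":
            return [dict(t) for t in self.tasks.values()]
        if method == "GET" and path.startswith("/tasks/"):
            task = self.tasks[path.rsplit("/", 1)[1]]
            self.polls[task["task_id"]] += 1
            if self.polls[task["task_id"]] >= self.polls_until_done:
                task["status"], task["output"] = "COMPLETED", f"analysis of {task['component']} done"
            return dict(task)
        raise ValueError(f"unexpected request {method} {url}")


def demo() -> dict:
    """Run the execute/poll loop against the offline FakeService."""
    client = CertAutomationClient("10.0.0.5:30080", transport=FakeService().transport)
    return client.execute_and_wait("tca_v2", json.dumps({"components": ["tca_v2"]}), poll_seconds=0)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real TCA-M, construct the client with the default transport and the same "<tca-m-ip>:<port>" value used as serviceEndpoint in the workflow inputs; because the transport is injectable, the polling logic can be tested without network access, as demo() does.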

Import workflow bundle in TCA-M

  1. Download the workflows.zip file to a local jumphost that has access to the TCA-M UI:

    curl -LO https://packages.broadcom.com/artifactory/tca-distro/kb/vodafone-3.2.0.1-patch/workflows.zip 

  2. Log into the TCA-M UI

  3. Go to Workflow Hub > Workflows

  4. Click Import

  5. Upload the workflows.zip file and click Import

Execute workflow to analyze TCA infrastructure certificates

  1. Log into TCA-M UI

  2. Go to Workflow Hub > Runs

  3. Execute the workflow with id: analyze-infra-certificates and version: 1.0.0 to analyze certificates related to the TCP infrastructure (vCenter, TCA, TCA-CP, Airgap Server).

    Example:

    {
        "input": {
            "serviceEndpoint": "<tca-m-ip>:<port>",
            "components": [
                "vc_v2",
                "tca_airgap_server_v2",
                "tca_v2",
                "tcacp_v2"
            ]
        }
    }

    Note: After successful execution of this workflow, the certificate report is generated, moved to the airgap server, and the URL to access it is added to the workflow output.

    Note: The serviceEndpoint is the IP address of the TCA-M (<tca-m-ip>) and the NodePort of the cert-automation service. The port can be obtained using:

    kubectl get svc -n <namespace>

    Note: components is the array of components whose certificates are to be analyzed. The supported values (as used in the example above) are:
    • vc_v2 (vCenter)
    • tca_airgap_server_v2 (airgap server)
    • tca_v2 (TCA)
    • tcacp_v2 (TCA-CP)

Execute workflow to analyze cluster certificates

  1. Log into the TCA-M UI

  2. Go to Workflow Hub > Runs

  3. Execute the workflow with id: caas-analyze-clusters-certificates and version: 1.0.0 to analyze the certificates of all clusters.

Note: Upon successful workflow execution, a certificate report is generated and transferred to the airgap server, and the URL to access it is included in the workflow output.

Sample input:

{
    "input": {
        "serviceEndpoint": "#.#.#.#:<port>",
        "systemDiscoveryRequired": true
    }
}

Note: The serviceEndpoint is the IP address of the TCA-M (where the service is deployed) and the NodePort of the service, which can be obtained by running:

kubectl get svc -n <namespace>

  • systemDiscoveryRequired is a boolean flag to collect cluster details.
    • Setting this flag to true will cause workflow to collect the details of all clusters in the system.

    • This is an optional field and the default value is true.

    • When executing the workflow for the first time, either don't provide this field or set this field to true so that cluster data can be collected successfully.

    • For subsequent executions, if no clusters were added or removed, this field can be set to false.

Example output:
{
    "output": {
        "uploadedReportDetails": {
            "message": "Certificate analysis report can be accessed at https://#.#.#.#/support-bundle/20250625_045404_cluster-certificate-report/index.html"
        }
    }
}
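Both workflows above take the same serviceEndpoint value ("<tca-m-ip>:<port>", where the port is the NodePort shown by kubectl get svc), and both return the report URL inside uploadedReportDetails.message. The helpers below are an added example, not code from the KB article: they parse the NodePort out of kubectl get svc table output, build the input for the infrastructure workflow (rejecting component names outside the supported list) and for the cluster workflow, and pull the report URL out of the workflow output. The service name "cert-automation" and the kubectl output are assumptions (the page does not give the service name; the output is constructed).

```python
"""Helpers for preparing the inputs of the two Workflow Hub runs above and
reading their output. Added example, not from the KB article.
Assumption: the service is named "cert-automation" in `kubectl get svc`
output; the page does not state the service name."""
import json
import re

SERVICE_NAME = "cert-automation"  # assumed service name (see above)

# Component names as used in the analyze-infra-certificates example input.
INFRA_COMPONENTS = {"vc_v2", "tca_airgap_server_v2", "tca_v2", "tcacp_v2"}

# Constructed sample of `kubectl get svc -n <namespace>` output.
SAMPLE_SVC_OUTPUT = """\
NAME              TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)          AGE
cert-automation   NodePort    10.96.12.34   <none>        8080:30080/TCP   5m
other-svc         ClusterIP   10.96.40.2    <none>        443/TCP          9d
"""


def node_port(svc_output: str, name: str = SERVICE_NAME) -> int:
    """Return the NodePort of service `name` from `kubectl get svc` table output."""
    for line in svc_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 5 and cols[0] == name:
            if cols[1] != "NodePort":
                raise ValueError(f"{name} is of type {cols[1]}, not NodePort")
            # PORT(S) reads "<port>:<nodePort>/<proto>"; the NodePort follows the colon.
            m = re.match(r"\d+:(\d+)/", cols[4])
            if not m:
                raise ValueError(f"no NodePort in {cols[4]!r}")
            return int(m.group(1))
    raise LookupError(f"service {name!r} not found")


def service_endpoint(tca_m_ip: str, svc_output: str) -> str:
    """Build the serviceEndpoint value "<tca-m-ip>:<port>" both workflows expect."""
    return f"{tca_m_ip}:{node_port(svc_output)}"


def infra_input(endpoint: str, components) -> dict:
    """Input for analyze-infra-certificates; rejects unknown component names."""
    unknown = sorted(set(components) - INFRA_COMPONENTS)
    if unknown:
        raise ValueError(f"unsupported components: {unknown}")
    return {"input": {"serviceEndpoint": endpoint, "components": list(components)}}


def cluster_input(endpoint: str, system_discovery_required: bool = True) -> dict:
    """Input for caas-analyze-clusters-certificates. Keep the flag True on the
    first run and after clusters or TCA-CPs are added or removed."""
    return {"input": {"serviceEndpoint": endpoint,
                      "systemDiscoveryRequired": system_discovery_required}}


def report_url(workflow_output: dict) -> str:
    """Extract the report URL from the uploadedReportDetails message."""
    message = workflow_output["output"]["uploadedReportDetails"]["message"]
    m = re.search(r"https?://\S+", message)
    if not m:
        raise ValueError(f"no URL in message: {message!r}")
    return m.group(0)


if __name__ == "__main__":
    endpoint = service_endpoint("10.0.0.5", SAMPLE_SVC_OUTPUT)
    print(json.dumps(infra_input(endpoint, ["vc_v2", "tca_v2", "tcacp_v2"]), indent=4))
    print(json.dumps(cluster_input(endpoint), indent=4))
```

On a TCA-M, feed node_port() the live output instead of the sample, for example subprocess.check_output(["kubectl", "get", "svc", "-n", "<namespace>"], text=True), and paste the JSON that infra_input() or cluster_input() returns into the Workflow Hub run.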

Additional Information

What is the size of reports which are moved to the airgap server?

  • The size of the TCA infrastructure certificate report is ~150KB. 

  • The size of the cluster certificate report with 104 clusters spread across 5 TCA-CPs is ~320KB.

What are the actions needed if a new TCA-CP is added or an existing one is removed?

  • If a TCA-CP is added or removed, update the TCA-CP details (tcaCpSecrets) in secrets.json and re-run ./save-secrets.sh as described under "Save workflow hub secrets in TCA-M" (recreate secrets.json first if it was deleted after the initial run).

  • After that, the workflow to analyze TCA infrastructure certificates can be executed without any change.

  • The workflow to analyze cluster certificates must be run once with the systemDiscoveryRequired flag set to true.

What are the actions needed if new clusters are created or existing clusters are deleted?

  • If new clusters are added, the monitor operator on these clusters will require patching.

  • For detailed instructions on this process, refer to the Apply monitor operator patch document. 

  • Upon the addition or deletion of clusters, the cluster analysis workflow must first be executed with the systemDiscoveryRequired flag set to true.

  • This action facilitates the discovery of any newly added clusters.

  • Subsequent executions of the cluster analysis workflow can then proceed with the systemDiscoveryRequired flag set to false.

Is there any action required if node pools are added/ deleted in a cluster?

  • No action is required in this scenario.

Can the workflow to discover clusters be run independently?

  • Yes, it can be run independently.

  • Execute the workflow with id: analyze-tca and version: 1.0.0 with input like the following:

    {
        "input": {
            "serviceEndpoint": "#.#.#.#:<port>"
        }
    }

What happens when a TCA-CP or cluster is down? Will analysis reports still be generated, or will the workflow fail?

  • If a TCA-CP or cluster is down or unreachable, the analysis workflow still completes successfully and the reports are still generated. The error message for the unreachable component is included in the cluster report.