Update Airgap trusted certificate for the management cluster via CLI tool.

Article ID: 405212

Products

VMware Telco Cloud Automation

Issue/Introduction

  • The Airgap trusted certificate stored in the v1.24.10 management cluster was recently updated.
  • The kapp controller on the management cluster is not working.

Environment

3.2

Cause

TCA 3.2 does not support Airgap trusted certificate updates for the v1.24.10 management cluster.

Resolution

NOTE: Updating the Airgap trusted certificate of the management cluster will trigger a rolling update of the cluster nodes.

Task: Update TCA-DB in TCA Manager Appliance

  1. Download the update Airgap trusted certificate tarball from update-ca-v3.3.tar.gz 
  2. Upload it to the TCA-M appliance /home/admin directory using SCP or an alternative method
  3. Unpack the tarball as the root user
    [root@tca-m /home/admin]# tar vxfz update-ca-v3.3.tar.gz
  4. Run the `update_ca.py update-cert-db` command to update the Airgap trusted certificate in the TCA-M database.
    # python update_ca.py update-cert-db --fqdn <airgap server fqdn> --cafile <ca certificate file>
    NOTE: The FQDN is case sensitive. Please fetch the FQDN from the Partner Systems UI.

    The following output is an example:
    [root@tca-m /home/admin/update-ca ]# python update_ca.py update-cert-db --fqdn <airgap server fqdn> --cafile <ca certificate file>
    update_ca[INFO]: airgap repo: <airgap server fqdn> is valid
    update_ca[INFO]: ########## Quering <airgap server fqdn>'s id,val in Postgres ##########
    update_ca[INFO]: ########## Updating <airgap server fqdn>'s val by id in Postgres ##########
    update_ca[INFO]: the interfaceInfo is {'fqdn': <airgap server fqdn>', 'caCert':'<Certificate Hash>'}
    update_ca[INFO]: Successfully update cert db
  5. Check the Airgap trusted certificate in the TCA-M Infrastructure > Partner Systems UI.

Task: Update Airgap Certificate for Management Cluster

  1. Download the update Airgap trusted certificate tarball from update-ca-v3.3.tar.gz
  2. Upload it to the TCA-CP appliance /home/admin directory using SCP or an alternative method
  3. Unpack the tarball as the root user
    [root@tca-cp /home/admin]# tar vxfz update-ca-v3.3.tar.gz
  4. Run the `update_ca.py update-mgmtcluster` command to update the Airgap trusted certificate of the specified management cluster.
    # python update_ca.py update-mgmtcluster --cafile <ca certificate file> --name <management cluster name>

    The following output is an example:

    [root@tca-cp /home/admin/update-ca/v3.3 ]# python update_ca.py update-mgmtcluster --cafile <ca certificate file> --name <management cluster name>
    client[INFO]: Successfully get TkgContext
    update_ca[INFO]: airgap repo: <airgap server fqdn> is valid
    client[INFO]: Updated tkgcontext ########-####-####-####-############ with response 
    client[INFO]: Successfully get management cluster Kubeconfig
    client[INFO]: update cluster kapp-controller-config successfully
    client[INFO]: update secret [tkg-pkg-tkg-system-values] in namespace [tkg-system] successfully
    client[INFO]: update secret [tkr-source-controller-values] in namespace [tkg-system] successfully
    client[INFO]: update secret [tkr-vsphere-resolver-values] in namespace [tkg-system] successfully
    client[INFO]: update management cluster tkr-controller-config successfully
    client[INFO]: update clusterclass mgmt cluster [<management cluster name>] in namespace tkg-system successfully
    update_ca[INFO]: Updated management cluster
  5. Run the `update_ca.py show-state-mgmtcluster` command to display the status of the Airgap trusted certificate update for the specified management cluster.

    # python update_ca.py show-state-mgmtcluster --name <management cluster name>

    The following output is an example:

    [root@tca-cp /home/admin/update-ca/v3.3 ]# python update_ca.py show-state-mgmtcluster --name <management cluster name>
    client[INFO]: Successfully get TkgContext
    update_ca[INFO]: airgap repo: <airgap server fqdn> is valid
    client[INFO]: Successfully get management cluster Kubeconfig
    client[INFO]: nodeConfig [update-airgap-certs] is updated successuflly
    client[INFO]: configmap kapp-controller-config/tkg-system: up to date
    client[INFO]: secret tkg-pkg-tkg-system-values/tkg-system: up to date
    client[INFO]: secret [tkr-source-controller-values] in namespace [tkg-system]: up to date
    client[INFO]: caCerts doesn't exist in secret [tkr-vsphere-resolver-values] in namespace [tkg-system]
    client[INFO]: configmap tkr-controller-config: up to date
    client[INFO]: cluster [<management cluster name>] in namespace tkg-system: up to date
    client[INFO]: cluster nodes: up to date
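
The following Python script is an added example, not part of the original article or of the update-ca tarball: it parses `show-state-mgmtcluster` output like the sample above and separates resources reported `up to date` from lines that need an operator's review. It assumes `up to date` is the finished state, as in the example output; the article does not show the wording of other states, so every other status line is flagged. The names `classify` and `rollout_done` are hypothetical.

```python
import re

# Sample copied from the show-state-mgmtcluster example output in this article.
SAMPLE = """\
client[INFO]: Successfully get TkgContext
update_ca[INFO]: airgap repo: <airgap server fqdn> is valid
client[INFO]: Successfully get management cluster Kubeconfig
client[INFO]: nodeConfig [update-airgap-certs] is updated successuflly
client[INFO]: configmap kapp-controller-config/tkg-system: up to date
client[INFO]: secret tkg-pkg-tkg-system-values/tkg-system: up to date
client[INFO]: secret [tkr-source-controller-values] in namespace [tkg-system]: up to date
client[INFO]: caCerts doesn't exist in secret [tkr-vsphere-resolver-values] in namespace [tkg-system]
client[INFO]: configmap tkr-controller-config: up to date
client[INFO]: cluster [<management cluster name>] in namespace tkg-system: up to date
client[INFO]: cluster nodes: up to date
"""

LINE = re.compile(r"^(?P<src>\w+)\[(?P<level>[A-Z]+)\]: (?P<msg>.*)$")
PROGRESS = ("Successfully ", " is valid", "is updated success")

def classify(output):
    """Split tool output into up-to-date resources and lines needing review."""
    current, review = [], []
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            if raw.strip():
                review.append(raw.strip())  # unparsed text, e.g. a traceback
            continue
        msg = m["msg"]
        if m["level"] != "INFO":
            review.append(msg)  # assumption: non-INFO levels need attention
        elif msg.endswith(": up to date"):
            current.append(msg[: -len(": up to date")])
        elif not any(p in msg for p in PROGRESS):
            review.append(msg)  # status wording not shown in the article
    return current, review

def rollout_done(output):
    """True only when the node rolling update is reported as finished."""
    return "cluster nodes" in classify(output)[0]

if __name__ == "__main__":
    import sys
    text = sys.stdin.read()
    print("\n".join("REVIEW: " + r for r in classify(text)[1]))
    sys.exit(0 if rollout_done(text) else 1)
```

Pipe the command output into the script on stdin; a non-zero exit code means the `cluster nodes` line has not yet reached `up to date`.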