Spring Cloud Gateway for VMware Tanzu generates a set of TLS certificates upon deployment. These are required to secure its MySQL database. These certificates must be regenerated (rotated) when they reach their expiry date. Here are instructions to help you rotate the TLS certificates.
Spring Cloud Gateway v1.0.12 and above uses the Ops Manager Services TLS CA to sign its leaf certificates. This removes the need to rotate a dedicated Spring Cloud Gateway CA certificate. Instead, Spring Cloud Gateway certificates can be regenerated as part of the unified procedure to rotate the CA for all service tiles.
To rotate the Services TLS CA certificate and regenerate the Spring Cloud Gateway leaf certificates, follow the documented procedure. If your Ops Manager environment meets the requirements, we advise following the documented recommendation to use CredHub Maestro to simplify the process.
Spring Cloud Gateway v1.0.11 and below uses a dedicated CA certificate, which will not be rotated as part of the Services TLS CA rotation. Instead, it requires a custom rotation procedure.
Note: The following procedure uses the jq command-line JSON processing tool.
To rotate the certificates, you must first authenticate with the BOSH Director VM.
Once authenticated, locate the Spring Cloud Gateway BOSH deployment:
$ bosh deployments
The Spring Cloud Gateway deployment is named p_spring-cloud-gateway-service-[UNIQUE-ID].
Next, you will need to target and log in to the BOSH CredHub API Server.
Using the deployment name you located with BOSH, use the CredHub CLI to list the deployment's Certificate Authority (CA) certificates:
$ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[]
| select((.name | contains("p_spring-cloud-gateway-service-b97ed088d2495d6813a9")) and
.versions[0].certificate_authority == true) | .name'
"/p-bosh/p_spring-cloud-gateway-service-b97ed088d2495d6813a9/pxc_server_ca"
"/p-bosh/p_spring-cloud-gateway-service-b97ed088d2495d6813a9/pxc_galera_ca"
If you are using Ops Manager version 2.9 or above, the recommended approach to rotate the Spring Cloud Gateway certificates is to use CredHub Maestro.
To perform a certificate rotation, you must first set up CredHub Maestro.
Next, follow the procedure for rotating a single CA certificate for each of the Spring Cloud Gateway deployment's CA certificates.
If you are using Ops Manager version 2.8 or below, use the following procedure to manually rotate the Spring Cloud Gateway certificates stored in the Tanzu Application Service for VMs (TAS for VMs) runtime CredHub.
First, list the deployment's leaf certificates, which are signed by the CA certificates:
$ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[] |
select((.name | contains("p_spring-cloud-gateway-service-b97ed088d2495d6813a9")) and
.versions[0].certificate_authority == false) | .name'
"/p-bosh/p_spring-cloud-gateway-service-b97ed088d2495d6813a9/pxc_mysql_server_certificate"
"/p-bosh/p_spring-cloud-gateway-service-b97ed088d2495d6813a9/pxc_galera_server_certificate"
After rotating a CA certificate, you must regenerate the leaf certificates signed by that CA certificate.
Look up the CA certificate:
$ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-gateway-service-b97ed088d2495d6813a9/pxc_server_ca"
You should see only one entry in the versions list. Copy the id of this version.
Using the id copied in the previous step, generate a new transitional certificate version:
$ credhub curl -p "/api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/regenerate" -d '{"set_as_transitional": true}' -X POST
Visit the Ops Manager Installation Dashboard and apply your changes.
Look up the CA certificate again:
$ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-gateway-service-b97ed088d2495d6813a9/pxc_server_ca"
The new certificate version currently has "transitional": true, and the old version has "transitional": false. Copy the id of the old version and use it to update the CA certificate, making the old version transitional:
$ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": "834a4d40-d925-49f1-aced-a4362819d173"}' -X PUT
Regenerate the leaf certificates that are signed by this CA certificate:
$ credhub regenerate -n /p-bosh/p_spring-cloud-gateway-service-b97ed088d2495d6813a9/pxc_mysql_server_certificate
Return to the Ops Manager Installation Dashboard and apply your changes.
Remove the transitional flag from the old version of the CA certificate:
$ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": null}' -X PUT
Return to the Ops Manager Installation Dashboard and apply your changes.
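As an added example (it is not part of the VMware documentation and not the credhub CLI's own code), the manual procedure above can be driven by a short Python script that wraps credhub curl and credhub regenerate. It assumes the credhub CLI is on PATH and is already targeted and logged in to the BOSH CredHub; the run parameter of each function lets the same logic be exercised against a fake runner offline. Because the Ops Manager "Apply Changes" step between phases is done by the operator, the script is split into three phases: begin (new transitional version), swap (old version becomes transitional, leaf certificates regenerated) and finish (transitional flag cleared). In the CredHub API, the regenerate and update_transitional_version paths take the certificate's top-level id from the lookup response, while the version field in the update body is a version id; the script reads both from the response rather than having you copy them by hand. The operator supplies the leaf names signed by the CA being rotated (as the page pairs pxc_server_ca with pxc_mysql_server_certificate); the deployment id and certificate names in the usage line are placeholders.

```python
"""Drive the manual Spring Cloud Gateway CA rotation steps against CredHub.

Assumes `credhub` is on PATH and already targeted/logged in. Run one phase,
Apply Changes in Ops Manager, then run the next:
  python3 rotate_sgw_ca.py begin  /p-bosh/p_spring-cloud-gateway-service-ID/pxc_server_ca
  python3 rotate_sgw_ca.py swap   /p-bosh/.../pxc_server_ca /p-bosh/.../pxc_mysql_server_certificate
  python3 rotate_sgw_ca.py finish /p-bosh/.../pxc_server_ca
"""
import json
import subprocess
import sys
from typing import Callable, List, Optional

# A runner takes the argv that follows "credhub" and returns its stdout.
Runner = Callable[[List[str]], str]


def run_credhub(args: List[str]) -> str:
    """Default runner: shell out to the real credhub CLI."""
    return subprocess.run(["credhub", *args], check=True, capture_output=True, text=True).stdout


def credhub_curl(run: Runner, path: str, method: str = "GET", body: Optional[dict] = None) -> dict:
    """Equivalent of `credhub curl -p PATH -X METHOD [-d JSON]`, parsed as JSON."""
    args = ["curl", "-p", path, "-X", method]
    if body is not None:
        args += ["-d", json.dumps(body)]
    out = run(args)
    return json.loads(out) if out.strip() else {}


def list_certificate_names(run: Runner, deployment: str, certificate_authority: bool) -> List[str]:
    """Names of the deployment's CA (True) or leaf (False) certificates, like the jq filter above."""
    data = credhub_curl(run, "/api/v1/certificates")
    return sorted(
        c["name"] for c in data.get("certificates", [])
        if deployment in c["name"]
        and c["versions"][0]["certificate_authority"] == certificate_authority
    )


def lookup_certificate(run: Runner, name: str) -> dict:
    """GET /api/v1/certificates?name=NAME; returns the certificate object (id + versions)."""
    certs = credhub_curl(run, f"/api/v1/certificates?name={name}").get("certificates", [])
    if len(certs) != 1:
        raise RuntimeError(f"expected exactly one certificate named {name}, found {len(certs)}")
    return certs[0]


def begin_ca_rotation(run: Runner, ca_name: str) -> str:
    """Phase 1: refuse to start unless exactly one version exists, then add a transitional version."""
    cert = lookup_certificate(run, ca_name)
    if len(cert["versions"]) != 1:
        raise RuntimeError(f"{ca_name} has {len(cert['versions'])} versions; a rotation may already be in progress")
    credhub_curl(run, f"/api/v1/certificates/{cert['id']}/regenerate", "POST", {"set_as_transitional": True})
    return cert["id"]


def move_transitional_to_old_version(run: Runner, ca_name: str) -> str:
    """Phase 2a (after Apply Changes): flip the transitional flag from the new version to the old one."""
    cert = lookup_certificate(run, ca_name)
    old = [v for v in cert["versions"] if not v["transitional"]]
    new = [v for v in cert["versions"] if v["transitional"]]
    if len(old) != 1 or len(new) != 1:
        raise RuntimeError(f"{ca_name}: expected one transitional and one non-transitional version")
    credhub_curl(run, f"/api/v1/certificates/{cert['id']}/update_transitional_version", "PUT",
                 {"version": old[0]["id"]})
    return old[0]["id"]


def regenerate_leaves(run: Runner, leaf_names: List[str]) -> List[str]:
    """Phase 2b: `credhub regenerate -n LEAF` for each leaf signed by the rotated CA."""
    for name in leaf_names:
        run(["regenerate", "-n", name])
    return list(leaf_names)


def finish_ca_rotation(run: Runner, ca_name: str) -> str:
    """Phase 3 (after Apply Changes): clear the transitional flag, leaving only the new CA trusted."""
    cert = lookup_certificate(run, ca_name)
    credhub_curl(run, f"/api/v1/certificates/{cert['id']}/update_transitional_version", "PUT", {"version": None})
    return cert["id"]


def main(argv: List[str]) -> None:
    if len(argv) < 2 or argv[0] not in ("begin", "swap", "finish"):
        raise SystemExit("usage: rotate_sgw_ca.py begin|swap|finish CA-NAME [LEAF-NAME ...]")
    phase, ca_name, leaves = argv[0], argv[1], argv[2:]
    if phase == "begin":
        begin_ca_rotation(run_credhub, ca_name)
    elif phase == "swap":
        move_transitional_to_old_version(run_credhub, ca_name)
        regenerate_leaves(run_credhub, leaves)
    else:
        finish_ca_rotation(run_credhub, ca_name)
    print(f"{phase} done for {ca_name}; now apply changes in the Ops Manager Installation Dashboard")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Each phase re-reads the certificate from CredHub and checks that its version list is in the state the page describes for that step (one version before begin; one transitional and one non-transitional before swap), so running a phase twice, or out of order, fails instead of leaving the CA half-rotated.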