If the Airgap server's root certificate is private (not issued by a public CA), the Airgap server must be registered in the Partner System with that trusted root certificate. When the root certificate expires (typically after 10 years), the cluster features that depend on the Airgap server stop working, because image and package pulls from the Airgap server no longer pass certificate validation. This guide provides scripts to update an existing cluster with the renewed airgap-trusted root certificate and restore those features.

The following procedures detail the steps to renew the airgap certificate on the TCA-M and TCA-CP appliances.

Prerequisites

The Airgap server has already been updated with the renewed airgap-trusted root CA certificate, and the new CA certificate file (ca.cert in the examples below) is available to upload.

Procedure

  1. Update TCA-DB in TCA Manager Appliance
    1. Download the renewed airgap cert tarball (update-ca-v3.1.tar.gz). Upload it to the TCA-M appliance and unpack it as root.
      # scp update-ca-v3.1.tar.gz admin@<tca-m-ip>:~
      # ssh admin@<tca-m-ip>
      [admin@tca-m ~]$ su
      Password:
      [root@tca-m /home/admin] ls
      update-ca-v3.1.tar.gz
      [root@tca-m /home/admin] tar vxfz update-ca-v3.1.tar.gz
    2. Run the update_ca.py update-cert-db command to update the airgap certificate in the TCA-M database.
      # python update_ca.py update-cert-db --fqdn FQDN --cafile CAFILE
      The following output is an example:
      root@tca-m [ /home/admin/update-ca ]# python update_ca.py update-cert-db --fqdn airgap.example.com --cafile ca.cert
      update_ca[INFO]: airgap repo: airgap.example.com is valid
      update_ca[INFO]: ########## Quering airgap.example.com's id,val in Postgres ##########
      update_ca[INFO]: ########## Updating airgap.example.com's val by id in Postgres ##########
      update_ca[INFO]: the interfaceInfo is {'fqdn': 'airgap.example.com', 'caCert': 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUYvakNDQSthZ0F3SUJBZ0lVYWRURUg4TytDQXdGYTFsaitQWWFFL2tNTFVjd0RRWUpLb1pJaHZjTkFRRU4KQlFBd1p6RUxNQWtHQTFVRUJoTUNWVk14RGpBTUJnTlZCQWdNQlhOMFlYUmxNUkV3RHdZRFZRUUhEQWhzYjJOaApkR2x2YmpFVk1CTUdBMVVFQ2d3TWIzSm5ZVzVwZW1GMGFXOXVNUkV3RHdZRFZRUUxEQWh6YjJaMGQyRnlaVEVMCk1Ba0dBMVVFQXd3Q1EwNHdIaGNOTWpRd01qSTVNRGt3T0RRM1doY05NelF3TWpJMk1Ea3dPRFEzV2pCM01Rc3cKQ1FZRFZRUUdFd0pWVXpFT01Bd0dBMVVFQ0F3RmMzUmhkR1V4RVRBUEJnTlZCQWNNQ0d4dlkyRjBhVzl1TVJVdwpFd1lEVlFRS0RBeHZjbWRoYm1sNllYUnBiMjR4RVRBUEJnTlZCQXNNQ0hOdlpuUjNZWEpsTVJzd0dRWURWUVFECkRCSmhhWEpuWVhBdVpYaGhiWEJzWlM1amIyMHdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQzZRV0ZHMXZocXJ5cG9hekdieGJRd1NIcjNkQ2JZSW9BTUoxdFJNTkw4L3YrVGozZ040Y2lYc044TwozYmRoV2tHTndBZXBucWZUSmZTN2g1Uy9Wa09yVU13VVdYbkd6eTVlYmJxbUVSQkpGOGRmb3NaQ09wOGZudmhOClJiS0xNb1RhTzRhN0MwQTRxc2g0ZlJDNHgyT25pM2VjeWRIUlNXN0ZoQytpdmxGM281MGVUTXZIbk5TbC9yaFAKSmpSdExaa3hXOVNQaGFlYjFXRUc1WGtkdXRVc2ZKelBCbUFwVzM4NXBkeGo5L1Y5ZytNR2N1dzE2UVVSaGVCZgpaa1J3Q1pBQkdiUTlLUDhrMm1tUXJwMEdXeElOeFdhb25SaE9idzc1QW1JeE8wMzlCVFgrdFZyTTBuSlcwblRiCmVURzc5OGFzZUd2bEFqM0lDZ0loak1WaXdIVkJjZFdLdHVUem1CeFhuNDdQQkcxc1pyY055TnpxN0hNM0UwYWcKdklKM1ZjYVBwdm1xelA4eXNvaUY2S0xGT0s0V0JzbVhwQUY1WXlqOXF5YWY3eDZDOXMvYkNvYzdLdEtwU0J2VQo0N0Jsejc3ME44ekxXZ3NSaGV4L203Z0QzTzk2blJ0ejhaUFNaOUU1VlVMUmRWSi8zOU9XcWJRcnBpN2taLzhQCmRwS0RONTF2dVhSeUN6SGxFRUg5NnpEeE51ellzTjlQL1BSVjR5QnJqN1h5UEh5bEM5amx6aGNYOERIZFZMb0EKbjV5VmQ4dnBjWEpOSnJnY3NWQXlMcVJyQkovTmdWRU5WZVFFeTg2NUZTS3ZvS3RZcjdwNE1yUFY4WmI1MVBqMQphczlxLzJkdytBYit6QTBMdUFEMGdaWi9aQTVvWlRuWWJDb2NKN3d0WmlrNExoYVl4d0lEQVFBQm80R1JNSUdPCk1COEdBMVVkSXdRWU1CYUFGTW40SmdqRnh1ZkFHZzh5Nkx6V0ZaMmxOVDFOTUFrR0ExVWRFd1FDTUFBd0N3WUQKVlIwUEJBUURBZ1R3TUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGQndNQk1COEdBMVVkRVFRWU1CYUNGSFJsYzNRdApZMlZ5ZEM1MmJYZGhjbVV1WTI5dE1CMEdBMVVkRGdRV0JCVDMxUG0xMHR0TmRMRTNHd21PNW1iMWpNU21IREFOCkJna3Foa2lHOXcwQkFRMEZBQU9DQWdFQXBGbTFJNTVobDYvWlQzcUl4Sz
hmaUx0WklyZFdkUFR6WWJ3TFFYYmUKMEJJSTlEcTd3eDc3ZXlaRHlsMXJFU1g1ZXRpMUNQRERKZFF0MHQwb3d2aTY2UUhCT21xUEkrOXBKU1EvSU1xNgp4a0FiRy9vdVZvTU9QUnR2QldBdUtXVTA2MUtPRXFRVVlnaFJVOGNGUEdRcE5xQ09nY1NwV1FYSkhqcHdiVlNPCkJDR25LNC84RWlqSklvcFdsSXVqNW1lUGZ2QmE3dmh6OUY1WmZpOXZBYUQvT3lHWENLdkN6Y1JSdEpyRHV5TWYKRkNmR0N0d1VwV1h1dDYwVnppUzRCeWs5OXp3RjBXNGJvcEd5UVNFQTI4dnlSaUFkbDNjWGFPOE9DdzVmSlljdwpJYmJ1WFVyN1U3Q3pEbVo1aXFkeVRSMWc4a0U3UzZNV1VuSjRNV2h3RGxRUGNYbE9XTFBSNGZySzNFN2gyWS9xCkhJb21UeWttRlUyQXpjQUdKWUNCTGxOWmtzSGZpU2FLYk9rQUtBOFR3S1dVd0l2aEZuYmN6VEVkVTM2VGZHTHUKUis2Zk1RMnRac1pBVUlMUlowUGdueC82ZVZWUjE2bnRjSm5FK04yVDZYcjZ1RWkrV3UvMW9pSHNxNy9ocWVDKwpkZ1dnTENPdHVISzVycHJqOXJpbzZCWFNHMTFBQXdGdmRKdzUwZVl4ak84eWdhQWhBR0JsRk5jWTcwTDE0OWx0Cm9XM1c4RnRaQVQ2MkppTzdqcHRjaDI5QkVBSXI0NEVhSXhHZXpqYTc0TkpCWE5rcGdJY2tkOThya211cUNQUkEKVnNwREUyR2plRk9UR0J0aHdYcS9nd1hXSXErWVM1alNNMXRrL1NkZWZTZnlFenRsK3VyVmNsY0ZWV2JyMUxTWQpJeDg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K'}
      update_ca[INFO]: Successfully update cert db
    3. Check the airgap certificate in the TCA-M UI and confirm that it shows the renewed certificate.
  2. Update Airgap Certificate for Management Cluster
    1. Download the renewed airgap cert tarball (update-ca-v3.1.tar.gz). Upload it to the TCA-CP appliance and unpack it as root.
      # scp update-ca-v3.1.tar.gz admin@<tca-cp-ip>:~
      # ssh admin@<tca-cp-ip>
      [admin@tca-cp ~]$ su
      Password:
      [root@tcacp /home/admin] ls
      update-ca-v3.1.tar.gz
      [root@tcacp /home/admin] tar vxfz update-ca-v3.1.tar.gz
    2. Run the update_ca.py update-mgmtcluster command to update the airgap-trusted root certificate of the specified management cluster.
      # python update_ca.py update-mgmtcluster --cafile CAFILE --name NAME
      The following output is an example:
      root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py update-mgmtcluster --cafile ca.cert --name mc
      update_ca[INFO]: Successfully get TkgContext
      update_ca[INFO]: airgap repo: airgap.example.com is valid
      update_ca[INFO]: Updated tkgcontext 34346d99-8f9f-41fb-b1b8-4359c6936f7e with response <Response [200]>
      update_ca[INFO]: Updated Managementcluster bc908440-d10c-4d6e-b1f4-cde771547785 with response <Response [200]>
      update_ca[INFO]: Updated management cluster <mc>
    3. Run the update_ca.py show-state-mgmtcluster command to show the status of the management cluster whose airgap certificate is being renewed. Repeat it until the status changes from Updating back to Running.
      # python update_ca.py show-state-mgmtcluster --name NAME
      The following output is an example:
      root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-mgmtcluster --name mc
      update_ca[INFO]: Successfully get Managementcluster status
      update_ca[INFO]: the management cluster <mc> status is Updating
      root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-mgmtcluster --name mc
      update_ca[INFO]: Successfully get Managementcluster status
      update_ca[INFO]: the management cluster <mc> status is Running
      Note:
      • If the Kubernetes version of the management cluster is v1.28.4, run the command to update the Airgap certificate of the management cluster. This triggers a rolling update of the control plane and node pool nodes.
      • If the Kubernetes version of the management cluster is v1.24.10, run the command anyway: it does not renew the Airgap certificate stored in the management cluster, but it is required before the management cluster can be deleted.
      • After running the command for a v1.24.10 management cluster, follow the Update Airgap Certificate for Workload Cluster section below, then see Workload Cluster Movement to learn how to move the workload clusters away from the v1.24.10 management cluster to a supported one. Once they are moved, you can delete the old (v1.24.10) management cluster.
  3. Update Airgap Certificate for Workload Cluster
    1. If the tarball is not already unpacked on the TCA-CP appliance from the previous section, download the renewed airgap cert tarball (update-ca-v3.1.tar.gz), upload it to the TCA-CP appliance, and unpack it as root.
      # scp update-ca-v3.1.tar.gz admin@<tca-cp-ip>:~
      # ssh admin@<tca-cp-ip>
      [admin@tca-cp ~]$ su
      Password:
      [root@tcacp /home/admin] ls
      update-ca-v3.1.tar.gz
      [root@tcacp /home/admin] tar vxfz update-ca-v3.1.tar.gz
    2. Run the update_ca.py update-workloadcluster command to update the airgap-trusted root certificate of the specified workload cluster.
      # python update_ca.py update-workloadcluster --mc MC --name NAME
      The following output is an example:
      root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py update-workloadcluster --mc mc --name wc
      update_ca[INFO]: Successfully get TkgContext
      update_ca[INFO]: Successfully get Managementcluster Kubeconfig
      update_ca[INFO]: workload cluster <wc> exists
      Warning: resource tcakubernetesclusters/wc is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
      update_ca[INFO]: Updated workload cluster <wc>
    3. Run the update_ca.py show-state-workloadcluster command to show the status of the workload cluster whose airgap certificate is being renewed. Repeat it until every status reported is Provisioned.
      # python update_ca.py show-state-workloadcluster --mc MC --name NAME
      The following output is an example:
      # For a Classy Standard workload cluster

      root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-workloadcluster --mc mc --name wc
      update_ca[INFO]: Successfully get Managementcluster Kubeconfig
      update_ca[INFO]: workload cluster <wc> exists
      update_ca[INFO]: the TcaKubernetesCluster status is Provisioned
      update_ca[INFO]: the TcaKubeControlPlane status is Provisioned
      update_ca[INFO]: the TcaNodePool status is Provisioned
      update_ca[INFO]: the workloadcluster status is Provisioned
      update_ca[INFO]: the script will check the legacy workloadcluster nodeprofilestatus
      update_ca[WARNING]: the workloadcluster <wc> isn't the legacy workloadcluster, so can't get its nodeprofilestatus

      # For a legacy workload cluster

      root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-workloadcluster --mc mc --name legacy-wc
      update_ca[INFO]: Successfully get Managementcluster Kubeconfig
      update_ca[INFO]: workload cluster <legacy-wc> exists
      update_ca[INFO]: the TcaKubernetesCluster status is Provisioned
      update_ca[INFO]: the TcaKubeControlPlane status is Provisioned
      update_ca[INFO]: the TcaNodePool status is Provisioned
      update_ca[INFO]: the workloadcluster status is Provisioned
      update_ca[INFO]: the script will check the legacy workloadcluster nodeprofilestatus
      update_ca[INFO]: the legacy workloadcluster <legacy-wc> nodeprofile status is Normal
      Note:
      • The control plane nodes of the workload cluster are rolling-updated to apply the new Airgap certificate.
      • For the Classy Standard Cluster type of workload cluster, the node pool nodes are also rolling-updated to apply the new Airgap certificate.
      Table 1. Support Matrix: Management Cluster

        Kubernetes Version      Supported (Yes/No)
        v1.28.4                 Yes
        v1.24.10                No

      Table 2. Support Matrix: Workload Cluster

        Cluster Type            Supported (Yes/No)
        Standard Cluster        Yes
        Classy Standard Cluster Yes
        Single Node Cluster     No
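As an added example (not part of update_ca.py or of the VMware documentation), the following Python script performs the two checks a practitioner wants around step 1 of the procedure: before running update-cert-db, that the file passed to --cafile is really a CA certificate (basicConstraints CA:TRUE), is currently valid, and is not itself close to expiry; and after running it, that the caCert value the tool prints in the interfaceInfo line (which, judging from the output above, is the base64 encoding of the whole PEM file) is byte-for-byte the certificate you uploaded. The minimal DER walker, the constructed unsigned sample certificate used to exercise the parser offline, and the helper names are assumptions of this example; only the log-line format is taken from the page.

```python
import ast
import base64
import datetime
import hashlib
import re

UTC = datetime.timezone.utc


def _der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed sample certificate."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos:], returning (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _asn1_time(tag, val):
    s = val.decode()
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots the two-digit year at 50
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem))


def cert_info(der):
    """Extract validity, the basicConstraints CA flag and the SHA-256 fingerprint of a DER cert."""
    tbs = _children(_children(_tlv(der)[1])[0][1])     # Certificate -> TBSCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0                   # skip [0] EXPLICIT version if present
    not_before, not_after = _children(tbs[i + 3][1])   # serial, sigalg, issuer, validity
    is_ca = False
    for tag, val in tbs[i + 4:]:
        if tag != 0xA3:                                 # [3] EXPLICIT extensions
            continue
        for _, ext in _children(_tlv(val)[1]):
            parts = _children(ext)                      # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] == b"\x55\x1d\x13":          # 2.5.29.19 basicConstraints
                bc = _children(_tlv(parts[-1][1])[1])   # BasicConstraints ::= SEQ { cA BOOLEAN DEFAULT FALSE, ... }
                is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return {"not_before": _asn1_time(*not_before), "not_after": _asn1_time(*not_after),
            "is_ca": is_ca, "sha256": hashlib.sha256(der).hexdigest()}


def check_cafile(pem, now_iso=None, min_days=30):
    """Pre-check for --cafile: must be a CA cert, currently valid, and not expiring within min_days."""
    info = cert_info(pem_to_der(pem))
    now = datetime.datetime.fromisoformat(now_iso).replace(tzinfo=UTC) if now_iso else datetime.datetime.now(UTC)
    problems = []
    if not info["is_ca"]:
        problems.append("not a CA certificate (basicConstraints CA:TRUE missing)")
    if now < info["not_before"]:
        problems.append("not yet valid")
    if info["not_after"] < now + datetime.timedelta(days=min_days):
        problems.append(f"expires {info['not_after']:%Y-%m-%d}")
    return info, problems


def cacert_from_log_line(line):
    """Pull the stored caCert value out of the 'the interfaceInfo is {...}' line printed by update_ca.py."""
    return ast.literal_eval(line.split("the interfaceInfo is ", 1)[1])["caCert"]


def db_cert_matches_file(db_cacert_b64, pem):
    """Post-check: the certificate now in the DB (base64 of PEM) has the same fingerprint as the file."""
    stored = base64.b64decode(db_cacert_b64).decode()
    return cert_info(pem_to_der(stored))["sha256"] == cert_info(pem_to_der(pem))["sha256"]


def db_value_for(pem):
    """Assumed DB encoding, matching the page's output: base64 of the whole PEM file."""
    return base64.b64encode(pem.encode()).decode()


def make_sample_cert(not_after_iso, is_ca=True):
    """Constructed sample: a structurally valid X.509 cert with a junk signature, for offline testing only."""
    seq = lambda *xs: _der(0x30, b"".join(xs))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    rsa_sha512 = seq(_der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0d"), _der(0x05, b""))
    name = seq(_der(0x31, seq(_der(0x06, b"\x55\x04\x03"), _der(0x0C, b"airgap-ca"))))  # CN=airgap-ca
    bc = seq(_der(0x01, b"\xff")) if is_ca else seq()
    exts = _der(0xA3, seq(seq(_der(0x06, b"\x55\x1d\x13"), _der(0x01, b"\xff"), _der(0x04, bc))))
    validity = seq(utc(datetime.datetime(2024, 2, 29, 9, 8, 47)),
                   utc(datetime.datetime.fromisoformat(not_after_iso)))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), rsa_sha512, name,
              validity, name, seq(rsa_sha512, _der(0x03, b"\x00" * 3)), exts)
    der = seq(tbs, rsa_sha512, _der(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

For a real renewal, read ca.cert into a string and call check_cafile on it before step 1, then paste the interfaceInfo line from the update-cert-db output into cacert_from_log_line and confirm db_cert_matches_file returns True. The script only inspects structure and fingerprints; it does not verify the signature chain, so it complements rather than replaces an openssl verify of the Airgap server's certificate against the new CA.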