If the root certificate of the Airgap Server is private, you must register the Airgap Server with that trusted root certificate in Partner System. When the root certificate expires (typically after 10 years), cluster features that depend on the airgap server stop working, because they pull images or packages from it. This section provides scripts that update an existing cluster with the renewed airgap-trusted root certificate so that those features recover.
Prerequisites
The airgap server has already been updated with the renewed airgap-trusted root CA certificate.
Procedure
- Update TCA-DB in TCA Manager Appliance
- Download the renewed airgap cert tarball here. Upload it to the TCA-M appliance and unpack the tarball as the root user.
# scp update-ca-v3.1.tar.gz admin@<tca-m-ip>:~
# ssh admin@<tca-m-ip>
[admin@tca-m ~]$ su
Password:
[root@tca-m /home/admin] ls
update-ca-v3.1.tar.gz
[root@tca-m /home/admin] tar vxfz update-ca-v3.1.tar.gz
- Run the update_ca.py update-cert-db command to update the airgap certificate in the TCA-M database.
# python update_ca.py update-cert-db --fqdn FQDN --cafile CAFILE
The following output is an example:
root@tca-m [ /home/admin/update-ca ]# python update_ca.py update-cert-db --fqdn airgap.example.com --cafile ca.cert
update_ca[INFO]: airgap repo: airgap.example.com is valid
update_ca[INFO]: ########## Quering airgap.example.com's id,val in Postgres ##########
update_ca[INFO]: ########## Updating airgap.example.com's val by id in Postgres ##########
update_ca[INFO]: the interfaceInfo is {'fqdn': 'airgap.example.com', 'caCert': '<base64-encoded PEM certificate omitted>'}
update_ca[INFO]: Successfully update cert db
- Check the airgap certificate in the UI.
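As an added check (example code, not part of the TCA tooling or of this page): the caCert value that update-cert-db prints is base64 of the whole PEM file, so it can be decoded, compared byte-for-byte with the renewed ca.cert, and its notAfter read with a minimal DER walk to confirm that the stored root is the renewed one rather than the expiring one. The function and variable names are the author's own; sample_pem builds a constructed, unsigned skeleton certificate only so that the check can be exercised offline.

```python
import base64
from datetime import datetime, timezone

def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM CERTIFICATE block to DER bytes."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))

def encode_for_db(pem: str) -> str:
    """interfaceInfo['caCert'] is base64 of the whole PEM file text (it begins LS0tLS1CRUdJTi...)."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")

def db_cacert_to_der(ca_cert_value: str) -> bytes:
    return pem_to_der(base64.b64decode(ca_cert_value).decode("ascii"))  # reverse of encode_for_db

def _tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = _tlv(der, 0)                     # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                   # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                              # optional explicit [0] version
        pos = end
    for _ in range(3):                           # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                   # validity SEQUENCE
    _, _, pos = _tlv(der, pos)                   # skip notBefore
    tag, start, end = _tlv(der, pos)             # notAfter: UTCTime 0x17 or GeneralizedTime 0x18
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def db_matches_file(ca_cert_value: str, pem_text: str) -> bool:
    """True when the certificate held in TCA-DB is byte-identical to the renewed ca.cert."""
    return db_cacert_to_der(ca_cert_value) == pem_to_der(pem_text)

def sample_pem(not_after_utc: bytes) -> str:     # constructed, unsigned test certificate, not a real CA
    der = lambda tag, body: bytes([tag, len(body)]) + body       # short-form DER TLV
    validity = der(0x30, der(0x17, b"240229090847Z") + der(0x17, not_after_utc))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") + der(0x30, b"") + validity + der(0x30, b""))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Against a real deployment, pass the caCert string copied from the update-cert-db output and the contents of the renewed ca.cert file; a mismatch or a notAfter in the past means the database still holds the old root.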
- Update Airgap Certificate for Management Cluster
- Download the renewed airgap cert tarball here. Upload it to the TCA-CP appliance and unpack the tarball as the root user.
# scp update-ca-v3.1.tar.gz admin@<tca-cp-ip>:~
# ssh admin@<tca-cp-ip>
[admin@tca-cp ~]$ su
Password:
[root@tcacp /home/admin] ls
update-ca-v3.1.tar.gz
[root@tcacp /home/admin] tar vxfz update-ca-v3.1.tar.gz
- Run the update_ca.py update-mgmtcluster command to update the airgap-trusted root certificate of the specified management cluster.
# python update_ca.py update-mgmtcluster --cafile CAFILE --name NAME
The following output is an example:
root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py update-mgmtcluster --cafile ca.cert --name mc
update_ca[INFO]: Successfully get TkgContext
update_ca[INFO]: airgap repo: airgap.example.com is valid
update_ca[INFO]: Updated tkgcontext 34346d99-8f9f-41fb-b1b8-4359c6936f7e with response <Response [200]>
update_ca[INFO]: Updated Managementcluster bc908440-d10c-4d6e-b1f4-cde771547785 with response <Response [200]>
update_ca[INFO]: Updated management cluster <mc>
- Run the update_ca.py show-state-mgmtcluster command to show the status of the airgap certificate renewal for the management cluster.
# python update_ca.py show-state-mgmtcluster --name NAME
The following output is an example:
root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-mgmtcluster --name mc
update_ca[INFO]: Successfully get Managementcluster status
update_ca[INFO]: the management cluster <mc> status is Updating
root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-mgmtcluster --name mc
update_ca[INFO]: Successfully get Managementcluster status
update_ca[INFO]: the management cluster <mc> status is Running
Note:
- If the Kubernetes version of the management cluster is v1.28.4 or higher, run the command to update the Airgap certificate of the management cluster. It triggers a rolling update of the control plane and node pool nodes.
- If the Kubernetes version of the management cluster is v1.24.10, run the command to update the Airgap certificate of the management cluster. It does not renew the Airgap certificate stored in the management cluster, but it is required before the management cluster can be deleted.
- After running the command for a v1.24.10 management cluster, follow the Update Airgap Certificate for Workload Cluster section below and Workload Cluster Movement to learn how to move workload clusters to the v1.24.10 management cluster. Once they are moved, you can delete the old management cluster.
- Update Airgap Certificate for Workload Cluster
- Download the renewed airgap cert tarball here. Upload it to the TCA-CP appliance and unpack the tarball as the root user.
# scp update-ca-v3.1.tar.gz admin@<tca-cp-ip>:~
# ssh admin@<tca-cp-ip>
[admin@tca-cp ~]$ su
Password:
[root@tcacp /home/admin] ls
update-ca-v3.1.tar.gz
[root@tcacp /home/admin] tar vxfz update-ca-v3.1.tar.gz
- Run the update_ca.py update-workloadcluster command to update the airgap-trusted root certificate of the specified workload cluster.
# python update_ca.py update-workloadcluster --mc MC --name NAME
The following output is an example:
root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py update-workloadcluster --mc mc --name wc
update_ca[INFO]: Successfully get TkgContext
update_ca[INFO]: Successfully get Managementcluster Kubeconfig
update_ca[INFO]: workload cluster <wc> exists
Warning: resource tcakubernetesclusters/wc is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
update_ca[INFO]: Updated workload cluster <wc>
- Run the update_ca.py show-state-workloadcluster command to show the status of the airgap certificate renewal for the workload cluster.
# python update_ca.py show-state-workloadcluster --mc MC --name NAME
The following output is an example:
# For classy standard workload cluster.
root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-workloadcluster --mc mc --name wc
update_ca[INFO]: Successfully get Managementcluster Kubeconfig
update_ca[INFO]: workload cluster <wc> exists
update_ca[INFO]: the TcaKubernetesCluster status is Provisioned
update_ca[INFO]: the TcaKubeControlPlane status is Provisioned
update_ca[INFO]: the TcaNodePool status is Provisioned
update_ca[INFO]: the workloadcluster status is Provisioned
update_ca[INFO]: the script will check the legacy workloadcluster nodeprofilestatus
update_ca[WARNING]: the workloadcluster <wc> isn't the legacy workloadcluster, so can't get its nodeprofilestatus
# For legacy workload cluster.
root@tcacp-prime [ /home/admin/update-ca ]# python update_ca.py show-state-workloadcluster --mc mc --name legacy-wc
update_ca[INFO]: Successfully get Managementcluster Kubeconfig
update_ca[INFO]: workload cluster <legacy-wc> exists
update_ca[INFO]: the TcaKubernetesCluster status is Provisioned
update_ca[INFO]: the TcaKubeControlPlane status is Provisioned
update_ca[INFO]: the TcaNodePool status is Provisioned
update_ca[INFO]: the workloadcluster status is Provisioned
update_ca[INFO]: the script will check the legacy workloadcluster nodeprofilestatus
update_ca[INFO]: the legacy workloadcluster <legacy-wc> nodeprofile status is Normal
Note:
- The control plane nodes of the workload cluster are rolling-updated to update the Airgap certificate.
- For the Classy Standard Cluster type of workload cluster, the node pool nodes are also rolling-updated to update the Airgap certificate.
Table 1. Support Matrix: Management Cluster

Kubernetes Version    Support (Yes/No)
v1.28.7               Yes
v1.24.10              No

Table 2. Support Matrix: Workload Cluster

Cluster Type              Support (Yes/No)
Standard Cluster          Yes
Classy Standard Cluster   Yes
Single Node Cluster       No