Kubernetes Root CA Certificate Update for Distributed Cloud Orchestration

Warning

During the Kubernetes Root CA update, deployments, daemonsets, and statefulsets present in the cluster are rolling restarted. This impacts services provided by the application. It is highly recommended to schedule a Kubernetes Root CA update during planned maintenance windows.

You can use the dcmanager command to orchestrate the update of the Kubernetes Root CA certificate(s) for one or more subclouds in a Distributed Cloud Environment.

The Kubernetes Root CA update Distributed Cloud Orchestration commands for DCManager uses the keyword kube-rootca-update-strategy and provides the same five subcommands as the other orchestrations: create, delete, apply, abort, and show commands.

Note

The DCmanager kube-rootca-update-strategy abort command completes the current updating stage before aborting, to prevent hosts from being left in a state requiring manual intervention.

DCManager Kubernetes Root CA update orchestration considers a subcloud to be ‘out of sync’ that needs to be orchestrated based on the kube-rootca_sync_status field. This is updated based on the presence of alarms in the subcloud related to the Kubernetes Root CA certificate expiring soon (or expired) status.

  • Use the dcmanager subcloud show subcloud1 command to see synchronization details for a subcloud.

    ~(keystone_admin)]$ dcmanager subcloud show subcloud1
    
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    |id                           | 1                          |
    | name                        | subcloud1                  |
    | description                 | Ottawa Site                |
    | location                    | YOW                        |
    | software_version            | nn.nn                      |
    | management                  |  managed                   |
    | availability                | online                     |
    | deploy_status               | complete                   |
    | management_subnet           | 192.168.101.0/24           |
    | management_start_ip         | 192.168.101.2              |
    | management_end_ip           | 192.168.101.50             |
    | management_gateway_ip       | 192.168.101.1              |
    | systemcontroller_gateway_ip | 192.168.204.101            |
    | group_id                    | 1                          |
    | created_at                  | 2021-10-04 15:04:13.045076 |
    | updated_at                  | 2021-10-25 21:16:23.713858 |
    | dc-cert_sync_status         | in-sync                    |
    | firmware_sync_status        | in-sync                    |
    | identity_sync_status        | in-sync                    |
    | kubernetes_sync_status      | in-sync                    |
    | kube-rootca_sync_status     | in-sync                    |
    | load_sync_status            | not-available              |
    | patching_sync_status        | not-available              |
    | software_sync_status        | out-of-sync                |
    | platform_sync_status        | in-sync                    |
    +-----------------------------+----------------------------+
    
  • A user can pass help to see all the arguments for the strategy create command.

    ~(keystone_admin)]$ dcmanager help kube-rootca-update-strategy create
    usage: dcmanager kube-rootca-update-strategy create [-h]
    [-f \{json,shell,table,value,yaml}]
    [-c COLUMN]
    [--max-width <integer>]
    [--fit-width]
    [--print-empty]
    [--noindent]
    [--prefix PREFIX]
    [--subcloud-apply-type \{parallel,serial}]
    [--max-parallel-subclouds MAX_PARALLEL_SUBCLOUDS]
    [--stop-on-failure]
    [--group GROUP]
    [--subject SUBJECT]
    [--expiry-date EXPIRY_DATE]
    [--cert-file CERT_FILE]
    [cloud_name]
    
    Create a Kubernetes Root CA update strategy. This strategy supports
    expiry-date, subject and cert-file parameters.
    
    positional arguments:
    cloud_name Name of a single subcloud to update.
    
    optional arguments:
    -h, --help show this help message and exit
    --subcloud-apply-type {parallel,serial}
        Subcloud apply type (parallel or serial).
    --max-parallel-subclouds MAX_PARALLEL_SUBCLOUDS
        Maximum number of parallel subclouds.
    --stop-on-failure
        Do not update any additional subclouds after a failure.
    --group GROUP
        Name or ID of subcloud group to update.
    --subject 'C=CA ST=ON L=OTT O=WR OU=STX CN=OTHER'
        Only applicable if not specifying '--cert-file', this will be the subject for the auto-generated rootca certificate.
    --expiry-date YYYY-MM-DD
        Only applicable if not specifying '--cert-file', this will be the expiry date for the auto-generated rootca certificate; expected format is YYYY-MM-DD.
    --cert-file CERT_FILE
        Path to a certificate to upload.
    

Example

This is an example of how to orchestrate a new certificate for all subclouds, including those that are in-sync that will expire in one year.

  1. Create a Kubernetes Root CA update strategy.

    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy create --expiry-date YYYY-MM-DD
    
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | initial                    |
    | created_at                  | 2021-10-26T14:35:50.675988 |
    | updated_at                  | None                       |
    +-----------------------------+----------------------------+
    
  2. Verify that the strategy will orchestrate the subcloud(s).

    ~(keystone_admin)]$ dcmanager strategy-step list
    
    +-----------+--------+---------+---------+------------+-------------+
    | cloud     | stage  | state   | details | started_at | finished_at |
    +-----------+--------+---------+---------+------------+-------------+
    | subcloud1 | 1      | initial |         | None       | None        |
    +-----------+--------+---------+---------+------------+-------------+
    
  3. Apply the strategy.

    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy apply
    
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | applying                   |
    | created_at                  | 2021-10-26T14:36:30.327317 |
    | updated_at                  | 2021-10-26T14:37:36.865776 |
    +-----------------------------+----------------------------+
    
  4. You can view the status of the strategy using the following command.

    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy show
    
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | applying                   |
    | created_at                  | 2021-10-26 14:36:30.327317 |
    | updated_at                  | 2021-10-26 14:37:36.865776 |
    +-----------------------------+----------------------------+
    

    It is typically more useful to monitor the progress of the strategy as it runs in the subclouds.

    In example below, the DC strategy runs the VIM strategy in the subcloud.

    ~(keystone_admin)]$ dcmanager strategy-step list
    
    +-----------+-------+------------------------------------------+----------------------------+----------------------------+-------------+
    | cloud     | stage | state                                    | details                    | started_at                 | finished_at |
    +-----------+-------+------------------------------------------+----------------------------+----------------------------+-------------+
    | subcloud1 | 2     | applying vim kube rootca update strategy | apply phase is 0% complete | 2021-10-26 14:37:46.404736 | None        |
    +-----------+-------+------------------------------------------+----------------------------+----------------------------+-------------+
    
  5. Wait for the strategy to complete. If there are failures, the show command in the previous step indicates where the failure occurred.

  6. Only one type of DCManager strategy can exist at a time. Once completed, remember to delete it.

    ~(keystone_admin)]$ dcmanager kube-rootca-update-strategy delete
    
    +-----------------------------+----------------------------+
    | Field                       | Value                      |
    +-----------------------------+----------------------------+
    | strategy type               | kube-rootca-update         |
    | subcloud apply type         | None                       |
    | max parallel subclouds      | None                       |
    | stop on failure             | False                      |
    | state                       | deleting                   |
    | created_at                  | 2021-10-26T14:27:44.856345 |
    | updated_at                  | 2021-10-26T14:30:53.557978 |
    +-----------------------------+----------------------------+