AWS-RDS-certificate-update--Helm-Fedramp-simulation-ENV_688983269
Columns: Task | Product / sub-task | Steps | Reference | Duration | Downtime
Values in angle brackets (<...>) are placeholders to be replaced with the values of the environment being updated.

Task: Prepare: certificate file preparation
Product / sub-task: download the new AWS RDS certificate bundle (PEM file)
Steps:
  Download the new AWS RDS certificate bundle for the AWS region of the RDS instances, from the AWS list of certificate bundles for specific AWS Regions. For us-gov-west-1, download the us-gov-west-1 bundle (referred to below as us-gov-west-1-bundle.pem). Upload the bundle to the bastion.
  The regional bundle contains the current CA (rds-ca-2019) as well as the new CAs, which is why the application trust stores are updated first, with no downtime, and the RDS instances are switched to the new CA last.
Reference: -
Duration: -, downtime: -

Task: Prepare: update the certificate configuration on the application side
Product: OMT
Steps:
  1. Acquire the database info before running the script. The DB user, DB name and PASSWORD_KEY values come from the default database configmap:
       kubectl get cm default-database-configmap -n $CDF_NAMESPACE -o yaml
     The result looks like:
       DEFAULT_DB_CDFIDM_PASSWORD_KEY: defaultdb_cdfidm_user_password
       DEFAULT_DB_CDFIDM_USERNAME: cdfidm
       DEFAULT_DB_HOST: xxxxxyyyyy.us-west-2.rds.amazonaws.com
       DEFAULT_DB_NAME: itom-cdf-idm
  2. Get the cdfidm DB password from the idm container, passing the PASSWORD_KEY value recorded in step 1:
       kubectl get pod -n $CDF_NAMESPACE | grep "itom-idm" | head -1 | awk '{print $1}'
       kubectl exec -it <IDM_POD> -n $CDF_NAMESPACE -c idm -- get_secret <PASSWORD_KEY>
     For example:
       kubectl exec -it $(kubectl get pod -n $CDF_NAMESPACE | grep "itom-idm" | head -1 | awk '{print $1}') -n $CDF_NAMESPACE -c idm -- get_secret defaultdb_cdfidm_user_password
  Note: record the DB host, DB name, user and password; they are the parameters of the execute step. get_secret prints the password in clear text, so do not paste it into the change ticket or this page.
Reference: https://docs.microfocus.com/doc/SMAX/24.2/ModifyExternalDBConfig
Duration: -, downtime: -

Product: SMAX & HCMX
Steps:
  NOTE: the yaml file in which the PEM content has been replaced with the new bundle is the one used in the RDS certificate replacement.
  Reference: https://staging.docs.microfocus.com/doc/SMAX/Main/ChangeCertForPostgreSQL
Reference: https://docs.microfocus.com/doc/SMAX/24.2/ModifyExternalDBConfig
Duration: -, downtime: -

Product: CMS
Steps:
  1. Export the current release values:
       helm get values <RELEASE> -n <NAMESPACE> > values.yaml
  2. Replace the content of caCertificates.postgresql.crt in values.yaml with the content of the AWS RDS certificate bundle downloaded in the step above. Note: every line of the certificate content in values.yaml must be indented by four spaces.
Reference: -
Duration: -, downtime: -

Product: Audit
Steps: -
Reference: -
Duration: -, downtime: -

Task: Execute the certificate update on the application side
  Note: the applications have no dependency on each other; their updates can be run in any order or in parallel.
Product: OMT
Steps:
  Navigate to the $CDF_HOME/bin directory and run the updateExternalDbInfo.sh script with the values recorded in the prepare step (-d is the DEFAULT_DB_NAME of the configmap; the example values here are illustrative):
    ./updateExternalDbInfo.sh -H <DB_HOST> -p <DB_PORT> -d <DB_NAME> -u <DB_USER> --dbpassword <DB_PASSWORD> --component itom-idm --cacert <CA_BUNDLE_PATH>
  For example:
    ./updateExternalDbInfo.sh -H xxxxyyyy.us-west-2.rds.amazonaws.com -p 5432 -d cdfidmdb -u cdfidm --dbpassword <DB_PASSWORD> --component itom-idm --cacert /home/ssm-user/us-gov-west-1-bundle.pem
  Reference: https://docs.microfocus.com/doc/OMT/24.2/ModifyExternalDatabaseConfiguration
Duration: 1 min, downtime: 0

Product: SMAX & HCMX
Steps: -
Duration: 4 mins, downtime: 0

Product: CMS
Steps:
  NOTE: this may be done in parallel with the SMAX restart.
Duration: 1 min, downtime: 0

Product: Audit
Steps:
    $CDF_HOME/bin/cdfctl runlevel set -l DOWN -n <AUDIT_NAMESPACE>
  NOTE: this may be done in parallel with the SMAX restart.
Duration: 1 min, downtime: 0

Task: Restart pods (alternative)
Steps:
  Alternatively, run the helm upgrade for all products in parallel without restarting, then restart all products whose RDS certificates were changed in one go. For example:
    $CDF_HOME/bin/cdfctl runlevel set -l DOWN -n <NAMESPACE_1>,<NAMESPACE_2>,<NAMESPACE_3>
  then set the runlevel of the same namespaces back to UP (-l UP) and monitor the restart.
Duration: 14 mins, downtime: 14 mins

Product / sub-task: monitor the restart until all pods are started
Steps:
    kubectl get pod -n <ESM_NAMESPACE> | grep -v 1/1 | grep -v 2/2 | grep -v 3/3 | grep -v 4/4 | grep -v Completed
  Any line other than the column header means the restart is not finished. Note that this filter hides lines whose READY counts match up to 4/4 regardless of STATUS: a pod with more than four containers is always listed, and a fully-ready pod that is still Terminating is not.

Task: Update the certificates of the AWS RDS DB instances
Product / sub-task: update the certificate on each AWS RDS DB instance
Steps:
  1. Log in to the AWS console and go to the RDS instances whose certificates are to be updated.
  2. Select the RDS instance and click Modify.
  3. Change the Certificate authority. If the current CA is rds-ca-2019, it is recommended to select rds-ca-rsa4096-g1 as the new value.
  4. Save the change and choose to apply it immediately.
  5. Repeat the steps for all RDS instances.
  Check after each instance: the applications must still connect, which they only do if the bundle installed on the application side above contains the CA selected here.
Duration: 2 mins, downtime: 0
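Added example, not part of this page or of the OMT, SMAX, CMS or Audit products: a shell check a practitioner would run on the bastion between downloading the bundle (prepare step) and pasting it into the CMS values.yaml. pem_check validates only the PEM framing (complete BEGIN/END blocks, base64 bodies, no foreign text such as a saved HTML error page), since no certificate parser is assumed; pem_indent produces the four-space-indented copy for caCertificates.postgresql.crt. The sample bundle is constructed from dummy blocks and is not real AWS certificate data.

```shell
# Constructed sample bundle: two dummy PEM blocks standing in for the old and
# new CA certificates of a regional bundle (not real AWS certificates).
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
MIIBdummyOldCAbody+/=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBdummyNewCAbody
-----END CERTIFICATE-----'

# pem_check: reads a PEM bundle on stdin and prints the number of complete
# BEGIN/END CERTIFICATE blocks. Exits 1 on a truncated block, a non-base64
# body line, text outside any block, or an empty bundle. CRLF is tolerated.
pem_check() {
  awk '
    { sub(/\r$/, "") }
    /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; next }
    /^-----END CERTIFICATE-----$/   { if (!inblk) bad = 1; inblk = 0; n++; next }
    inblk                           { if ($0 !~ "^[A-Za-z0-9+/=]+$") bad = 1; next }
    /^[[:space:]]*$/                { next }
    { bad = 1 }
    END { if (inblk || bad || n == 0) exit 1; print n + 0 }
  '
}

# pem_indent N: reads the bundle on stdin and prefixes every line with N
# spaces, the form pasted under caCertificates.postgresql.crt in values.yaml.
pem_indent() {
  awk -v n="$1" '
    BEGIN { for (i = 0; i < n; i++) pad = pad " " }
    { sub(/\r$/, ""); print pad $0 }
  '
}

# Typical use on the bastion (path from the execute step of this page):
#   bundle=/home/ssm-user/us-gov-west-1-bundle.pem
#   pem_check < "$bundle" || { echo "not a clean PEM bundle" >&2; exit 1; }
#   pem_indent 4 < "$bundle" > bundle.indented
```

A regional bundle carries several CAs, so a count of 1 is itself a warning sign that the download was the wrong file; the exact number depends on the region and should be compared against the AWS page the bundle came from.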
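Added example for the monitoring step, not the page's own command: a readiness filter that replaces the grep -v 1/1 ... grep -v 4/4 chain by comparing the two sides of the READY column, so it is correct for any container count and also reports a fully-ready pod that is Terminating or otherwise not Running. The kubectl output below is constructed sample data; wait_for_pods is for live use against a cluster and is not exercised offline.

```shell
# Constructed sample of `kubectl get pod -n <namespace>` output.
SAMPLE_PODS='NAME                      READY   STATUS        RESTARTS   AGE
itom-idm-7c9d-abcde       2/2     Running       0          6m
itom-cms-5f6a-fghij       4/5     Running       1          6m
itom-audit-job-1-klmno    0/1     Completed     0          6m
itom-smax-db-0            0/1     Pending       0          6m
itom-pg-backup-pqrst      2/2     Terminating   0          6m
itom-cdf-apiserver-uvwxy  3/3     Running       0          6m'

# not_ready_pods: reads `kubectl get pod` output on stdin and prints the name
# of every pod that is not both fully ready and Running. Completed job pods
# are skipped. Output is empty when the restart has finished.
not_ready_pods() {
  awk '
    NR == 1 { next }                      # column header
    $3 == "Completed" { next }            # finished job pods are fine
    {
      split($2, r, "/")
      if (r[1] != r[2] || $3 != "Running") print $1
    }
  '
}

# wait_for_pods NAMESPACE [TIMEOUT_SECONDS]: poll a live cluster until
# not_ready_pods prints nothing; on timeout, list the stragglers and fail.
wait_for_pods() {
  ns=$1
  timeout=${2:-900}
  start=$(date +%s)
  while :; do
    pending=$(kubectl get pod -n "$ns" | not_ready_pods)
    [ -z "$pending" ] && return 0
    if [ $(( $(date +%s) - start )) -ge "$timeout" ]; then
      printf 'timed out; pods not ready in %s:\n%s\n' "$ns" "$pending" >&2
      return 1
    fi
    sleep 10
  done
}
```

On the sample data the filter reports the 4/5 pod, the Pending pod and the Terminating pod; the grep chain on this page would have hidden the Terminating one because its READY column reads 2/2.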





