ca¶
The ca command allows you to make changes to the material of MKE Root CA servers. Specifically, you can automatically rotate the server material or replace it with your own certificate and private key.
Note
If there are unhealthy nodes in the cluster, CA rotation will be unable to complete. If rotation seems to be hanging, run docker node ls --format "{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}" to determine whether any nodes are down or are otherwise unable to rotate TLS certificates.
To run the ca command you must have a recent backup of your MKE instance.
The ca command must be be run on a manager node:
docker container run --rm -it \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
mirantis/ucp:3.x.y \
ca <command-options>
You can use the ca command with a provided root CA certificate and
key by bind-mounting these credentials to the CLI container at /ca/cert.pem
and /ca/key.pem, respectively.
Note
The MKE Cluster Root CA certificate must have
swarm-caas its common name.The MKE Client Root CA certificate must have
UCP Client Root CAas its common name.The certificate must be a self-signed root certificate, and intermediate certificates are not allowed.
The certificate and key must be in PEM format without a passphrase.
The MKE etcd Root CA certificate must have
MKE etcd Root CAas its common name.
docker container run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /path/to/cert.pem:/ca/cert.pem \
-v /path/to/key.pem:/ca/key.pem \
mirantis/ucp:3.x.y \
ca <command-options>
Options¶
Option |
Description |
|---|---|
|
Enables debug mode. |
|
Produces JSON-formatted output for easier parsing. |
|
Manipulates MKE Cluster Root CA. |
|
Manipulates MKE Client Root CA. |
|
Generates a new root CA certificate and key automatically. Default: |
|
Forces the CA change to occur even if the system does not have a recent backup. Default: |
|
Manipulates MKE etcd Root CA. |