ca
Important
You must have access to a recent backup of your MKE instance to run the ca command.
With the ca command you can change the key material of the MKE root CAs. Specifically, you can have MKE rotate a root CA certificate and key automatically, or you can replace them with a certificate and private key that you supply.
The ca command must be run on a manager node:
docker container run --rm -it \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
mirantis/ucp:3.x.y \
ca <command-options>
You can use the ca command with a Root CA certificate and key that you provide by bind-mounting them into the CLI container at /ca/cert.pem and /ca/key.pem, respectively:
docker container run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /path/to/cert.pem:/ca/cert.pem \
-v /path/to/key.pem:/ca/key.pem \
mirantis/ucp:3.x.y \
ca <command-options>
The requirements for a provided certificate and key are:
- The MKE Cluster Root CA certificate must have swarm-ca as its common name.
- The MKE Client Root CA certificate must have UCP Client Root CA as its common name.
- The MKE etcd Root CA certificate must have MKE etcd Root CA as its common name.
- The certificate must be a self-signed root certificate; intermediate certificates are not allowed.
- The certificate and key must be in PEM format without a passphrase.
Finally, to apply the certificates, you must reboot the manager nodes one at a time, making sure to reboot the leader node last.
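The following shell script is an added example, not part of the MKE documentation or its tooling. It generates a self-signed root CA that meets the requirements listed above and checks any certificate/key pair against them (expected common name, self-signed with issuer equal to subject, PEM, key without a passphrase, key matching the certificate) before you bind-mount the pair into the ca command. The function names make_root_ca and check_root_ca, the file names and the use of openssl (1.1.1 or 3.x on PATH) are this example's own assumptions.

```shell
# Added example (not part of the MKE documentation or tooling): generate a
# self-signed root CA that satisfies the requirements above, and verify any
# cert/key pair against them before bind-mounting it into the ca command.
# Assumes openssl 1.1.1 or 3.x on PATH; function and file names are illustrative.

# make_root_ca <common-name> <cert.pem> <key.pem>
# Writes an unencrypted PEM private key and a self-signed root certificate
# whose CN is <common-name> (swarm-ca, "UCP Client Root CA" or "MKE etcd Root CA").
make_root_ca() {
    cn="$1"; cert="$2"; key="$3"
    cfg="$(mktemp)"
    # Private config so the result does not depend on the host's openssl.cnf.
    # CA:TRUE marks it as a CA; the page's stated requirements are checked below.
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes: no passphrase on the key. 2048 bits keeps this quick; a root that
    # lives ten years would reasonably use 4096.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cfg" -keyout "$key" -out "$cert" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return "$rc"
}

# check_root_ca <expected-common-name> <cert.pem> <key.pem>
# Returns 0 only if the pair meets the requirements listed above: a PEM
# certificate with the expected CN that is self-signed (issuer equals subject
# and it validates against itself, so an intermediate is rejected), plus an
# unencrypted PEM private key whose public key matches the certificate.
check_root_ca() {
    want="$1"; cert="$2"; key="$3"
    if ! subj="$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null)"; then
        echo "FAIL: $cert is not a PEM X.509 certificate"; return 1
    fi
    subj="$(printf '%s\n' "$subj" | sed 's/^subject= *//')"
    iss="$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')"
    cn="$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
    if [ "$cn" != "$want" ]; then
        echo "FAIL: CN is '$cn', expected '$want'"; return 1
    fi
    if [ "$subj" != "$iss" ]; then
        echo "FAIL: issuer '$iss' differs from subject: not a self-signed root"; return 1
    fi
    if ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not validate against itself"; return 1
    fi
    # Both PKCS#8 ("ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED") markers.
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: private key is passphrase-protected"; return 1
    fi
    # Empty -passin avoids an interactive prompt if the key is encrypted anyway.
    if ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
        echo "FAIL: $key is not an unencrypted PEM private key"; return 1
    fi
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: private key does not match the certificate"; return 1
    fi
    echo "OK: $cert and $key satisfy the '$want' root CA requirements"
}
```

Typical use: make_root_ca swarm-ca cluster-ca.pem cluster-ca.key && check_root_ca swarm-ca cluster-ca.pem cluster-ca.key, then bind-mount the two files to /ca/cert.pem and /ca/key.pem as in the command above, with the option that selects the CA you are replacing. Run the check against any pair you obtained elsewhere too; a chained (intermediate) certificate fails the issuer-equals-subject test.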
Note
If any node in the cluster is unhealthy, CA rotation cannot complete. If the rotation hangs, run the following command to see which nodes are down or are otherwise unable to rotate their TLS certificates:
docker node ls --format "{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}"
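As an added example (not MKE tooling), the function below reads the output of the docker node ls command above and lists the nodes that can hold up a rotation: any node whose Status is not Ready, or whose TLSStatus is not Ready. The function name nodes_blocking_rotation and the sample output are this example's own; the sample lines are constructed, not captured from a real cluster.

```shell
# Added example (not MKE tooling): given the output of the docker node ls
# command above on stdin, print every node that can block CA rotation, i.e.
# whose Status is not Ready or whose TLSStatus is not Ready, and exit 1 if any.
# TLSStatus can be multi-word ("Needs Rotation"), so fields 4..NF are rejoined.
nodes_blocking_rotation() {
    awk '
        NF >= 4 {
            tls = $4
            for (i = 5; i <= NF; i++) tls = tls " " $i
            if ($3 != "Ready" || tls != "Ready") {
                printf "%s %s status=%s tls=%s\n", $1, $2, $3, tls
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample output (not from a real cluster) for a stand-alone run:
SAMPLE_NODE_LS='aaaa1111 manager-1 Ready Ready
bbbb2222 manager-2 Down Unknown
cccc3333 worker-1 Ready Needs Rotation
dddd4444 worker-2 Ready Ready'

# Against a live cluster, on a manager node:
#   docker node ls --format "{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}" | nodes_blocking_rotation
```

A non-zero exit means at least one node needs attention (bring it back, or remove it from the swarm) before the rotation can finish.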
Options
Option | Description
---|---
--debug, -D | Enables debug mode.
--jsonlog | Produces JSON-formatted output for easier parsing.
--cluster-ca | Manipulates the MKE Cluster Root CA.
--client-ca | Manipulates the MKE Client Root CA.
--rotate | Generates a new root CA certificate and key automatically. Default: false.
--force | Forces the CA change to occur even if the system does not have a recent backup. Default: false.
--etcd-ca | Manipulates the MKE etcd Root CA.