How do I update the K3s certificate for an NSP deployer host VM?

Purpose

Under normal operating conditions, the NSP deployer host TLS certificate renews automatically, and no manual action is required. However, if the certificate is corrupt or the auto-renewal fails, or if you update the certificate as a regular security exercise, you can use the following steps to update the certificate manually.

Note: You require root user privileges on the NSP deployer host.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

Log in as the root user on the NSP deployer host.


Open a console window.


Enter the following:

cd /opt/nsp/nsp-registry-release-ID/bin ↵


Enter the following to update the certificate:

./nspregistryctl update --k3s-cert ↵

The NSP updates the certificate and creates a new renewal schedule based on the current time.


Enter the following to ensure that all pods are running after the certificate update:

Note: The NSP deployer log file is /var/log/nspdeployerctl.log.

kubectl get pods -A ↵

The status of each pod is listed; the NSP cluster is operational when each pod STATUS value is Running or Completed.


If the cluster fails to become operational after the typical initialization period, record the cluster status and contact technical support.


When the cluster is operational, close the console window.

End of steps
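
The pod check in the final steps can be scripted so that a pod left in a failed state after the certificate update is not missed in a long listing. The following is an added example, not part of the NSP tooling or the original procedure; the function names pods_not_ready and sample_output are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not vendor tooling): report pods that are not operational.
# Input: `kubectl get pods -A` output on stdin.
# Exit status: 0 = every pod is Running or Completed, 1 = at least one is not,
#              2 = no pod rows at all (for example, kubectl could not reach the API server).

pods_not_ready() {
    awk '
        NR == 1 {
            # Find the STATUS column by header name, not by fixed position.
            for (i = 1; i <= NF; i++) if ($i == "STATUS") col = i
            next
        }
        !col || NF < col { next }          # skip blank or malformed rows
        { seen++ }
        $col != "Running" && $col != "Completed" {
            print $1 "/" $2, $col          # namespace/pod and its status
            bad++
        }
        END {
            if (!col || !seen) exit 2      # an empty listing proves nothing
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample output; namespaces and pod names are illustrative only.
sample_output() {
    cat <<'EOF'
NAMESPACE     NAME                     READY   STATUS             RESTARTS     AGE
kube-system   coredns-example-1        1/1     Running            0            3d
kube-system   helm-install-example-2   0/1     Completed          0            3d
example-ns    example-app-0            0/1     CrashLoopBackOff   7 (2m ago)   15m
example-ns    example-db-0             0/1     Init:0/1           0            15m
EOF
}

# Demonstration on the constructed sample (runs offline).
rc=0
sample_output | pods_not_ready || rc=$?
echo "exit status: $rc"
```

On the NSP deployer host, pipe the live listing into the function instead: kubectl get pods -A | pods_not_ready. An exit status of 2 means the listing was empty, which is treated as unverified rather than as a healthy cluster.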