How do I update the Kubernetes registry TLS certificate?
Purpose
CAUTION: Potential Service Disruption
Performing the procedure restarts the containerd service, which is temporarily service-affecting.
Ensure that you perform the procedure only during a scheduled maintenance window under the guidance of technical support.
Under normal operating conditions, the NSP Kubernetes registry certificate renews automatically, and no manual action is required. However, if the certificate is corrupt or the auto-renewal fails, or as a regular security exercise, you can use the following steps to update the certificate manually.
Note: You require root user privileges on the NSP deployer host.
Note: release-ID in a file path has the following format:
R.r.p-rel.version
where
R.r.p is the NSP release, in the form MAJOR.minor.patch
version is a numeric value
Steps
1. Log in as the root or NSP admin user on the NSP deployer host.
2. Open a console window.
3. Enter the following:
    # cd /opt/nsp/nsp-registry-release-ID/bin ↵
4. Enter the following to update the certificate:
    # ./nspregistryctl update -c ↵
   The NSP container registry certificate is updated.
5. Enter the following:
    # cd /opt/nsp/nsp-k8s-deployer-release-ID/bin ↵
6. Enter the following to update the certificate on each NSP cluster member:
    # ./nspk8sctl update -r ↵
   The update is performed, and the containerd service restarts.
7. Log in as the root or NSP admin user on the NSP cluster host.
8. Open a console window.
9. Enter the following to ensure that all system pods are running after the certificate update:
    # kubectl get pods -A ↵
   The status of each pod is listed; the NSP cluster is operational when each pod STATUS value is Running or Completed.
10. If the cluster fails to become operational after the typical initialization period, record the cluster status and contact technical support.
11. When the cluster is operational, close the console window.

End of steps
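
The check in step 9 can be scripted so that only the pods that are not yet Running or Completed are listed. The following is an added example, not part of the vendor procedure or tooling; the function name `pods_not_operational` and the sample pod names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): list pods that are not yet operational.
# Reads the text output of `kubectl get pods -A` on stdin.
# Exit status: 0 = every pod is Running or Completed, 1 = at least one pod
# is in another state, 2 = no STATUS column found in the input.
pods_not_operational() {
  awk '
    NR == 1 {
      # Find the STATUS column from the header rather than assuming position.
      for (i = 1; i <= NF; i++) if ($i == "STATUS") col = i
      if (!col) exit 2
      next
    }
    NF == 0 { next }                       # skip blank lines
    $col != "Running" && $col != "Completed" {
      print $1 "/" $2, $col                # namespace/pod and its status
      bad = 1
    }
    END {
      if (!col) exit 2
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed sample output; namespaces and pod names are placeholders.
SAMPLE_OUTPUT='NAMESPACE     NAME                     READY   STATUS              RESTARTS   AGE
kube-system   coredns-example-1        1/1     Running             0          12d
kube-system   example-init-job-abcde   0/1     Completed           0          12d
default       example-app-0            0/1     ImagePullBackOff    0          3m
default       example-app-1            0/1     ContainerCreating   0          1m'

# Demo on the sample. On a cluster host, run instead:
#   kubectl get pods -A | pods_not_operational
printf '%s\n' "$SAMPLE_OUTPUT" | pods_not_operational || true
```

A pod that stays in ImagePullBackOff or ErrImagePull is failing to pull its image, so include that line in the cluster status you record for technical support in step 10.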