Updating Git CA Certificate

A Git CA certificate is used to verify the authenticity of SSL/TLS connections when interacting with remote Git repositories over HTTPS. Update the Git CA certificate regularly so that Git can continue to validate the identity of the server and communication remains secure.

To update the Git CA certificate, perform the following tasks:

  1. Go to the certs directory in the SCM instance:
    docker exec -it cloudmanager bash
    cd /home/opc/certs
  2. Copy the certificate (new rootCA.crt file) to the certs directory.
  3. Copy the certificate to the /etc/pki/ca-trust/source/anchors directory:
    sudo cp rootCA.crt /etc/pki/ca-trust/source/anchors/
  4. Add the certificate to the trusted certificates:
    sudo /bin/update-ca-trust
  5. Delete the secret flux-system:
    source /home/opc/siebel/<env_id>/k8sprofile 
    kubectl -n <namespace> delete secret flux-system
  6. Set the GIT_PASSWORD environment variable:
    export GIT_PASSWORD=<git_accesstoken>
  7. Execute the flux bootstrap with the certificate:
    flux.sh bootstrap git --components-extra=image-reflector-controller,image-automation-controller --url=https://<GIT_HOSTNAME>/<GIT_USER>/<Cloud manager repository> --namespace=<NAMESPACE> --branch=master --path='flux-crm/clusters/staging' --log-level debug --watch-all-namespaces=false --image-pull-secret ocirsecret --registry <CONTAINER_REGISTRY_URL>/fluxcd --username=<GIT_USER> --silent --token-auth --ca-file=<GIT_SELFSIGNED_CACERT_PATH>
  8. Verify the health of the components in the flux bootstrap response.
  9. Update the certificate in the Git repositories:
    1. Update in the SCM repository as follows:
      cd /home/opc/siebel/<env_id>/<Cloud manager repository name>
      git config --local http.sslCAInfo <CA Certificate Path>
    2. Update in the Helm charts repository as follows:
      cd /home/opc/siebel/<env_id>/<Helm chart repository name>
      git config --local http.sslCAInfo <CA Certificate Path>
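
The checks below are an added example, not part of the original procedure or of the product's own tooling: check_ca_cert vets the new rootCA.crt before it is copied into the trust anchors (step 3), and check_repo_ca confirms after step 9 that a repository's http.sslCAInfo points at that same certificate. The function names and the 30-day expiry threshold are assumptions, and http.sslCAInfo is assumed to hold an absolute path.

```sh
# Added example: pre- and post-checks for the CA certificate update.
# Requires openssl and git on the PATH.
#   check_ca_cert /home/opc/certs/rootCA.crt
#   check_repo_ca <repository directory> /home/opc/certs/rootCA.crt

# cert_fp FILE: print the SHA-256 fingerprint of a PEM certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# check_ca_cert FILE [MIN_DAYS]: run before step 3.
# Succeeds only if FILE parses as X.509, is marked CA:TRUE, and stays valid
# for MIN_DAYS more days (the default of 30 is an assumed threshold).
check_ca_cert() {
    cc_cert=$1
    cc_days=${2:-30}
    cert_fp "$cc_cert" >/dev/null \
        || { echo "$cc_cert: not a readable PEM certificate" >&2; return 1; }
    openssl x509 -in "$cc_cert" -noout -text | grep 'CA:TRUE' >/dev/null \
        || { echo "$cc_cert: basicConstraints is not CA:TRUE" >&2; return 1; }
    openssl x509 -in "$cc_cert" -noout -checkend $((cc_days * 86400)) >/dev/null \
        || { echo "$cc_cert: expires within $cc_days days" >&2; return 1; }
    # Show what is about to be trusted so it can be compared with the
    # fingerprint published by the CA owner.
    openssl x509 -in "$cc_cert" -noout -subject -enddate -fingerprint -sha256
}

# check_repo_ca REPO_DIR FILE: run after step 9 for each repository.
# Succeeds only if the repository's local http.sslCAInfo names a certificate
# with the same fingerprint as FILE, so a stale or mistyped path is caught.
check_repo_ca() {
    cr_path=$(git -C "$1" config --local --get http.sslCAInfo) \
        || { echo "$1: http.sslCAInfo is not set" >&2; return 1; }
    cr_want=$(cert_fp "$2")
    [ -n "$cr_want" ] && [ "$(cert_fp "$cr_path")" = "$cr_want" ] \
        || { echo "$1: http.sslCAInfo does not match $2" >&2; return 1; }
    echo "$1: http.sslCAInfo -> $cr_path (matches)"
}
```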