Updating the Certificate Authority Bundle

The Certificate Authority (CA) bundle for Private Cloud Appliance is downloaded and made available to a cluster when the cluster is created. The CA bundle includes the certificate, private and public keys, and other authorization information.

The CA bundle is automatically updated when regular certificate rotation occurs or when the Private Cloud Appliance is upgraded.

When the CA bundle is updated on the appliance, it must also be updated on the local system that you use to manage the OKE service. For example, the OCI CLI and the Compute Enclave API require the CA bundle; you replace the CA bundle in your ~/.oci configuration so that you can run OCI CLI commands, as described in Obtaining the Certificate Authority Bundle. For clusters, the CA bundle update is automated.

A process runs every hour to check the validity of the CA bundle in OKE clusters and updates the CA bundle if it has been updated on the appliance.

If you need to update the CA bundle between these hourly checks, you can run the process manually:

  1. Log on to the management node of the Private Cloud Appliance as a system administrator with root privilege.

  2. Get the name of an OKE pod.

     The following command lists the OKE pods in the oke namespace:

     # kubectl get pod -n oke -l app=oke

  3. Run the command to update the CA bundle.

     Use one of the oke-uniqueID pod names from the preceding step.

     # kubectl exec -it oke-6c4d85d6f-72fxs -n oke -c oke -- /usr/bin/pca-oke-cluster-tool
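The three steps above can be combined into one script so that the pod name does not have to be copied by hand and the tool is only run in a pod that is actually in the Running state. The script below is an added example, not part of the Oracle documentation or the appliance tooling. It assumes kubectl is available on the management node's PATH, that the pods carry the label app=oke in the oke namespace and that the update tool is /usr/bin/pca-oke-cluster-tool in the oke container, exactly as the steps above show; the sample pod listing embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example: run the manual OKE CA-bundle update against the first
# Running oke pod. Not part of the Private Cloud Appliance documentation.

# Select the first pod whose name starts with "oke-" and whose STATUS column
# is "Running" from the output of `kubectl get pod -n oke -l app=oke`.
# Reads the listing on stdin; prints one pod name or nothing.
select_running_oke_pod() {
    awk 'NR > 1 && $1 ~ /^oke-/ && $3 == "Running" { print $1; exit }'
}

# Run the CA-bundle update tool in the given pod (step 3 of the procedure).
# With DRY_RUN=1 the kubectl command is printed instead of executed.
run_ca_bundle_update() {
    pod="$1"
    if [ -z "$pod" ]; then
        echo "no Running oke pod found; check 'kubectl get pod -n oke -l app=oke'" >&2
        return 1
    fi
    cmd="kubectl exec -it $pod -n oke -c oke -- /usr/bin/pca-oke-cluster-tool"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
        return 0
    fi
    kubectl exec -it "$pod" -n oke -c oke -- /usr/bin/pca-oke-cluster-tool
}

# Constructed sample of `kubectl get pod` output, used only for the demo
# below; the second pod name is made up to show a non-Running pod being skipped.
SAMPLE_POD_LISTING='NAME                  READY   STATUS    RESTARTS   AGE
oke-6c4d85d6f-abcde   0/1     Pending   0          1m
oke-6c4d85d6f-72fxs   1/1     Running   0          3d'

# Offline demo: shows which pod would be chosen and the command that would run.
demo() {
    pod=$(printf '%s\n' "$SAMPLE_POD_LISTING" | select_running_oke_pod)
    DRY_RUN=1 run_ca_bundle_update "$pod"
}

# Real run (step 2 followed by step 3) on the management node.
main() {
    pod=$(kubectl get pod -n oke -l app=oke | select_running_oke_pod)
    run_ca_bundle_update "$pod"
}

case "${1:-}" in
    --run)  main ;;
    --demo) demo ;;
esac
```

Invoke it as `sh update-oke-ca.sh --run` on the management node, or `--demo` to see the pod selection without touching the cluster. Restricting the choice to a Running pod avoids a confusing exec failure against a pod that is still starting or being replaced; afterwards, check the Loki logs in Grafana for errors as the page describes.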

You can check Loki logs in Grafana for any errors that might have occurred when this process ran either automatically or manually. See Loki Logs.