7 Migrating to OCCM Managed Certificates

Caution:

  • It is expected that there will be downtime when the services are migrated to use the new certificates generated by the OCCM. The amount of downtime will depend on the method of migration performed as described below.
  • This procedure is applicable when certificates are being migrated within the same release.

This section provides information on how to migrate the certificates initially created by following the section "Configuring SSL or TLS Certificates" during OCNADD installation.

The below steps can be followed to use certificates created by OCCM:

  1. Upgrading the Helm Charts: No configuration or the existing data will be lost. Expected downtime will be equal to time taken to upgrade worker group + time taken to upgrade consumer adapter and correlation + time taken for kafka-broker and zookeeper to stabilize.

7.1 Upgrading the Helm Charts

Caution:

Migration is supported only for current release version.

To manually create certificates for OCNADD, follow these steps:

  1. Follow the steps to create secrets for OCCM for each management and worker group namespace as specified in the OCCM Prerequisites for Installing OCNADD section.
  2. Enable the OCCM based certificate management in the Management and Worker group custom-values. For descriptions of the Helm parameters required for enabling OCCM, see Helm Parameter Configuration for OCCM.
  3. Upgrade the Management group helm chart:
    helm upgrade <management-release-name> -f ocnadd-custom-values-<mgmt-group>.yaml --namespace <management-group-namespace> <helm_chart>
    For example:
    helm upgrade ocnadd-mgmt -f ocnadd-custom-values-mgmt-group.yaml --namespace dd-mgmt-group ocnadd_mgmt

    Note:

    The Admin service restart is expected until the Worker group certificate migrations are completed.
  4. Upgrade the Worker group helm chart:
    helm upgrade <worker-group-release-name> -f ocnadd-custom-values-<wg-group>.yaml --namespace <worker-group-namespace> <helm_chart>
    For example:
    helm upgrade ocnadd-wg1 -f ocnadd-custom-values-wg1-group.yaml --namespace dd-worker-group1 ocnadd_wg1
  5. Update the Worker group namespace in global.env.admin.OCNADD_UPGRADE_WG_NS of the Manamgment group custom-values.yaml file:
    global:
  env:
    admin:
      OCNADD_UPGRADE_WG_NS: dd-worker-group1                                  # Where dd-worker-group1 is the namespace of the worker group service
  6. Perform helm upgrade using the Management group charts:
    helm upgrade <management-group-release-name> -f <management-group-custom-values> -n <management-group-ns> <ocnadd-helm-chart-location> --set global.env.admin.OCNADD_INGRESS_ADAPTER_UPGRADE_ENABLE=true,global.env.admin.OCNADD_ADAPTER_UPGRADE_ENABLE=true,global.env.admin.OCNADD_CORR_UPGRADE_ENABLE=true,global.env.admin.OCNADD_STORAGE_ADAPTER_UPGRADE_ENABLE=true
    For example:
    helm upgrade ocnadd-mgmt -f ocnadd-custom-values-mgmt-group.yaml -n dd-mgmt-group ocnadd_mgmt --set global.env.admin.OCNADD_INGRESS_ADAPTER_UPGRADE_ENABLE=true,global.env.admin.OCNADD_ADAPTER_UPGRADE_ENABLE=true,global.env.admin.OCNADD_CORR_UPGRADE_ENABLE=true,global.env.admin.OCNADD_STORAGE_ADAPTER_UPGRADE_ENABLE=true
  7. Now, delete and re-create all the Data Feeds with the same name and select "Resume from point of failure" in the "Handle Failure" page.
  8. If multiple Worker groups are present, repeat steps 5 to 7 for each Worker group.