HCL Component Pack – Certificates

Posted by

The default certificates for the Component Pack are valid for 2 years.
For example:

kubectl -n connections view-secret mongo-secret user_app-registry.pem | openssl x509 -noout -text


View-secret is an additional kubectl plugin. I use the https://krew.sigs.k8s.io/ plugin manager for easy install.

Without the view-secret plugin the date can be extracted like this:

kubectl get secret mongo-secret -n connections -o "jsonpath={.data.user_app-registry\.pem}" | base64 -d | openssl x509 -noout -enddate

What could happen when these certificates expire ? Nothing … until the pods get restarted… and the pods may fail to connect…

Fix:
Uninstall the bootstrap helm chart.

helm -n connections uninstall bootstrap

Re-install the bootstrap helm chart again with the env.force_regenerate=true. see HCL Help

For Component Pack 7 just add the value to the your YML file used during initial installation.

 

 

Verify that the certificates are upated and restart the Component Pack.
If you are using metrics or elasticsearch you need clean up the ES- SSL settings and run the enableSslForMetrics and enableSslForESSearch commands again.