Platform9 Edge Cloud
Refresh Cluster CA
The cluster CA cannot be rotated without an upgrade to LTS2. On LTS1, the only option is to adjust the TTL of the certificates that the CA signs so that it is less than the time remaining before the CA expires.
Please run the following steps inside the DU VM as root:
Open /etc/pf9-vault.d/server-config.hcl. It will look something like this:

```hcl
storage "mysql" {
  database = "qbert"
  table = "vault"
  username = "qbert"
  password = "*************"
  address = "localhost:3306"
}

listener "tcp" {
  address = "localhost:8200"
  tls_disable = 1
}

default_lease_ttl = "26280h"
max_lease_ttl = "26280h"
```

Adjust default_lease_ttl and max_lease_ttl to a duration shorter than the CA's remaining validity.
Once this is done, restart the pf9-vault service:
```bash
systemctl restart pf9-vault
```

After the vault service is restarted on the DU, the nodelet phases need to be restarted on all nodes to generate new certificates with the updated TTL value.
Because this involves a stack restart, workloads will be affected. Please run this within a maintenance window.
Run this command on all nodes:
```bash
systemctl stop pf9-hostagent pf9-nodeletd
/opt/pf9/nodelet/nodeletd phases restart --regen-certs
systemctl start pf9-hostagent
```
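A way to verify the edited TTLs against the CA's remaining validity before restarting pf9-vault, as an added example that is not Platform9's own tooling. The function names and the script name are hypothetical, the CA certificate path is not given on this page and must be supplied by the operator, and the script assumes openssl and GNU date are available on the DU VM.

```sh
#!/bin/sh
# Added example (not Platform9 code): compare the lease TTLs in the vault
# config with the time left on the cluster CA certificate.

# ttl_seconds "26280h" -> seconds. Accepts one h/m/s unit or bare seconds;
# anything else (e.g. "1h30m") is rejected rather than guessed at.
ttl_seconds() (
  n=${1%[hms]}
  case "$n" in ''|*[!0-9]*) exit 1 ;; esac
  case "$1" in
    *h) echo $(( $n * 3600 )) ;;
    *m) echo $(( $n * 60 )) ;;
    *)  echo "$n" ;;
  esac
)

# hcl_ttl FILE KEY -> value of the first `KEY = "value"` line in FILE.
hcl_ttl() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | head -n 1
}

# ca_seconds_left CERT [NOW_EPOCH] -> seconds until the certificate's notAfter.
ca_seconds_left() (
  end=$(openssl x509 -in "$1" -noout -enddate) || exit 1
  end_epoch=$(date -u -d "${end#notAfter=}" +%s) || exit 1   # GNU date syntax
  echo $(( end_epoch - ${2:-$(date +%s)} ))
)

# check_ttls CONFIG CA_SECONDS_LEFT -> exit 0 only if both TTLs are shorter
# than the CA's remaining validity. Prints one line per setting.
check_ttls() (
  rc=0
  for key in default_lease_ttl max_lease_ttl; do
    val=$(hcl_ttl "$1" "$key")
    secs=$(ttl_seconds "$val") || { echo "$key: cannot parse '$val'"; rc=1; continue; }
    if [ "$secs" -lt "$2" ]; then
      echo "$key=$val OK (CA has $(( $2 / 3600 ))h left)"
    else
      echo "$key=$val TOO LONG (CA has $(( $2 / 3600 ))h left)"; rc=1
    fi
  done
  exit "$rc"
)

# Usage: sh check-ttl.sh /etc/pf9-vault.d/server-config.hcl <path-to-cluster-CA-cert>
if [ "$#" -eq 2 ]; then
  left=$(ca_seconds_left "$2") || { echo "cannot read certificate $2" >&2; exit 2; }
  check_ttls "$1" "$left"
fi
```

A non-zero exit means at least one TTL would let an issued certificate outlive the CA, so lower the value before restarting pf9-vault.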