Updating database certificate in DBaaS
Create a Secret containing the DBaaS CA certificates. NetBackup version 10.4 and later stores the database certificate in the db-cert configMap instead of a KeyVault/SecretsManager secret. The db-cert configMap is created by trust-manager.
Skip the steps in this section when using containerized Postgres.
The steps in this section are only required for upgrading from 10.4 and 10.4.0.1 (non-decoupled services) to 10.5 and above (decoupled services).
Upgrade from embedded to DBaaS is not supported.
Perform the following to create the Secret containing the DBaaS CA certificates:
AKS-specific:
# Local paths for the downloaded roots and the combined PEM bundle
DIGICERT_ROOT_CA='/tmp/root_ca.pem'
DIGICERT_ROOT_G2='/tmp/root_g2.pem'
MS_ROOT_CRT='/tmp/ms_root.crt'
COMBINED_CRT_PEM='/tmp/tls.crt'
DIGICERT_ROOT_CA_URL="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
DIGICERT_ROOT_G2_URL="https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem"
MS_ROOT_CRT_URL="http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt"
curl ${DIGICERT_ROOT_CA_URL} --output ${DIGICERT_ROOT_CA}
curl ${DIGICERT_ROOT_G2_URL} --output ${DIGICERT_ROOT_G2}
curl ${MS_ROOT_CRT_URL} --output ${MS_ROOT_CRT}
# The Microsoft root is distributed as DER; convert it to PEM, then append the DigiCert roots
openssl x509 -inform DER -in ${MS_ROOT_CRT} -out ${COMBINED_CRT_PEM} -outform PEM
cat ${DIGICERT_ROOT_CA} ${DIGICERT_ROOT_G2} >> ${COMBINED_CRT_PEM}
kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file ${COMBINED_CRT_PEM}
EKS-specific:
TLS_FILE_NAME='/tmp/tls.crt'
PROXY_FILE_NAME='/tmp/proxy.pem'
rm -f ${TLS_FILE_NAME} ${PROXY_FILE_NAME}
DB_CERT_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
DB_PROXY_CERT_URL="https://www.amazontrust.com/repository/AmazonRootCA1.pem"
curl ${DB_CERT_URL} --output ${TLS_FILE_NAME}
curl ${DB_PROXY_CERT_URL} --output ${PROXY_FILE_NAME}
# Append the RDS Proxy root to the RDS bundle so one file covers both endpoints
cat ${PROXY_FILE_NAME} >> ${TLS_FILE_NAME}
kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file ${TLS_FILE_NAME}
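Before loading the combined file into the postgresql-netbackup-ca Secret, it is worth confirming that every block in it is a well-formed PEM certificate and that no raw DER bytes slipped in (on the AKS path, skipping the openssl conversion of the Microsoft root leaves a binary blob that clients reject). The following is an added example, not part of the NetBackup documentation; the sample bundles are constructed fixtures, and the expected certificate count (three for AKS: two DigiCert roots plus the Microsoft root) is an assumption you should adjust to your bundle.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def inspect_bundle(data: bytes) -> dict:
    """Report valid PEM blocks, malformed block indices and stray non-PEM bytes.

    The bundle is fit for the Secret when "invalid" is empty and "stray_der" is False.
    """
    text = data.decode("latin-1")  # 1:1 byte mapping so binary junk survives
    valid, invalid = 0, []
    for idx, body in enumerate(PEM_BLOCK.findall(text)):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            invalid.append(idx)
            continue
        # Every X.509 certificate is a DER SEQUENCE, so the payload starts with 0x30
        if der[:1] == b"\x30":
            valid += 1
        else:
            invalid.append(idx)
    # Outside the PEM blocks only whitespace is acceptable; an unconverted DER
    # certificate that was concatenated in shows up here as binary bytes
    leftover = PEM_BLOCK.sub("", text).strip()
    stray_der = bool(leftover) and (
        leftover.startswith("\x30\x82") or any(ord(c) > 0x7F for c in leftover)
    )
    return {"valid": valid, "invalid": invalid, "stray_der": stray_der}


def bundle_ok(data: bytes, expected_count: int) -> bool:
    """True when the bundle holds exactly expected_count good certificates and nothing else."""
    r = inspect_bundle(data)
    return r["valid"] == expected_count and not r["invalid"] and not r["stray_der"]


def _fake_pem(der: bytes) -> bytes:
    """Wrap constructed DER-like bytes in PEM armour (test fixture, not a real certificate)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


# Constructed sample data: two well-formed blocks, and the same bundle with a
# raw DER blob appended to mimic a skipped openssl conversion
GOOD_BUNDLE = _fake_pem(b"\x30\x82\x00\x04\x02\x02\x00\x01") * 2
BROKEN_BUNDLE = GOOD_BUNDLE + b"\x30\x82\x00\x04\x02\x02\x00\x01"
```

To check a real file, read /tmp/tls.crt in binary mode and call `bundle_ok(data, 3)` (AKS) or `inspect_bundle(data)` to see the counts for the larger RDS bundle.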
Restart the primary pod using the following command, with PRIMARY set to the primary server StatefulSet name and NAMESPACE to its namespace:
kubectl rollout restart "statefulset/${PRIMARY}" --namespace "${NAMESPACE}"