Export feedback fixes (#886)

SUSE · Jun 22, 2020 · 81b8892 · 81b8892
1 parent 858c8ee
commit 81b8892
Showing 1 changed file with 42 additions and 10 deletions.
diff --git a/xml/cap_admin_upgrade.xml b/xml/cap_admin_upgrade.xml
@@ -153,31 +153,63 @@
       Rotate secrets and database encryption key. Do not copy the example as is, ensure a secure key is used in place of the example value of <replaceable>abcdef</replaceable>.
      </para>
      <substeps>
+      <step>
+       <para>
+        If the deployment uses an embedded UAA or an external UAA with a
+        certificate signed by a well known Certificate Authority (CA), skip this
+        step.
+       </para>
+       <para>
+        For deployments using an external UAA with either a certificate
+        generated by the secret-generator or a self-signed certificate, the
+        UAA's CA cert (<literal>UAA_CA_CERT</literal>) must be set in the
+        <command>helm upgrade</command> command.
+       </para>
+       <para>
+        Obtain your UAA secret and certificate: 
+       </para>
+<screen>&prompt.user;SECRET=$(kubectl get pods --namespace uaa \
+--output jsonpath='{.items[?(.metadata.name=="uaa-0")].spec.containers[?(.name=="uaa")].env[?(.name=="INTERNAL_CA_CERT")].valueFrom.secretKeyRef.name}')
+
+&prompt.user;CA_CERT="$(kubectl get secret $SECRET --namespace uaa \
+--output jsonpath="{.data['internal-ca-cert']}" | base64 --decode -)"
+</screen>
+       <para>
+        Then include <command>--set "secrets.UAA_CA_CERT=${CA_CERT}"</command>
+        as part of the <command>helm upgrade</command> command in the next step. 
+       </para>
+      </step>
       <step>
        <para>
         Use <command>helm upgrade</command> to apply the configuration update
-        and rotate all generated secrets. If secrets have been rotated
-        previously (<literal>kube.secrets_generation_counter</literal> has
-        already been set), be sure the new value provided is an increment of the
-        existing one.
+        and rotate all generated secrets.
+       </para>
+       <para>
+        If secrets have been rotated previously 
+        <literal>kube.secrets_generation_counter</literal> has
+        already been set), be sure the new value provided for
+        <literal>kube.secrets_generation_counter</literal> is an increment of
+        the existing one.
        </para>
 <screen>&prompt.user;helm upgrade susecf-scf suse/cf \
---namespace <replaceable>kubecf</replaceable> \
+--namespace <replaceable>scf</replaceable> \
 --set env.CC_DB_CURRENT_KEY_LABEL=<replaceable>NEW_KEY</replaceable> \
 --set secrets.CC_DB_ENCRYPTION_KEYS.<replaceable>NEW_KEY</replaceable>=<replaceable>abcdef</replaceable> \
---set kube.secrets_generation_counter=<replaceable>2</replaceable>
+--set kube.secrets_generation_counter=<replaceable>2</replaceable> \
 --values scf-config-values.yaml \
 --version 2.20.3
 </screen>
+       <para>
+        Wait until all pods are ready. To monitor the progress run the following
+        command.
+     </para>
+<screen>&prompt.user;watch --color &apos;kubectl get pods --namespace scf&apos;</screen>
       </step>
       <step>
        <para>
         With the new encryption key in place, perform the rotation.
        </para>
-<screen>&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c 'source /var/vcap/jobs/cloud_controller_ng/bin/ruby_version.sh; \
-    export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml; \
-    cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng; \
-    bundle exec rake rotate_cc_database_key:perform'
+<screen>&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c 'source /var/vcap/jobs/cloud_controller_ng/bin/ruby_version.sh; export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml; cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng; bundle exec rake rotate_cc_database_key:perform'
 </screen>
       </step>
       <step>