Optional Upgrade
(Optional) Upgrade Connect control from Application-Operation-Manager to Platform-Manager
Objective
Upgrade the Connect configuration in the Platform Manager so that it no longer relies on the Application Operation Manager.
Execution
Platform Manager
In the platform-manager section, change the config.axual configuration to use the Connect configuration and not the Application-Operation-Manager configuration.
You need to provide the Axual Connect configuration for all
values.yaml
axual-governance:
  platform-manager:
    config:
      axual:
        # Application Operation Manager Configuration
        operation-manager:
          available: false
          authorizer: tls
          base-uri: https://[existing-aom-url]:[existing-aom-port]
        # Axual Connect Configuration
        connect:
          available: true
          instance-connect-credentials:
            tenant1ShortName-instance1shortName:
              authorizer: basic
              username: [connect-username-for-tenant1-instance1]
              password: [connect-password-for-tenant1-instance1]
            tenant1ShortName-instance2shortName:
              authorizer: basic
              username: [connect-username-for-tenant1-instance2]
              password: [connect-password-for-tenant1-instance2]
            tenant2ShortName-instance2shortName:
              authorizer: basic
              username: [connect-username-for-tenant2-instance1]
              password: [connect-password-for-tenant2-instance1]
Please note that the client TrustStore and TrustStorePassword, which are used to get access to Connect over SSL, are provided by default when
Once the platform-manager section has been updated, upgrade the Governance application.
Verification
In this step, we are going to verify that the new Platform Manager configuration can interact with any Axual Connect directly.
Open a browser and access https://[mgmt-ingress-host]/login/[your-realm]
Verify that you can perform the below actions for all Instances using Axual Connect.
- view the status of a running connector
- start/stop a running connector
If all checks are successful, you can proceed to the next steps.
Post verification
Once you have verified that the new Platform Manager configuration works, you can disable the Application Operation Manager running in the existing Management stack deployment.
values.yaml
global:
  mgmt:
    operationManager:
      enabled: false
Upgrade the existing Management stack deployment to disable the Application-Operation-Manager.
(Optional) Upgrade Connect’s Vault from one per Platform-Manager to one per Axual-Connect
Objective
Separate the Connect’s Vault configuration so that each Tenant-Instance’s Axual-Connect has its own.
Execution
Platform Manager
In the platform-manager section, change the config configuration to use Connect’s Vault configuration for each Tenant-Instance.
You need to provide the Connect’s Vault configuration for all
values.yaml
axual-governance:
  platform-manager:
    config:
      # Connectors Vault Configuration
      connectorVault:
        # -- Enable Connect Support
        enabled: true
        # -- Vault Instance for each Tenant-Instance
        instances:
          tenant1ShortName-instance1shortName:
            # -- The URI of the Vault for the Tenant-Instance
            uri: https://[vault-url]:[vault-port]
            # -- (Optional) The Namespace of the Vault for the Tenant-Instance
            # namespace: "[your-connect-namespace]"
            # -- The path of the `connectors` KV secrets defined for the Tenant-Instance
            connectorsPath: "connectors"
            # -- The RoleID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
            roleId: "[existing-platform-manager-policy-role-id]"
            # -- The SecretID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
            secretId: "[existing-platform-manager-policy-secret-id]"
            # -- The Name identifying the `private.key` of the Connector for the Tenant-Instance
            privateKeyName: "private.key"
            # -- The Name identifying the `certificate.chain` of the Connector for the Tenant-Instance
            certChainKeyName: "certificate.chain"
          tenant1ShortName-instance2shortName:
            # -- The URI of the Vault for the Tenant-Instance
            uri: https://[vault-url]:[vault-port]
            # -- (Optional) The Namespace of the Vault for the Tenant-Instance
            # namespace: "[your-connect-namespace]"
            # -- The path of the `connectors` KV secrets defined for the Tenant-Instance
            connectorsPath: "connectors"
            # -- The RoleID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
            roleId: "[existing-platform-manager-policy-role-id]"
            # -- The SecretID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
            secretId: "[existing-platform-manager-policy-secret-id]"
            # -- The Name identifying the `private.key` of the Connector for the Tenant-Instance
            privateKeyName: "private.key"
            # -- The Name identifying the `certificate.chain` of the Connector for the Tenant-Instance
            certChainKeyName: "certificate.chain"
          tenant2ShortName-instance2shortName:
            # -- The URI of the Vault for the Tenant-Instance
            uri: https://[vault-url]:[vault-port]
            # -- (Optional) The Namespace of the Vault for the Tenant-Instance
            # namespace: "[your-connect-namespace]"
            # -- The path of the `connectors` KV secrets defined for the Tenant-Instance
            connectorsPath: "connectors"
            # -- The RoleID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
            roleId: "[existing-platform-manager-policy-role-id]"
            # -- The SecretID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
            secretId: "[existing-platform-manager-policy-secret-id]"
            # -- The Name identifying the `private.key` of the Connector for the Tenant-Instance
            privateKeyName: "private.key"
            # -- The Name identifying the `certificate.chain` of the Connector for the Tenant-Instance
            certChainKeyName: "certificate.chain"
You can use the same Vault URI for several Tenant-Instances; in that case the separation will be logical and not physical.
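A pre-upgrade consistency check for the two per-Tenant-Instance maps on this page, written as an added example (not Axual tooling). It assumes both optional upgrades are applied in the same values.yaml and that the file has already been loaded into a dict by a YAML parser; the function name, tenant-instance names, hosts and credentials are hypothetical.

```python
import re
from collections import defaultdict

PLACEHOLDER = re.compile(r"\[[^\]]+\]")  # e.g. https://[vault-url]:[vault-port]

def check_platform_manager(values):
    """Return findings for a parsed values.yaml (dict); field values are never echoed."""
    config = values["axual-governance"]["platform-manager"]["config"]
    creds = config["axual"]["connect"]["instance-connect-credentials"]
    vaults = config["connectorVault"]["instances"]
    findings = []
    # Every tenant-instance key needs both a Connect credential and a Vault entry.
    for key in sorted(set(creds) ^ set(vaults)):
        gap = "connectorVault.instances" if key in creds else "instance-connect-credentials"
        findings.append(f"{key}: missing from {gap}")
    # Template placeholders left in place. An unquoted [placeholder] is a YAML
    # flow sequence, so it arrives here as a list rather than a string.
    for section, entries in (("connect", creds), ("vault", vaults)):
        for key, entry in sorted(entries.items()):
            for field, value in entry.items():
                if isinstance(value, list) or (
                        isinstance(value, str) and PLACEHOLDER.search(value)):
                    findings.append(f"{key}: {section} field {field} is a placeholder")
    # Instances pointing at the same Vault URI are separated logically only.
    by_uri = defaultdict(list)
    for key, entry in vaults.items():
        by_uri[entry.get("uri", "")].append(key)
    for uri, keys in sorted(by_uri.items()):
        if len(keys) > 1:
            findings.append(f"{', '.join(sorted(keys))}: share Vault {uri}")
    return findings

# Constructed sample: names, hosts and credentials are made up for illustration.
SAMPLE = {"axual-governance": {"platform-manager": {"config": {
    "axual": {"connect": {"available": True, "instance-connect-credentials": {
        "acme-prod": {"authorizer": "basic", "username": "pm-prod", "password": "example-1"},
        "acme-test": {"authorizer": "basic", "username": ["connect-username"],
                      "password": "example-2"},
    }}},
    "connectorVault": {"enabled": True, "instances": {
        "acme-prod": {"uri": "https://vault.example.internal:8200", "connectorsPath": "connectors"},
        "acme-dev": {"uri": "https://vault.example.internal:8200", "connectorsPath": "connectors"},
    }},
}}}}

if __name__ == "__main__":
    for line in check_platform_manager(SAMPLE):
        print(line)
```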
Verification
In this step, we are going to verify that the new Platform Manager configuration can interact with Connect’s Vault for each Axual Connect Tenant-Instance.
Open a browser and access https://[mgmt-ingress-host]/login/[your-realm]
Verify that you can perform the below actions for all Instances using Axual Connect.
- upload a certificate/privateKey for a new connector
- start/stop a running connector
If all checks are successful, you can proceed to the next steps.