Backup and restore ACS Central instance without losing Secured Cluster access
Issue
- Sensor pod logs errors like:
    common/sensor: 2022/10/06 12:08:16.682545 sensor.go:255: Warn: Error fetching centrals TLS certs: verifying tls challenge: validating certificate chain: using a certificate bundle that was generated from a different Central installation than the one it is trying to connect to: x509: certificate signed by unknown authority
    common/sensor: 2022/10/06 12:08:16.682624 sensor.go:237: Info: Did not add central CA cert to gRPC connection
    common/sensor: 2022/10/06 12:08:16.788970 sensor.go:318: Error: Sensor reported an error: opening stream: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: verifying Central certificate errors: [x509: certificate is valid for central.stackrox, central.stackrox.svc, not central-stackrox.apps.openshift.cluster.local, x509: certificate signed by unknown authority]"
    main: 2022/10/06 12:08:16.789044 main.go:58: Fatal: Sensor exited with error: opening stream: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: verifying Central certificate errors: [x509: certificate is valid for central.stackrox, central.stackrox.svc, not central-stackrox.apps.openshift.cluster.local, x509: certificate signed by unknown authority]"
- After Central restore, Secured Clusters cannot connect to Central anymore
- Secured Cluster init bundles need to be regenerated after Central restore
- The new Central certificate generated during ACS reinstallation is issued by a different Certification Authority and existing Secured Clusters don't trust it anymore
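To see why both errors in the Sensor log appear, here is an added Go example (not RHACS or StackRox code) that reproduces Sensor's verification step with constructed certificates: a Central serving certificate issued by a new CA fails against the CA carried in the original install's init bundle, and even with the right CA it fails for a host the certificate does not name. The function names and CA subjects are made up for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mintCert builds constructed test material: a self-signed CA when isCA is set,
// otherwise a serving certificate for dns signed by parent with pkey.
func mintCert(cn string, dns []string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signKey := tmpl, key // a CA signs itself
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caBundlePEM renders a CA the way Sensor holds it: as the ca.pem from the init bundle.
func caBundlePEM(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// verifyCentralCert mirrors Sensor's check: Central's cert must chain to the bundle's CA and match the dialed host.
func verifyCentralCert(bundle []byte, central *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // a stale or empty bundle surfaces as UnknownAuthorityError
	_, err := central.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Feeding verifyCentralCert the ca.pem from a cluster's init bundle together with the certificate Central currently serves tells you before a restore whether that cluster will reconnect: an x509.UnknownAuthorityError means the bundle predates the current Central CA, an x509.HostnameError means Sensor is dialing a name the certificate does not cover.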
Environment
- Red Hat Advanced Cluster Security for Kubernetes (RHACS)
- RHACS securedCluster