This is an IBM Automation portal for Cloud Management, Technology Cost Management, Network Automation and AIOps products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
This idea should definitely be implemented. My internal Kubernetes certs had expired, but I did not know it until I tried to do some RightSizing on a weekend. I had a limited change window, and support was unable to get Turbo working in time for me to do the RightSizing. I had put a lot of time and effort into negotiating the RightSizing and timing with the application team, and even though I worked for 7 hours on a Saturday, I wasn't able to accomplish anything. I can't try again until September due to the app team's schedule; so this issue really messed things up for me.
We had a meeting today with Billy and Jet to discuss incorporating the certificate renewal script into the online/offline upgrades. Billy has mentioned that the OVA upgrades are intended for upgrading Turbo components only and we should not add the certificate renewal to the Turbo upgrade script.
However, Jet has mentioned that he has encountered some issues with the kubeNodeCertUpdate.sh, where he has to reach out to Support because the cert update script did not move the files to the right location. As a next step, Jet is going to share the details of the cert update script issue and include info on the steps that Support used to solve the problems. Once we are clear on the issues, the kubeNodeCertUpdate.sh can be enhanced address those problems.
Hi Mitchell:
The k8s certificate renewal script is here: https://github.com/turbonomic/t8c-install/blob/master/bin/kubeNodeCertUpdate.sh
In my opinion the script above should be included as part of doing online or offline upgrades using the scripts below:
Online: https://github.com/turbonomic/t8c-install/blob/master/bin/onlineUpgrade.sh
Offline: https://github.com/turbonomic/t8c-install/blob/master/bin/offlineUpdate.sh
A further nice to have would be for the MariaDB upgrade to be included in the upgrade scripts above as well to have the MariaDB upgraded in the OVA when it is needed which that script is here:
https://github.com/turbonomic/t8c-install/blob/master/bin/mariadbUpgrade.sh
Thanks,
Russ and Jason - Can you attach a copy of the script please?
Hi Mitchell, this is only for the OVA when doing upgrades since it is a Turbo created single node cluster in the OVA. Deployments into k8s have their own certificates in the cluster that Turbo won't need to manage during upgrades as we don't deploy them in that case.
Thanks Jason for clarifying. Yes, I think it makes sense to proactively check for certificate expiry. You mentioned about the OVA in the comments, do we also to have the same check for K8S deployments as well? Wanted to see if this is a generic issue or only for OVA deployments.
Hi Mitchell, yes there was a misunderstanding between what I wrote and you interpreted as. It is as the guest replied below.
Hi Mitchell, this is only related to the kubernetes certificate expiring every year and there is no warning before it expires. Currently the only check for this is the upgrade-precheck script. This Idea is to have the k8s certificate renewal process in the OVA done as part of upgrades to prevent this from happening going forward and causing the instance to be down without warning
We have a health check feature where the UI alerts the user when the targets are not validating. It is also available via Turbo API so that user can check the target validation status in an automated fashion. Any reason why the customer is not using this feature?