Post-installation tasks

Consider the following tasks after installing Event Processing and Flink.

Verifying an installation

To verify that your Event Processing and Flink installations deployed successfully, you can check the status of your instances either by using the command line (CLI), or if running on OpenShift Container Platform, by using the web console (UI).

Using the OpenShift Container Platform UI

For Event Processing:

Log in to the OpenShift Container Platform web console using your login credentials.
Expand the Operators dropdown and select Installed Operators to open the Installed Operators page.
Expand the Project dropdown and select the project the instance is installed in. Click the operator called IBM Event Processing managing the project.
Select the EventProcessing tab and search for the installed instance(s).
The Status column displays the current state of the EventProcessing custom resource. When the Event Processing instance is ready, the phase displays Phase: Running.

For Flink:

Log in to the OpenShift Container Platform web console using your login credentials.
Expand the Operators dropdown and select Installed Operators to open the Installed Operators page.
Expand the Project dropdown and select the project the instance is installed in. Click the operator called IBM Operator for Apache Flink.
Select the FlinkDeployment tab and click the installed instance.
Select the YAML tab.
The status field displays the current state of the FlinkDeployment custom resource. When the Flink instance is ready, the custom resource displays status.lifecycleState: STABLE and status.jobManagerDeploymentStatus: READY.

Using the CLI

After all the components of an Event Processing instance are active and ready, the EventProcessing custom resource will have a Running phase in the status.

To verify the status:

For Event Processing, run the following command:

kubectl get eventprocessing <instance-name> -n <namespace> -o jsonpath='{.status.phase}'

An example output for a successful deployment:

kubectl get eventprocessing development -n myepnamespace -o jsonpath='{.status.phase}'
Running

For Flink, run the following commands:

kubectl get flinkdeployment <instance-name> -n <namespace> -o jsonpath='{.status.lifecycleState}'
kubectl get flinkdeployment <instance-name> -n <namespace> -o jsonpath='{.status.jobManagerDeploymentStatus}'

An example output for a successful deployment:

kubectl get flinkdeployment session-cluster-quick-start -n myepnamespace -o jsonpath='{.status.lifecycleState}'
STABLE
kubectl get flinkdeployment session-cluster-quick-start -n myepnamespace -o jsonpath='{.status.jobManagerDeploymentStatus}'
READY

Note: It might take several minutes for all the resources to be created and the instance to become ready.

Setting up access

After the Event Processing instance is successfully created, set up user authentication and authorization for your chosen implementation. Event Processing supports locally defined authentication for testing purposes and OpenID Connect (OIDC) authentication for production purposes.

If you have selected LOCAL authentication, ensure you create user credentials before you access the Event Processing instance. For more information, see managing access.
After setting up LOCAL or OIDC authentication, assign users to roles. For more information, see managing roles.

Backup the data encryption key

The secret <instance-name>-ibm-ep-mek contains an important key for decrypting the data stored by Event Processing. Ensure you back up and store the key safely outside your cluster.

To save the key to a file, complete the following steps.

Run the following command to retrieve the encryption secret:

kubectl get secret <instance-name>-ibm-ep-mek -n <namespace>

Create a backup of the encryption secret with the command:
```
kubectl get secret <instance-name>-ibm-ep-mek -n <namespace> -o yaml > encryption-secret.yaml
```
This command retrieves the encryption secret in YAML format and redirects the output to a file named encryption-secret.yaml.
Ensure that the backup file (encryption-secret.yaml) is stored in a secure location outside the cluster.

Updating and renewing certificates

After installing Event Processing, you can manage your certificates with the Cert Manager operator. Follow the instructions to update and renew your certificates.

Renew an existing certificate

You can use the Cert Manager to renew and regenerate a certificate if the secret for the certificate is deleted. You can also use the Cert Manager to renew your expired certificates.

By using the CLI

You can also renew a certificate by deleting the existing secret. You can do this by using the kubectl command as follows:

Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
Ensure you are in the namespace where your Event Processing instance is installed:
```
kubectl config set-context --current --namespace=<namespace>
```
Run the following command to display the Event Processing instances:
```
kubectl get eventprocessing
```
Run the following command to display the name of the secret representing the certificate for Event Processing:
```
kubectl get eventprocessing <instance_name> --template '{ {.spec.authoring.tls.caSecretName} }'
```
Run the following command to delete and regenerate the value of the certificate:
```
kubectl delete secret <secret_name>
```

By using `cmctl`

Cert Manager provides the cert-manager Command Line Tool (cmctl) for managing and renewing certificates.

Install the cert-manager Command Line Tool (cmctl).
Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
Ensure you are in the namespace where your Event Processing instance is installed:
```
kubectl config set-context --current --namespace=<namespace>
```
View the certificates of your Event Processing instance by running the following command:
```
kubectl get certificate
```
View the status of an existing certificate by running the following command:
```
cmctl status certificate <certificate_name>
```
Renew a certificate by running the following command:
```
cmctl renew <certificate_name>
```

By using the OpenShift web console

If running on the OpenShift Container Platform, you can also renew a certificate by deleting the existing secret. You can do this in the OpenShift web console as follows:

Log in to the OpenShift Container Platform web console using your login credentials.
Expand the Operators dropdown and select Installed Operators to open the Installed Operators page.
Expand the Project dropdown and select the project the instance is installed in. Click the operator called IBM Event Processing managing the project.
Select the Event Processing tab and search the Name column for the installed instance and click it.
In the EventProcessing details dashboard, scroll down and locate the Ca Secret Name field, and then click the linked secret.
Click the Actions menu, and select Delete secret.

Note: Following deleting the secret, you will be navigated back to the Secrets page. Your deleted secret will have been regenerated with a new value, which will be used for your certificate in the IBM Cert Manager.

By using the OpenShift CLI (`oc`)

You can also renew a certificate by deleting the existing secret. You can do this by using the oc CLI as follows:

Log in to your Red Hat OpenShift Container Platform as a cluster administrator by using the oc CLI (oc login).
Ensure you are in the project where your Event Processing instance is installed:
```
oc project <project_name>
```
Run the following command to display the Event Processing instances:
```
oc get eventprocessing
```
Run the following command to display the name of the secret representing the certificate for Event Processing:
```
oc get eventprocessing <instance_name> --template '{ {.spec.authoring.tls.caSecretName} }'
```
Run the following command to delete and regenerate the value of the certificate:
```
oc delete secret <secret_name>
```

Update a certificate to use an external secret

You can provide an externally generated certificate to the Cert Manager. To use an externally generated certificate, update the Event Processing instance to use the external certificate as follows.

Generate a certificate externally

You can generate a certificate externally to register with Event Processing. There are several ways to generate a certificate externally. For example, you can create a certificate by using openssl as follows.

Generate a certificate key file by using openssl:
```
openssl genrsa --out ca.key 4096
```

Generate a CA certificate by using the key file:

openssl req -new -x509 -sha256 -days 10950 -key ca.key -out ca.crt

Register an externally generated certificate

Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
Ensure you are in the namespace where your Event Processing instance is installed:
```
kubectl config set-context --current --namespace=<namespace>
```
Encode your externally generated certificates to Base 64 format, and make a note of the values:

base64 -i ca.crt

base64 -i ca.key

Create a YAML file called secret.yaml with the following content:

 apiVersion: v1
 kind: Secret
 metadata:
   name: ibm-ca-secret
   namespace: <ep namespace>
 type: Opaque
 data:
   ca.crt: <base 64 value for ca.crt>
   tls.crt: <base 64 value for ca.crt>
   tls.key: <base 64 value for ca.key>

Apply the secret by running the following command:
```
kubectl apply -f secret.yaml
```
Edit the custom resource of the Event Processing instance by running the following command:
```
kubectl edit eventprocessing <instance-name>
```
Locate and update the spec.tls.caSecretName field to ibm-ca-secret, then save and exit.

This will update the certificate used in your Event Processing instance. Your pods will reload with the latest certificates in use.