Bug 1275648
| Field | Value |
|---|---|
| Summary | Tooling for certificate maintenance |
| Product | OpenShift Container Platform |
| Component | RFE |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Version | 3.0.0 |
| Reporter | Josep 'Pep' Turro Mauri <pep> |
| Assignee | Andrew Butcher <abutcher> |
| QA Contact | Gaoyun Pei <gpei> |
| CC | adellape, aleksandar.lazic, aos-bugs, bleanhar, bvincell, clichybi, erich, fweimer, gpei, javier.ramirez, jdetiber, jkaur, jokerman, misalunk, mmccomas, pep, rhowe, stwalter |
| Flags | jdetiber: needinfo- |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clones | 1387719 (view as bug list) |
| Bug Blocks | 1267746, 1387719 |
| Last Closed | 2016-08-18 19:27:59 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Doc Text:

Administrators can now back up and redeploy cluster certificates using the following Ansible playbook:

```shell
$ ansible-playbook -i <inventory_file> \
    /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml
```

By default, the playbook retains the current OpenShift Enterprise CA. To replace the CA with a generated or custom CA:

```shell
$ ansible-playbook -i <inventory_file> \
    /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml \
    --extra-vars "openshift_certificates_redeploy_ca=true"
```
Description

Josep 'Pep' Turro Mauri, 2015-10-27 12:29:43 UTC

Do we have any update on this? Any estimate for the fix and/or any known workaround?

Yes. Do we have any workaround as of now if the certificates get corrupted anyhow, or we need to correct it? Regards, Jaspeeer

This is still planned for 3.3. The card is in progress now.

While we wait for the automated tooling: there are some manual steps in the upstream (Origin) docs about updating certificates: https://docs.openshift.org/latest/install_config/upgrading/manual_upgrades.html#manual-updating-master-and-node-certificates

I'm not fully sure if they are complete/accurate for OSE, and have not had time to review, but they should be at least a reference for the manual work involved.

https://github.com/openshift/openshift-ansible/pull/1142 aims to address this.

Verified this bug with openshift-ansible-3.2.22-1.git.0.7961a61.el7.noarch.

1) Run:

```shell
ansible-playbook -i ansible_inventory \
    /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml
```

The certificates of etcd/master/node are backed up and redeployed. CA files are retained.

2) Run:

```shell
ansible-playbook -i ansible_inventory \
    /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml \
    --extra-vars "openshift_certificates_redeploy_ca=true"
```

The certificates of etcd/master/node are backed up and redeployed. CA files are also removed and regenerated by openshift-ansible.

3) With the following options set in ansible_inventory in addition:

```ini
openshift_master_ca_certificate={'certfile': '/root/custom_ca/ca.crt', 'keyfile': '/root/custom_ca/ca.key'}
openshift_certificates_redeploy_ca=true
```

run:

```shell
ansible-playbook -i ansible_inventory \
    /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml
```

The certificates of etcd/master/node are backed up and redeployed. CA files are also removed and deployed from the custom files.

In all the mentioned cases, etcd, masters and nodes are working well after the certs redeployment. All the services are in normal status, nodes are available as before, and sti-build testing is successful.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1639