Bug 1373032

Summary: [DOCS] [3.3] Document the support for re-deploying certificates
Product: OpenShift Container Platform
Reporter: Vikram Goyal <vigoyal>
Component: Documentation
Assignee: Ashley Hardin <ahardin>
Status: CLOSED CURRENTRELEASE
QA Contact: Gaoyun Pei <gpei>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 3.3.0
CC: abutcher, aos-bugs, jokerman, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-09-27 20:37:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Vikram Goyal 2016-09-05 00:00:31 UTC
Document:

* How to run the redeploy playbook and explain which certificates will be replaced.
* Variables that must be provided to use custom CA.

Eng Card: https://trello.com/c/NsT6f1HL/38-5-atomic-openshift-installer-support-for-redeploying-certificates

Comment 1 Ashley Hardin 2016-09-06 20:35:13 UTC
@abutcher, 
Can you please offer some guidance as to what variables, etc. I should document here? Thanks!

Comment 2 Andrew Butcher 2016-09-12 19:51:55 UTC
PR: https://github.com/openshift/openshift-ansible/pull/1142

WARNING: This playbook must be run with an inventory that is representative of the cluster, i.e. the inventory must specify/override all hostnames and IP addresses set via openshift_hostname, openshift_public_hostname, openshift_ip, openshift_public_ip, openshift_master_cluster_hostname, or openshift_master_cluster_public_hostname such that they match the current cluster configuration.

Running the certificate redeploy playbook will redeploy OpenShift certificates which exist on systems (master, node, etcd).

By default, the redeploy playbook will _not_ redeploy the OpenShift CA. New certificates will be created using the original OpenShift CA.

ansible-playbook -i <inventory> playbooks/byo/openshift-cluster/redeploy-certificates.yml

To redeploy all certificates including the OpenShift CA, specify "openshift_certificates_redeploy_ca=true". All pods using service accounts to communicate with the OpenShift API must be redeployed when the OpenShift CA is replaced so the certificate redeploy playbook will serially evacuate all nodes in the cluster when this variable is set.

ansible-playbook -i <inventory> playbooks/byo/openshift-cluster/redeploy-certificates.yml --extra-vars "openshift_certificates_redeploy_ca=true"

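The warning and the two command lines in comment 2 describe a procedure: confirm the inventory pins the hostnames and IPs the cluster actually uses, then run redeploy-certificates.yml, with openshift_certificates_redeploy_ca=true only when the CA itself must go. The script below is an added example and is not code from openshift-ansible, the docs PR or anyone on this bug. The inventory and the "cluster state" text are constructed (hypothetical hosts and addresses); the assumption is that in real use the cluster state would be built from the NAME and INTERNAL-IP columns of `oc get nodes -o wide`, since the node name is what openshift_hostname sets and the internal IP is what openshift_ip sets. The `---CLUSTER---` delimiter and the function names are the example's own. Only openshift_hostname and openshift_ip on [nodes] hosts are checked; the public and master-cluster hostnames from the warning are left to the operator.

```shell
#!/bin/sh
# Added example (not openshift-ansible code): pre-flight check for the inventory
# warning, then assembly of the redeploy-certificates.yml command line.

# Constructed inventory (hypothetical hosts and addresses); node2's
# openshift_ip is deliberately wrong so the check has something to catch.
INVENTORY_SAMPLE='[masters]
master.example.com openshift_hostname=master.example.com openshift_ip=10.0.0.10 openshift_public_hostname=master.example.com

[nodes]
master.example.com openshift_hostname=master.example.com openshift_ip=10.0.0.10
node1.example.com openshift_hostname=node1.example.com openshift_ip=10.0.0.11
node2.example.com openshift_hostname=node2.example.com openshift_ip=10.0.0.99'

# Constructed "what the cluster says": one "<node name> <internal IP>" per line.
# Assumption: in real use this comes from `oc get nodes -o wide` (NAME, INTERNAL-IP).
CLUSTER_STATE='master.example.com 10.0.0.10
node1.example.com 10.0.0.11
node2.example.com 10.0.0.12'

# Every host under [nodes] must set both openshift_hostname and openshift_ip,
# otherwise the playbook would use whatever the host itself reports, which is
# exactly the drift the warning is about. Prints offenders; returns 1 if any.
check_required_vars() {
  printf '%s\n' "$1" | awk '
    BEGIN { bad = 0 }
    /^\[/ { grp = $1; next }
    grp == "[nodes]" && NF > 0 {
      hn = 0; ip = 0
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^openshift_hostname=/) hn = 1
        if ($i ~ /^openshift_ip=/) ip = 1
      }
      if (!hn || !ip) { print "host " $1 " lacks openshift_hostname and/or openshift_ip"; bad = 1 }
    }
    END { exit bad }'
}

# Compare the [nodes] entries with the cluster state. $1 = inventory text,
# $2 = "<name> <ip>" lines. "---CLUSTER---" is a private delimiter so awk can
# read both texts from one stream. Prints mismatches; returns 1 if any.
check_against_cluster() {
  printf '%s\n---CLUSTER---\n%s\n' "$1" "$2" | awk '
    BEGIN { mode = "inv"; bad = 0 }
    $0 == "---CLUSTER---" { mode = "cluster"; next }
    mode == "inv" {
      if ($0 ~ /^\[/) { grp = $1; next }
      if (grp != "[nodes]" || NF == 0) next
      hn = ""; ip = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^openshift_hostname=/) hn = substr($i, 20)   # strip "openshift_hostname="
        if ($i ~ /^openshift_ip=/) ip = substr($i, 14)         # strip "openshift_ip="
      }
      if (hn != "") invip[hn] = ip
      next
    }
    mode == "cluster" && NF == 2 {
      if (!($1 in invip)) { print "cluster node " $1 " is not in inventory [nodes]"; bad = 1 }
      else if (invip[$1] != $2) { print "openshift_ip for " $1 ": inventory " invip[$1] ", cluster " $2; bad = 1 }
    }
    END { exit bad }'
}

# Assemble the command from comment 2. $1 = inventory path, $2 = "true" to
# also replace the OpenShift CA (which makes the playbook evacuate every node).
build_redeploy_cmd() {
  cmd="ansible-playbook -i $1 playbooks/byo/openshift-cluster/redeploy-certificates.yml"
  if [ "$2" = "true" ]; then
    cmd="$cmd --extra-vars \"openshift_certificates_redeploy_ca=true\""
  fi
  printf '%s\n' "$cmd"
}

# Stand-alone run over the constructed data: the node2 mismatch blocks the run.
if check_required_vars "$INVENTORY_SAMPLE" && check_against_cluster "$INVENTORY_SAMPLE" "$CLUSTER_STATE"; then
  build_redeploy_cmd hosts false
else
  echo "inventory does not describe the running cluster; fix it before redeploying certificates" >&2
fi
```

Run as-is it refuses because node2's openshift_ip disagrees with the cluster; correct the inventory and it prints the playbook command instead. Pass `true` as the second argument of build_redeploy_cmd only when the CA really has to be replaced, since that path evacuates nodes serially.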
Comment 3 Ashley Hardin 2016-09-14 18:29:02 UTC
Work in progress: https://github.com/openshift/openshift-docs/pull/2843

Comment 4 Gaoyun Pei 2016-09-18 09:15:30 UTC
https://github.com/openshift/openshift-docs/pull/2843 looks good to me, move this bug to verified, thanks!

Comment 5 openshift-github-bot 2016-09-19 11:22:02 UTC
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/27f6d9903b87364cd017b5dc887402fb371956c5
Bug 1373032, added a new Redeploying Certificates topic

https://github.com/openshift/openshift-docs/commit/b371c2f4adaffe35e64a0cdf8e0233485e2c377c
Merge pull request #2843 from ahardin-rh/redeploying-certs

Bug 1373032, added a new Redeploying Certificates topic