Bug 1397996

Summary: [DOCS] Custom Certificate Configuration Locations Not Precise
Product: OpenShift Container Platform Reporter: Steven Walter <stwalter>
Component: Documentation Assignee: Brandi Munilla <bmcelvee>
Status: CLOSED CURRENTRELEASE QA Contact: Steven Walter <stwalter>
Severity: unspecified Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified    
Version: 3.3.0 CC: aos-bugs, erich, jokerman, mmccomas
Last Closed: 2017-02-01 16:00:59 UTC Type: Bug

Description Steven Walter 2016-11-23 19:00:10 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.3/install_config/certificate_customization.html


Section Number and Name: 
Configuring Custom Certificates


Describe the issue: 
This sentence is not precise:

"The namedCertificates section may be listed in the servingInfo and assetConfig.servingInfo sections of the master configuration file or in the servingInfo section of the node configuration file."


Does this mean 

(servingInfo[master] AND assetConfig.servingInfo[master]) OR servingInfo[node]

or does it mean

servingInfo[master] OR assetConfig.servingInfo[master] OR servingInfo[node]

or does it mean

(servingInfo[master] OR assetConfig.servingInfo[master]) XOR servingInfo[node]

or does it mean

(servingInfo[master] AND assetConfig.servingInfo[master]) XOR servingInfo[node]


I can't tell if the 'and' in 'servingInfo and assetConfig.servingInfo' is meant to be a list of options, or a logical && statement, because it says "may be listed" not "should be listed". In other words, it's not clear whether it's necessary or even OK to list it in multiple places. Similarly, I am not sure if the 'or' in 'or in the servingInfo section of the node configuration file' is meant to be an inclusive 'or', an exclusive 'xor', or if it should possibly even be an 'and'. Furthermore, if it's an xor or an inclusive or, when would you decide to put it in one section(s) versus another section(s)? If it actually does not matter--that is to say, if the information can be placed in any combination of the three locations, to the exact same effect, we should be clear on that.

Suggestions for improvement: 
Use language that guarantees logical certainty. If this requires having multiple examples and explaining what they mean that's fine; if it just means using specific language that is also fine.

Comment 1 Steven Walter 2016-12-13 15:51:08 UTC
I will work up a PR later today if I get the time. In the meantime I have the answer:

You would place the custom cert configuration in assetConfig.servingInfo to have the custom certificate serve up for the web console. You would place the custom cert configuration in servingInfo to have the custom certificate serve up for the CLI and any other API calls from external (such as custom tooling, but the oc tools are the main focus here).

You can place the configuration in both sections to have the custom certs served up for both forms of communication; otherwise you will still be using the self-signed OpenShift certs for one or the other.
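
The placement described in comment 1, as an added example that is not part of the bug report or the OpenShift documentation: a master configuration fragment with namedCertificates in both sections. The certificate file names and the hostname are constructed placeholders, and unrelated keys are omitted.

```yaml
# master-config.yaml (fragment; unrelated keys omitted)
# custom.crt, custom.key and master.example.com are constructed placeholders.

assetConfig:
  servingInfo:
    # Per comment 1: this entry makes the web console present the
    # custom certificate.
    namedCertificates:
    - certFile: custom.crt
      keyFile: custom.key
      names:
      - "master.example.com"

servingInfo:
  # Per comment 1: this entry makes the API endpoint (oc CLI and other
  # external API calls) present the custom certificate.
  namedCertificates:
  - certFile: custom.crt
    keyFile: custom.key
    names:
    - "master.example.com"
```

Removing either entry leaves that endpoint on the self-signed OpenShift certificate, as comment 1 notes.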

Comment 2 Brandi Munilla 2016-12-13 18:49:53 UTC
Hi Steven, 

Thank you for your comment. I'm happy to update this section accordingly. 

Thanks again,
Brandi

Comment 3 Brandi Munilla 2016-12-19 20:19:32 UTC
Hi Steven, 

Please review pull request 3416 [1] for content. 

https://github.com/openshift/openshift-docs/pull/3416

Thanks!
Brandi

Comment 4 Steven Walter 2016-12-19 20:38:42 UTC
I *think* the difference is not in whether it's placed in master vs node, but which section it's in. The PR has it listed that you put it in both places in the master config for the web console, and both places in the node config for the CLI; but my understanding is that it should be:

assetConfig.servingInfo --> web console
servingInfo --> CLI / other API calls

I actually don't know why you would put the named certificates in the node config file.

Comment 5 Brandi Munilla 2017-01-20 21:20:10 UTC
Thank you for the clarification, Steven. I updated the PR: https://github.com/openshift/openshift-docs/pull/3416/files. Please take a look when you get a chance.

Thanks again!

Comment 6 Steven Walter 2017-01-20 21:24:58 UTC
(In reply to Brandi from comment #5)

LGTM!

Comment 7 Brandi Munilla 2017-01-23 20:45:15 UTC
Thanks, Steven!