Bug 1373032 - [DOCS] [3.3] Document the support for re-deploying certificates
Summary: [DOCS] [3.3] Document the support for re-deploying certificates
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Ashley Hardin
QA Contact: Gaoyun Pei
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-05 00:00 UTC by Vikram Goyal
Modified: 2017-03-08 18:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-27 20:37:35 UTC
Target Upstream Version:



Description Vikram Goyal 2016-09-05 00:00:31 UTC
Document:

* How to run the redeploy playbook and explain which certificates will be replaced.
* Variables that must be provided to use custom CA.

Eng Card: https://trello.com/c/NsT6f1HL/38-5-atomic-openshift-installer-support-for-redeploying-certificates

Comment 1 Ashley Hardin 2016-09-06 20:35:13 UTC
@abutcher, 
Can you please offer some guidance as to what variables, etc. I should document here? Thanks!

Comment 2 Andrew Butcher 2016-09-12 19:51:55 UTC
PR: https://github.com/openshift/openshift-ansible/pull/1142

WARNING: This playbook must be run with an inventory that is representative of the cluster, i.e. the inventory must specify/override all hostnames and IP addresses set via openshift_hostname, openshift_public_hostname, openshift_ip, openshift_public_ip, openshift_master_cluster_hostname, or openshift_master_cluster_public_hostname such that they match the current cluster configuration.

Running the certificate redeploy playbook will redeploy OpenShift certificates which exist on systems (master, node, etcd).

By default, the redeploy playbook will _not_ redeploy the OpenShift CA. New certificates will be created using the original OpenShift CA.

ansible-playbook -i <inventory> playbooks/byo/openshift-cluster/redeploy-certificates.yml

To redeploy all certificates including the OpenShift CA, specify "openshift_certificates_redeploy_ca=true". All pods using service accounts to communicate with the OpenShift API must be redeployed when the OpenShift CA is replaced so the certificate redeploy playbook will serially evacuate all nodes in the cluster when this variable is set.

ansible-playbook -i <inventory> playbooks/byo/openshift-cluster/redeploy-certificates.yml --extra-vars "openshift_certificates_redeploy_ca=true"

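The warning in Comment 2 is the part of this procedure that bites in practice: if the inventory names a hostname or IP that differs from what the cluster actually uses, the redeployed certificates are minted for the wrong subjects and SANs, and masters and nodes stop trusting each other. The following pre-flight check is an added example written for this page; it is not code from the bug thread, from openshift-ansible, or from the OpenShift docs PR. It parses an Ansible INI inventory with a small stdlib-only parser, resolves host and group variables the way Ansible does (host vars override group vars, [group:children] links followed), and compares the six variables named in the warning against values "observed" on the cluster. How those observed values are gathered (for example from master-config.yaml and node-config.yaml on each host) is left to the operator; the inventory text and the observed values below are constructed for the demonstration, as are all hostnames and addresses in them.

```python
"""Pre-flight consistency check before running
playbooks/byo/openshift-cluster/redeploy-certificates.yml.

Added example, not openshift-ansible code. The inventory and the
"observed" cluster values are constructed for the demo.
"""
import re

# Per-host variables the redeploy playbook uses for certificate subjects/SANs.
HOST_VARS = ("openshift_hostname", "openshift_public_hostname",
             "openshift_ip", "openshift_public_ip")
# Cluster-wide variables that end up in the master certificates.
CLUSTER_VARS = ("openshift_master_cluster_hostname",
                "openshift_master_cluster_public_hostname")

SECTION_RE = re.compile(r"^\[([^\]:]+)(?::(vars|children))?\]$")


def parse_inventory(text):
    """Minimal Ansible INI inventory parser.

    Returns (members, children, hostvars, groupvars):
      members   group -> [hosts listed directly under it]
      children  group -> [child groups from a [group:children] section]
      hostvars  host  -> {var: value} from key=value tokens on host lines
      groupvars group -> {var: value} from a [group:vars] section
    """
    members, children, hostvars, groupvars = {}, {}, {}, {}
    section, kind = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, kind = m.group(1), m.group(2)
            members.setdefault(section, [])
            continue
        tokens = line.split()
        if kind == "vars":
            key, _, value = tokens[0].partition("=")
            groupvars.setdefault(section, {})[key] = value
        elif kind == "children":
            children.setdefault(section, []).append(tokens[0])
        else:
            host = tokens[0]
            members[section].append(host)
            hv = hostvars.setdefault(host, {})
            for tok in tokens[1:]:
                key, _, value = tok.partition("=")
                hv[key] = value
    return members, children, hostvars, groupvars


def groups_of(host, members, children):
    """All groups containing host, following [group:children] links upward."""
    found = {g for g, hosts in members.items() if host in hosts}
    changed = True
    while changed:
        changed = False
        for parent, kids in children.items():
            if parent not in found and found.intersection(kids):
                found.add(parent)
                changed = True
    return found


def effective_vars(host, parsed):
    """Variables as Ansible would see them: host vars override group vars."""
    members, children, hostvars, groupvars = parsed
    merged = {}
    for group in groups_of(host, members, children):
        merged.update(groupvars.get(group, {}))
    merged.update(hostvars.get(host, {}))
    return merged


def check_inventory(inventory_text, observed_hosts, observed_cluster):
    """Compare the inventory against what the cluster currently uses.

    observed_hosts:   host -> {var: value} as gathered from each machine
    observed_cluster: {var: value} for the cluster-wide master hostnames
    Returns a list of mismatch descriptions; empty means safe to proceed.
    """
    parsed = parse_inventory(inventory_text)
    members, _, hostvars, _ = parsed
    problems = []
    for host, actual in observed_hosts.items():
        if host not in hostvars:
            problems.append(f"{host}: present in cluster but missing from inventory")
            continue
        ev = effective_vars(host, parsed)
        for var in HOST_VARS:
            if var in actual and ev.get(var) != actual[var]:
                problems.append(f"{host}: {var} inventory={ev.get(var)!r} "
                                f"cluster={actual[var]!r}")
    masters = members.get("masters", [])
    if not masters:
        problems.append("no [masters] group in inventory")
    else:
        ev = effective_vars(masters[0], parsed)  # cluster vars are seen from a master
        for var in CLUSTER_VARS:
            if var in observed_cluster and ev.get(var) != observed_cluster[var]:
                problems.append(f"{var}: inventory={ev.get(var)!r} "
                                f"cluster={observed_cluster[var]!r}")
    return problems


# Constructed sample inventory (hostnames and addresses are made up).
SAMPLE_INVENTORY = """\
[OSEv3:children]
masters
nodes
etcd

[OSEv3:vars]
ansible_ssh_user=root
openshift_master_cluster_hostname=master.internal.example.com
openshift_master_cluster_public_hostname=console.example.com

[masters]
master1.example.com openshift_hostname=master1.example.com openshift_ip=10.0.0.11 openshift_public_hostname=master1.example.com openshift_public_ip=203.0.113.11

[etcd]
master1.example.com

[nodes]
master1.example.com openshift_hostname=master1.example.com openshift_ip=10.0.0.11
node1.example.com openshift_hostname=node1.example.com openshift_ip=10.0.0.21
"""

# Constructed "observed" values, as if read back from the running hosts.
# node1 has drifted to a new IP and node2 was added without updating the inventory.
OBSERVED_HOSTS = {
    "master1.example.com": {"openshift_hostname": "master1.example.com",
                            "openshift_ip": "10.0.0.11",
                            "openshift_public_hostname": "master1.example.com",
                            "openshift_public_ip": "203.0.113.11"},
    "node1.example.com": {"openshift_hostname": "node1.example.com",
                          "openshift_ip": "10.0.0.22"},
    "node2.example.com": {"openshift_hostname": "node2.example.com",
                          "openshift_ip": "10.0.0.23"},
}
OBSERVED_CLUSTER = {
    "openshift_master_cluster_hostname": "master.internal.example.com",
    "openshift_master_cluster_public_hostname": "console.example.com",
}

if __name__ == "__main__":
    for problem in check_inventory(SAMPLE_INVENTORY, OBSERVED_HOSTS, OBSERVED_CLUSTER):
        print("MISMATCH:", problem)
```

Run it against the real inventory and real observed values before either invocation of redeploy-certificates.yml; only proceed when it reports nothing. The check is deliberately strict about hosts that exist in the cluster but not in the inventory, because the playbook will simply skip them and leave them with old certificates.
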
Comment 3 Ashley Hardin 2016-09-14 18:29:02 UTC
Work in progress: https://github.com/openshift/openshift-docs/pull/2843

Comment 4 Gaoyun Pei 2016-09-18 09:15:30 UTC
https://github.com/openshift/openshift-docs/pull/2843 looks good to me, move this bug to verified, thanks!

Comment 5 openshift-github-bot 2016-09-19 11:22:02 UTC
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/27f6d9903b87364cd017b5dc887402fb371956c5
Bug 1373032, added a new Redeploying Certificates topic

https://github.com/openshift/openshift-docs/commit/b371c2f4adaffe35e64a0cdf8e0233485e2c377c
Merge pull request #2843 from ahardin-rh/redeploying-certs

Bug 1373032, added a new Redeploying Certificates topic

