Document URL: https://docs.openshift.com/container-platform/3.3/install_config/certificate_customization.html

Section Number and Name: Configuring Custom Certificates

Describe the issue: This sentence is not precise:

"The namedCertificates section may be listed in the servingInfo and assetConfig.servingInfo sections of the master configuration file or in the servingInfo section of the node configuration file."

Does this mean
(servingInfo[master] AND assetConfig.servingInfo[master]) OR servingInfo[node]
or does it mean
servingInfo[master] OR assetConfig.servingInfo[master] OR servingInfo[node]
or does it mean
(servingInfo[master] OR assetConfig.servingInfo[master]) XOR servingInfo[node]
or does it mean
(servingInfo[master] AND assetConfig.servingInfo[master]) XOR servingInfo[node]

I can't tell if the 'and' in 'servingInfo and assetConfig.servingInfo' is meant to be a list of options, or a logical && statement, because it says "may be listed" not "should be listed". In other words, it's not clear whether it's necessary or even ok to list it in multiple places. Similarly, I am not sure if the 'or' in 'or in the servingInfo section of the node configuration file' is meant to be an inclusive 'or', an exclusive 'xor', or if it should possibly even be an 'and'. Furthermore, if it's an xor or an inclusive or, when would you decide to put it in one section(s) versus another section(s)? If it actually does not matter--that is to say, if the information can be placed in any combination of the three locations, to the exact same effect, we should be clear on that.

Suggestions for improvement: Use language that guarantees logical certainty. If this requires having multiple examples and explaining what they mean that's fine; if it just means using specific language that is also fine.
I will work up a PR later today if I get the time. In the meantime I have the answer: You would place the custom cert configuration in assetConfig.servingInfo to have the custom certificate serve up for the web console. You would place the custom cert configuration in servingInfo to have the custom certificate serve up for the CLI and any other api calls from external (such as custom tooling, but the oc tools are the main focus here). You can place the configuration in both sections to have the custom certs served up for both forms of communication; otherwise you will still be using the self-signed OpenShift certs for one or the other.
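The placement described in the comment above, shown as an added example that is not taken from the bug report or from the OpenShift documentation. It is a fragment of a master configuration file; the hostname and the certificate and key file names are constructed placeholders.

```yaml
# master-config.yaml (fragment). Hostname and file names below are
# constructed placeholders; substitute your own.

assetConfig:
  servingInfo:
    # Default serving certificate for this endpoint.
    certFile: master.server.crt
    keyFile: master.server.key
    # Custom certificate presented by the web console.
    namedCertificates:
    - certFile: custom-console.crt
      keyFile: custom-console.key
      names:
      - "master.example.com"   # hostname the certificate is served for

servingInfo:
  # Default serving certificate for this endpoint.
  certFile: master.server.crt
  keyFile: master.server.key
  # Custom certificate presented to the CLI (oc) and other external API calls.
  namedCertificates:
  - certFile: custom-api.crt
    keyFile: custom-api.key
    names:
    - "master.example.com"

# If namedCertificates appears in only one of the two sections, the other
# endpoint keeps serving the self-signed OpenShift certificate.
```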
Hi Steven, Thank you for your comment. I'm happy to update this section accordingly. Thanks again, Brandi
Hi Steven, Please review pull request 3416 [1] for content. https://github.com/openshift/openshift-docs/pull/3416 Thanks! Brandi
I *think* the difference is not in whether it's placed in master vs node, but which section it's in. The PR has it listed that you put it in both places in the master config for the web console, and both places in the node config for the CLI; but my understanding is that it should be:

assetConfig.servingInfo --> web console
servingInfo --> CLI / other api calls

I actually don't know why you would put the named certificates in the node config file
Thank you for the clarification, Steven. I updated the PR: https://github.com/openshift/openshift-docs/pull/3416/files. Please take a look when you get a chance. Thanks again!
(In reply to Brandi from comment #5) LGTM!
Thanks, Steven!
Configuring Custom Certificates on the Customer Portal: https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/installation-and-configuration/#configuring-custom-certificates