Bug 1397996 - [DOCS] Custom Certificate Configuration Locations Not Precise
Summary: [DOCS] Custom Certificate Configuration Locations Not Precise
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Brandi Munilla
QA Contact: Steven Walter
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-23 19:00 UTC by Steven Walter
Modified: 2021-03-11 14:49 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-01 16:00:59 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Steven Walter 2016-11-23 19:00:10 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.3/install_config/certificate_customization.html


Section Number and Name: 
Configuring Custom Certificates


Describe the issue: 
This sentence is not precise:

""The namedCertificates section may be listed in the servingInfo and assetConfig.servingInfo sections of the master configuration file or in the servingInfo section of the node configuration file.""


Does this mean 

(servingInfo[master] AND assetConfig.servingInfo[master]) OR servingInfo[node]

or does it mean

servingInfo[master] OR assetConfig.servingInfo[master] OR servingInfo[node]

or does it mean

(servingInfo[master] OR assetConfig.servingInfo[master]) XOR servingInfo[node]

or does it mean

(servingInfo[master] AND assetConfig.servingInfo[master]) XOR servingInfo[node]


I can't tell if the 'and' in 'servingInfo and assetConfig.servingInfo' is meant to be a list of options, or a logical && statement, because it says "may be listed" not "should be listed". In other words its not clear whether its necessary or even ok to list it in multiple places. Similarly, I am not sure if the 'or' in 'or in the servingInfo section of the node configuration file' is meant to be an inclusive 'or', an exclusive 'xor', or if it should possibly even be an 'and'. Furthermore, if it's an xor or an inclusive or, when would you decide to put it in one section(s) versus another section(s)? If it actually does not matter--that is to say, if the information can be placed in any combination of the three locations, to the exact same effect, we should be clear on that.

Suggestions for improvement: 
Use language that guarantees logical certainty. If this requires having multiple examples and explaining what they mean that's fine; if it just means using specific language that is also fine.

Comment 1 Steven Walter 2016-12-13 15:51:08 UTC
I will work up a PR later today if I get the time. In the meantime I have the answer:

You would place the custom cert configuration in assetConfig.servingInfo to have the custom certificate serve up for the web console. You would place the custom cert configuration in servingInfo to have the custom certificate serve up for the CLI and any other api calls from external (such as custom tooling, but the oc tools are the main focus here).

You can place the configuration in both sections to have the custom certs served up for both forms of communication; otherwise you will still be using the self-signed OpenShift certs for one or the other.

Comment 2 Brandi Munilla 2016-12-13 18:49:53 UTC
Hi Steven, 

Thank you for your comment. I'm happy to update this section accordingly. 

Thanks again,
Brandi

Comment 3 Brandi Munilla 2016-12-19 20:19:32 UTC
Hi Steven, 

Please review pull request 3416 [1] for content. 

https://github.com/openshift/openshift-docs/pull/3416

Thanks!
Brandi

Comment 4 Steven Walter 2016-12-19 20:38:42 UTC
I *think* the difference is not in whether it's placed in master vs node, but which section it's in. The pr has it listed that you put it in both places in the master config for the web console, and both places in the node config for the cli; but my understanding is that it should be:

assetConfig.servingIngo --> web console
servingInfo --> CLI / other api calls

I actually dont know why you would put the named certificates in the node config file

Comment 5 Brandi Munilla 2017-01-20 21:20:10 UTC
Thank you for the clarification, Steven. I updated the the PR: https://github.com/openshift/openshift-docs/pull/3416/files. Please take a look when you get a chance.

Thanks again!

Comment 6 Steven Walter 2017-01-20 21:24:58 UTC
(In reply to Brandi from comment #5)

LGTM!

Comment 7 Brandi Munilla 2017-01-23 20:45:15 UTC
Thanks, Steven!


Note You need to log in before you can comment on or make changes to this bug.