Bug 1469704 - [DOCS] No steps on how to add or overwrite router default certificate after deployed [NEEDINFO]
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Priority: high
Severity: medium
Assigned To: Michael Burke
Vikram Goyal
Reported: 2017-07-11 12:31 EDT by Ryan Howe
Modified: 2017-08-14 14:13 EDT

Last Closed: 2017-08-14 14:13:45 EDT
Type: Bug
mburke: needinfo? (rhowe)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2650171 None None None 2017-07-11 12:35 EDT

Description Ryan Howe 2017-07-11 12:31:21 EDT
Document URL: 


Section Number and Name: 

Describe the issue: 

  Steps are missing on how to manually redeploy the router certs.

Suggestions for improvement: 
The steps involved can be found here in this KCS:


I have also typed them out again here: 

1. Check to see if a secret containing the router default certs is already added to the router. 

   # oc volumes dc/router
   secret/router-certs as server-certificate
     mounted at /etc/pki/tls/private

   - If this is already configured, skip to step 3 and just overwrite the secret.

2. Ensure that you have a default cert directory set for the following variable: DEFAULT_CERTIFICATE_DIR

   # oc env dc/router --list


2a. If not set, set the variable to the following.

   # oc env dc/router DEFAULT_CERTIFICATE_DIR=/etc/pki/tls/private

3. Overwrite or create a router certs secret. 

   # cat custom-router.crt custom-ca.crt > custom-router.pem 

   A- Overwrite
   # oc secrets new router-certs tls.crt=custom-router.pem tls.key=router.key \
       -o json --type='kubernetes.io/tls' --confirm | \
     oc replace -f -

   B- Create New
   # oc secrets new router-certs tls.crt=custom-router.pem tls.key=router.key \
       --type='kubernetes.io/tls' --confirm
   # oc volume dc/router --add --mount-path=/etc/pki/tls/private --secret-name='router-certs' --name router-certs

4. Deploy latest router. 

    # oc deploy router --latest
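
Added example (not part of the original report or of the OpenShift documentation): a pre-flight check to run on the files from step 3 before the secret is overwritten, so that a malformed bundle or a key that does not match the certificate is caught before the router is redeployed. The function names are hypothetical, and it assumes awk and openssl are installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM bundle and key used in step 3.
# Function names are made up for this sketch; only standard awk/openssl calls are used.

# Print the number of certificates in a bundle built with `cat`; fail if it is malformed.
# Catches the case where a file without a trailing newline fuses two marker lines,
# and private key material that ended up in the certificate bundle.
bundle_cert_count() {
  awk '
    { sub(/\r$/, "") }
    /-----(BEGIN|END) / && !/^-----(BEGIN|END) [A-Z0-9 ]+-----$/ { bad = 1 }
    /PRIVATE KEY-----/               { bad = 1 }
    /^-----BEGIN CERTIFICATE-----$/  { if (inside) bad = 1; inside = 1 }
    /^-----END CERTIFICATE-----$/    { if (!inside) bad = 1; inside = 0; n++ }
    END { if (bad || inside || n == 0) exit 1; print n }
  ' "$1"
}

# Succeed only if the key's public half equals the public key of the first
# (leaf) certificate in the bundle. Works for RSA and EC keys.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# usage: preflight BUNDLE KEY [MIN_DAYS]   (MIN_DAYS defaults to 30)
preflight() {
  days=${3:-30}
  count=$(bundle_cert_count "$1") || {
    echo "FAIL: $1 is not a clean PEM certificate bundle" >&2; return 1; }
  key_matches_cert "$1" "$2" || {
    echo "FAIL: $2 does not match the first certificate in $1" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null || {
    echo "FAIL: leaf certificate expires within $days days" >&2; return 1; }
  echo "OK: $count certificate(s), key matches leaf, valid for at least $days days"
}

# Run as: sh preflight.sh custom-router.pem <key-file> [min-days]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```
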
Comment 1 Michael Burke 2017-07-17 16:56:24 EDT
@ryan Can you look at the PR and see if I added the steps properly at: 
Comment 2 zhaozhanqi 2017-07-24 22:20:07 EDT
Hi, added the comment in the PR.
Comment 3 Michael Burke 2017-07-25 13:40:11 EDT
@Zhao -- I made the changes you suggested in the PR. Also, updated based on Ryan's comment in the PR that `oc deploy router --latest` is deprecated in 3.5 and changed to `oc rollout latest router`.
Comment 4 zhaozhanqi 2017-07-27 21:01:03 EDT
Verified this bug according to the above PR 4801.
Comment 5 Michael Burke 2017-07-28 00:04:08 EDT
Ryan, this defect is marked 3.5. Can the changes roll back to 3.4 and 3.3 also?
Comment 6 openshift-github-bot 2017-07-31 10:45:29 EDT
Commit pushed to master at https://github.com/openshift/openshift-docs

Merge pull request #4801 from mburke5678/mburke-BZ-1469704

BUG 1469704 Add Steps to Manually Redeploy Certs
Comment 7 openshift-github-bot 2017-07-31 10:55:53 EDT
Commit pushed to master at https://github.com/openshift/openshift-docs

Merge pull request #4877 from mburke5678/mburke-BZ-1469704-2

BUG 1469704 changed router deploy command for 3.4 and 3.3
Comment 8 Michael Burke 2017-07-31 11:02:20 EDT
Merged changes into 3.3 and 3.4 in PR:

Merged changes into 3.5 in PR:
