Bug 1529522

Document URL: 
- https://docs.openshift.com/container-platform/3.5/admin_guide/backup_restore.html#cluster-backup
- https://docs.openshift.com/container-platform/3.6/admin_guide/backup_restore.html#etcd-backup
- https://docs.openshift.com/container-platform/3.7/admin_guide/backup_restore.html#etcd-backup

Section Number and Name: 
1) Cluster Backup -> Etcd Backup
2) Adding New etcd Hosts -> Generate the required certificates for the new host. On a surviving etcd host:
    Make a backup of the /etc/etcd/ca/ directory.


Describe the issue: 
ad1) 
I think we should mention here as well to back up /etc/etcd/ca/ on the first master (as this is the only one having the ca), on other masters this is empty. Without the CA it is neither possible to add new nodes nor to recover a master. Especially as CA is only on the first master it is important to have a backup of the CA. Although the CA and certs can be regenerated that causes as (short) outage which is bad for heavily used clusters and could be avoided if a backup of CA is available.

ad2)
add that this needs to be done on the (first) master as only this one is holding the CA needed to (re)generate certs for reinstalled or new masters. On other masters this dir is empty and therefor not of much use

Suggestions for improvement: 
ad1) 
as outlined, mention that the CA folder (/etc/etcd/ca/) need to be backed up as well on the master where certs have been generated by installer so we avoid customer just blindly  running backup just to find they do not hold info, especially as we state that running the procedure on one master is sufficient

ad2) 
mention that this backup needs to be run on the master that has actually the CA in the dir 

Additional information: 
- Overall, if I recall correctly, redeploy plabook places CA then on all nodes, and I think this is te right way and will open a bz against installer to do that during install as well