Description of problem: As per https://docs.openshift.com/container-platform/3.10/install_config/redeploying_certificates.html#redeploying-node-certificates, the redeploy certificate playbook for node seems to be missing.

# ls /usr/share/ansible/openshift-ansible/playbooks/openshift-node/redeploy-certificates.yml
ls: cannot access /usr/share/ansible/openshift-ansible/playbooks/openshift-node/redeploy-certificates.yml: No such file or directory

I don't see this playbook in the 3.11 repository either.

Version-Release number of the following components: openshift-ansible-3.10.47-1.git.0.95bc2d2.el7_5.noarch
In 3.10 and 3.11 nodes will automatically generate new certificate signing requests starting at 80% of their certificates' lifespan. Once the CSRs are created, they can be approved via the API. This part of the product is owned by the Auth team, so I'm moving this there so they can coordinate with the docs team to amend our certificate management documentation to account for this.
Moving to docs for prioritization.
@erica not sure if this is for docs or installer/configuration. Redeploying node certificates is a common task and without such a playbook all the tasks are manual:
- stopping services
- delete node.kubeconfig/certificates
- starting services
- signing csr
Docs bug filed: https://bugzilla.redhat.com/show_bug.cgi?id=1652649

To redeploy client and server certs run the following:

# rm -f /etc/origin/node/certificate
# systemctl restart atomic-openshift-node

Approve the requests:

# oc get csr -o name | xargs oc adm certificate approve

Bootstrap.kubeconfig does not get updated via playbooks or the above steps.
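An added example, not part of this bug thread and not code from openshift-ansible or openshift-docs: the approve step above hands every CSR in the cluster to `oc adm certificate approve`, including requests that did not come from a node. The script below reads the JSON that `oc get csr -o json` prints and emits only the names of pending requests whose requester and key usages look like a kubelet client or serving certificate, so the pipeline becomes `oc get csr -o json | python3 csr_filter.py | xargs -r oc adm certificate approve`. It also computes the point at which a node starts requesting a new certificate, the 80% of lifespan mentioned earlier in the thread. The requester identities (bootstrapper service account, `system:node:` prefix), the usage sets, and the sample CSR list are assumptions constructed for this example.

```python
"""Filter pending node CSRs before approval and compute a node's renewal point.

Input shape: the List printed by `oc get csr -o json` (CertificateSigningRequest
objects). Output: one CSR name per line, only for requests that are still
pending and that match what a kubelet would send. Requester identities and the
sample data below are assumptions for this example, not taken from the thread.
"""
import json
import sys
from datetime import datetime, timezone

# Assumed requesters of node CSRs: the bootstrap identity that asks for the
# kubelet client cert, and the node's own identity that asks for its serving cert.
BOOTSTRAP_USERS = {"system:serviceaccount:openshift-infra:node-bootstrapper"}
NODE_USER_PREFIX = "system:node:"

# Key usages a kubelet client or serving CSR asks for; anything else is not a
# node certificate and must not be approved blindly.
CLIENT_USAGES = {"digital signature", "key encipherment", "client auth"}
SERVER_USAGES = {"digital signature", "key encipherment", "server auth"}


def is_pending(csr):
    """True if the CSR carries no Approved or Denied condition yet."""
    conditions = csr.get("status", {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conditions)


def is_node_csr(csr):
    """True if requester and usages match a kubelet client or serving request."""
    spec = csr.get("spec", {})
    user = spec.get("username", "")
    usages = set(spec.get("usages") or [])
    if user in BOOTSTRAP_USERS:
        return usages == CLIENT_USAGES
    if user.startswith(NODE_USER_PREFIX):
        return usages in (CLIENT_USAGES, SERVER_USAGES)
    return False


def approvable_names(csr_list):
    """Names of CSRs that are pending and look like node requests.
    Everything else is left for a human to inspect rather than approved."""
    return [
        c["metadata"]["name"]
        for c in csr_list.get("items", [])
        if is_pending(c) and is_node_csr(c)
    ]


def renewal_point(not_before, not_after, fraction=0.8):
    """Time at which a node starts requesting a new certificate: `fraction`
    of the way through the validity window. Times are 'YYYY-MM-DDTHH:MM:SSZ'."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = datetime.strptime(not_before, fmt).replace(tzinfo=timezone.utc)
    end = datetime.strptime(not_after, fmt).replace(tzinfo=timezone.utc)
    return (start + (end - start) * fraction).strftime(fmt)


# Constructed sample in the shape of `oc get csr -o json`, used when no JSON
# is piped in: two legitimate pending node requests, one already approved,
# and one from an unrelated user that a blind approve would also have signed.
SAMPLE_CSR_LIST = {
    "kind": "List",
    "items": [
        {"metadata": {"name": "node-csr-aaa"},
         "spec": {"username": "system:serviceaccount:openshift-infra:node-bootstrapper",
                  "usages": ["digital signature", "key encipherment", "client auth"]},
         "status": {}},
        {"metadata": {"name": "csr-bbb"},
         "spec": {"username": "system:node:node1.example.com",
                  "usages": ["digital signature", "key encipherment", "server auth"]},
         "status": {}},
        {"metadata": {"name": "csr-ccc"},
         "spec": {"username": "system:node:node1.example.com",
                  "usages": ["digital signature", "key encipherment", "server auth"]},
         "status": {"conditions": [{"type": "Approved"}]}},
        {"metadata": {"name": "csr-ddd"},
         "spec": {"username": "alice", "usages": ["client auth"]},
         "status": {}},
    ],
}

if __name__ == "__main__":
    data = SAMPLE_CSR_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for name in approvable_names(data):
        print(name)
```

Run without piped input it prints `node-csr-aaa` and `csr-bbb` from the sample and leaves `csr-ddd` untouched; in a real pipeline the `-r` on `xargs` keeps `oc adm certificate approve` from running at all when nothing qualifies.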
*** Bug 1652649 has been marked as a duplicate of this bug. ***
For steps to manually create the node certificates 3.10+ see KCS: https://access.redhat.com/solutions/3782361
OCP 3.6-3.10 is no longer on full support [1]. Marking un-triaged bugs CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Version to the appropriate version where reproduced. [1]: https://access.redhat.com/support/policy/updates/openshift
I can understand that the product is out of full support but are we still sending wrong instructions in the documentation?

This bugzilla is about mentioning a non-existing playbook in the documentation. If you read the description you will see that the documentation says

> The openshift-node/redeploy-certificates.yml playbook only redeploys node certificates. This also include serial restarts of node services.
>
> To redeploy node certificates, run this playbook, specifying your inventory file:
>
> $ ansible-playbook -i <inventory_file> \
>     /usr/share/ansible/openshift-ansible/playbooks/openshift-node/redeploy-certificates.yml

while in 3.10 that playbook is gone and redeploying certificates for nodes is done by bootstrapping the node again.

I'd ask you to reconsider if this bugzilla should be closed or not (IMHO it should be fixed). If not, please add a disclaimer on every single page saying that the documentation is outdated, not actively maintained and that it can contain wrong instructions so customers can be aware of that.
(In reply to Sergio G. from comment #11)
> I can understand that the product is out of full support but are we still
> sending wrong instructions in the documentation?
>
> This bugzilla is about mentioning a non-existing playbook in the
> documentation. If you read the description you will see that the
> documentation says
>
> > The openshift-node/redeploy-certificates.yml playbook only redeploys node certificates. This also include serial restarts of node services.
> >
> > To redeploy node certificates, run this playbook, specifying your inventory file:
> >
> > $ ansible-playbook -i <inventory_file> \
> >     /usr/share/ansible/openshift-ansible/playbooks/openshift-node/redeploy-certificates.yml
>
> while in 3.10 that playbook is gone and redeploying certificates for nodes
> is done by bootstrapping the node again.
>
> I'd ask you to reconsider if this bugzilla should be closed or not (IMHO it
> should be fixed). If not, please add a disclaimer on every single page
> saying that the documentation is outdated, not actively maintained and that
> it can contain wrong instructions so customers can be aware of that.

Hi Sergio,

That is indeed the plan. After Thanksgiving, we will be archiving these docs.
Submitted PR: https://github.com/openshift/openshift-docs/pull/18520 @Ryan Howe - can you please review based on our discussion earlier today? Thanks!
LGTM, thanks.
Thanks @Gaoyun Pei! PRs have been merged.
Changes are live:
* https://docs.openshift.com/container-platform/3.10/install_config/redeploying_certificates.html#redeploying-node-certificates
* https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html#redeploying-node-certificates
*** Bug 1656250 has been marked as a duplicate of this bug. ***
*** Bug 1683797 has been marked as a duplicate of this bug. ***
*** Bug 1775314 has been marked as a duplicate of this bug. ***
*** Bug 1694451 has been marked as a duplicate of this bug. ***