Bug 1658003 - Document Redeploy of EFK certificates
Summary: Document Redeploy of EFK certificates
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 3.11.z
Assignee: Michael Burke
QA Contact: Anping Li
Docs Contact: Vikram Goyal
Depends On:
Reported: 2018-12-11 01:47 UTC by sfu@redhat.com
Modified: 2019-01-02 16:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-01-02 16:12:27 UTC
Target Upstream Version:

Description sfu@redhat.com 2018-12-11 01:47:42 UTC
Description of problem:
Currently we have no playbook or a way to redeploy EFK certificates.

Expected results:
Provide a playbook to redeploy certs like other OCP components (master, etcd, registry...)

Comment 1 Jeff Cantrill 2018-12-11 04:01:02 UTC
Closing WONTFIX.  It is possible to rerun ansible which should redeploy with updated certificates.

Comment 2 sfu@redhat.com 2018-12-12 03:23:36 UTC
After rerunning the /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml Ansible script, the certs are not updated, such as /etc/elasticsearch/secret/admin-ca and admin-cert in the ES pod. The contents are the same after the rerun.

Comment 3 Jeff Cantrill 2018-12-12 04:32:13 UTC
Can you comment about how the certs should be regenerated?

Comment 4 ewolinet 2018-12-12 21:54:03 UTC
You will need to first remove the certificates that are stored on your `oo_first_master` node; they will be in the path {/location/of/your/base/ocp/install}/logging. The Ansible role will create new certificates if they do not exist here; it should then go through and recreate the secrets with these new certificates.
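
A cautious version of the step in Comment 4, as an added example that is not part of the bug report or of openshift-ansible: it moves the files aside instead of deleting them, then checks after the playbook rerun that none came back identical (the symptom in Comment 2). The function names, the backup naming, and the assumption that the role rewrites every file in that directory are assumptions of this example; the directory itself is passed in as an argument.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report. The directory argument is the
# "logging" directory on the first master named in Comment 4; its real
# location depends on the install and is supplied by the operator.

# Move the existing certificate files into a private, timestamped backup so
# the directory is empty when the playbook runs. Prints the backup path.
stash_certs() {
  local cert_dir="${1%/}" backup f
  [ -d "$cert_dir" ] || { echo "not a directory: $cert_dir" >&2; return 1; }
  backup="$cert_dir.bak.$(date +%Y%m%d%H%M%S)"
  mkdir -m 700 "$backup" || return 1          # the backup holds private keys
  for f in "$cert_dir"/* "$cert_dir"/.[!.]*; do
    [ -e "$f" ] || [ -L "$f" ] || continue    # skip unmatched glob patterns
    mv "$f" "$backup"/ || return 1
  done
  printf '%s\n' "$backup"
}

# After the playbook rerun, report every backed-up file that is missing from
# the live directory or byte-identical to its backup (that is, not
# regenerated). Prints nothing when every file was replaced.
unchanged_certs() {
  local backup="${1%/}" cert_dir="${2%/}" f rel
  find "$backup" -type f | sort | while IFS= read -r f; do
    rel=${f#"$backup"/}
    if [ ! -f "$cert_dir/$rel" ]; then
      echo "missing: $rel"
    elif cmp -s "$f" "$cert_dir/$rel"; then
      echo "unchanged: $rel"
    fi
  done
}

# Sequence on the first master (LOGGING_CERT_DIR and <inventory> are
# placeholders for values specific to your cluster):
#   backup=$(stash_certs "$LOGGING_CERT_DIR")
#   ansible-playbook -i <inventory> \
#     /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml
#   unchanged_certs "$backup" "$LOGGING_CERT_DIR"
```

Any `unchanged:` line means the old certificate or key is still in place; once the output is empty and the pods have picked up the recreated secrets, delete the backup directory, since it contains the old private keys.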

Comment 5 Jeff Cantrill 2018-12-13 16:47:04 UTC
Converting to a docs bug so we can identify it properly

Comment 6 Michael Burke 2018-12-13 20:19:58 UTC
@Xiaoli Please take a look.
