Document URL: https://docs.openshift.com/container-platform/4.1/authentication/certificates/api-server.html#add-default-api-server_api-server-certificates

Section Number and Name: Add an API server default certificate / Add an API server named certificate

Describe the issue: If you follow these and replace the API server default certificate, or set a named cert for the internal master API URL, you will break your cluster unless you add the CA that signed that cert to the cluster first. I believe to add the CA it would go here:

    # oc get -n kube-system cm root-ca --template='{{index .data "ca.crt"}}'

This however will trigger a rolling restart of the node and other objects.

Suggestions for improvement:
- Add a warning that if this is changed and the CA is not part of the trust, then your cluster will break.
- Steps to recover.
- Add steps on adding to your root trust before following these steps.
- Add a warning that updating the CA trust for the cluster will trigger restarts for all hosts.
- Add a warning that when adding an API server named certificate you should not set this for the internal OpenShift master API hostname.
  - How do you confirm what that "internal openshift master api hostname" is?
  - I think it's this, but this likely should not be overwritten with a cert. What are the steps needed to add a public URL and then add your named cert for the master API?

    $ cluster-info
    Kubernetes master is running at https://api.master.openshift.com:6443
This is being addressed by https://github.com/openshift/openshift-docs/pull/15642, where the instructions for defining a default certificate are removed, and a warning is added to the named certificate section.
This content has been merged and cherry-picked. Note that the functionality is being removed in the associated BZ https://bugzilla.redhat.com/show_bug.cgi?id=1720770. The section on adding a default certificate to the API server should be removed in an upcoming build of the documentation. Setting to RELEASE_PENDING.
Content is now visible in the published documentation at https://docs.openshift.com/container-platform/4.1/authentication/certificates/api-server.html. Closing this issue.