Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1719989

Summary: [DOCS] Changing API server default certificate will break cluster if steps are followed.
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: DocumentationAssignee: Christian Huffman <chuffman>
Status: CLOSED CURRENTRELEASE QA Contact: Chuan Yu <chuyu>
Severity: high Docs Contact: Vikram Goyal <vigoyal>
Priority: high    
Version: 4.1.0CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---   
Target Release: 4.1.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-22 20:26:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Howe 2019-06-12 21:39:06 UTC 
Document URL: 
https://docs.openshift.com/container-platform/4.1/authentication/certificates/api-server.html#add-default-api-server_api-server-certificates

Section Number and Name: 

    Add an API server default certificate
    Add an API server named certificate

Describe the issue: 

If you follow these and replace the API server default certificate or set a named cert for the internal master api url you will break your cluster unless you add the CA  that signed that cert to the cluster first. 

I believe to add the CA it would go would go here: 

#  oc get -n kube-system cm root-ca --template='{{index .data "ca.crt"}}'

This however will trigger a rolling restart of the node and other objects. 


Suggestions for improvement: 


- Add warning that if this is change and the ca is not part of trust then your cluster will break. 
        - Steps to recover 

- Add steps on adding to your root trust before following these steps. 
     - Add warning that updating the ca trust for the cluster will trigger restarts for all hosts.
 
- Add warning that when adding API server named certificate that you should not set this for the internal openshift master api hostname
   - How do you confirm what that "internal openshift master api hostname" is?
      - I think its this but this likely should not be overwriten with a cert. What are the steps needed to add a public url and then add you namedcert for to the master api.  
                
        $ cluster-info 
        Kubernetes master is running at https://api.master.openshift.com:6443
Comment 1 Christian Huffman 2019-07-10 19:49:30 UTC 
This is being addressed by https://github.com/openshift/openshift-docs/pull/15642 , where the instructions for defining a default certificate are removed, and a warning is added to the named certificate section.
Comment 2 Christian Huffman 2019-07-11 18:22:17 UTC 
This content has been merged and cherry-picked. Note that the functionality is being removed in the associated BZ https://bugzilla.redhat.com/show_bug.cgi?id=1720770 .

The section on adding a default certificate to the API server should be removed in an upcoming build of the documentation. Setting to RELEASE_PENDING.
Comment 3 Christian Huffman 2019-07-22 20:26:46 UTC 
Content is now visible in the published documentation at https://docs.openshift.com/container-platform/4.1/authentication/certificates/api-server.html . 

Closing this issue.