Merged
30 changes: 18 additions & 12 deletions install_config/redeploying_certificates.adoc
@@ -577,13 +577,7 @@ $ oc rollout latest dc/docker-registry
[[redeploying-router-certificates-manually]]
==== Redeploying Router Certificates Manually

When routers are initially deployed, an annotation is added to the router's
service that automatically creates a
xref:../dev_guide/secrets.adoc#service-serving-certificate-secrets[service serving certificate secret].

To redeploy router certificates manually, that service serving certificate can
be triggered to be recreated by deleting the secret, removing and re-adding
annotations to the `router` service, then redeploying the router:
To redeploy router certificates manually, you must add new router certificates to a secret named `router-certs`, then redeploy the router:

. Switch to the `default` project for the remainder of these steps:
+
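Review bot: the new lead sentence ("you must add new router certificates to a secret named `router-certs`, then redeploy the router") describes only the `router-certs` half of the procedure, while the same change adds a second half further down that deletes and recreates the `router-metrics-tls` secret; the lead sentence should name both so the reader knows the metrics serving certificate is handled in this section as well. Also, "add new router certificates to a secret" reads as if the secret already exists, whereas the later step runs `oc create secret tls router-certs`; "create a secret named `router-certs` that contains the new router certificates" would match the command.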
@@ -688,6 +682,18 @@ $ oc create secret tls router-certs --cert=router.pem \ <1>
<1> *_router.pem_* is the file that contains the concatenation of the
certificates that you generated.

. Redeploy the router:
+
----
$ oc rollout latest dc/router
----
+
When routers are initially deployed, an annotation is added to the router's
service that automatically creates a
xref:../dev_guide/secrets.adoc#service-serving-certificate-secrets[service serving certificate secret] named `router-metrics-tls`.
+
To redeploy `router-metrics-tls` certificates manually, that service serving certificate can be triggered to be recreated by deleting the secret, removing and re-adding annotations to the router service, then redeploying the `router-metrics-tls` secret:
... can be triggered to be recreated by removing annotations to the router service, deleting the secret and re-adding annotations to the router service. I think the secret should be deleted after removing the annotation; otherwise it will be recreated immediately.

Line 708: `service.alpha.openshift.io/serving-cert-signed-by-` this annotation should not be removed.

Others LGTM, thanks.

Member Author
Thank you for your review and kind correction @lihongan,

You're right. I changed the sequence of the steps as you mentioned (the secret-removal step now comes after the annotation-removal step).

And I think it is better to remove the `service.alpha.openshift.io/serving-cert-signed-by` annotation at the same time. That annotation is also added automatically, with the current OpenShift CA signer value, when `service.alpha.openshift.io/serving-cert-secret-name` is added again. For example, if a new CA is deployed before the router certs are redeployed, it can cause a CA mismatch issue with the new CA, because the value of `service.alpha.openshift.io/serving-cert-signed-by` is old or different from the new CA signer value.

That makes sense. Thank you @bysnupy


. Remove the following annotations from the `router` service:
+
----
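Review bot: the order in the added sentence "can be triggered to be recreated by deleting the secret, removing and re-adding annotations to the router service, then redeploying the `router-metrics-tls` secret" does not match the steps that follow it, where the annotations are removed before the secret is deleted (and the review thread above agrees that deleting first just lets the secret be recreated immediately). Suggest "by removing the annotations from the router service, deleting the secret, then re-adding the annotations, which recreates the `router-metrics-tls` secret". "Redeploying the secret" is also misleading, since the secret is generated from the service annotation rather than deployed by the administrator.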
@@ -696,15 +702,15 @@ $ oc annotate service router \
service.alpha.openshift.io/serving-cert-signed-by-
----

. Re-add the annotations:
. Remove the existing `router-metrics-tls` secret.
+
----
$ oc annotate service router \
service.alpha.openshift.io/serving-cert-secret-name=router-certs
$ oc delete secret router-metrics-tls
----

. Redeploy the router:
. Re-add the annotations:
+
----
$ oc rollout latest dc/router
$ oc annotate service router \
service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
----
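Review bot: the previous version ended with `oc rollout latest dc/router` after the annotations were re-added; this hunk drops that final step, and the only rollout now happens earlier, right after `router-certs` is created, so the text no longer says whether the running router picks up the recreated `router-metrics-tls` secret without a further rollout. Either keep a final "Redeploy the router" step after "Re-add the annotations", or state explicitly that no rollout is needed for the metrics secret. Two smaller points: "Remove the existing `router-metrics-tls` secret." ends with a period while the sibling steps end with a colon; and the procedure removes `service.alpha.openshift.io/serving-cert-signed-by` but only re-adds `service.alpha.openshift.io/serving-cert-secret-name`, which is correct per the thread (the signer annotation is repopulated automatically), but one sentence saying so in the document would stop readers from wondering about the asymmetry.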