Merged
30 changes: 18 additions & 12 deletions install_config/redeploying_certificates.adoc
Expand Up @@ -582,13 +582,7 @@ $ oc rollout latest dc/docker-registry
[[redeploying-router-certificates-manually]]
==== Redeploying Router Certificates Manually

When routers are initially deployed, an annotation is added to the router's
service that automatically creates a
xref:../dev_guide/secrets.adoc#service-serving-certificate-secrets[service serving certificate secret].

To redeploy router certificates manually, that service serving certificate can
be triggered to be recreated by deleting the secret, removing and re-adding
annotations to the `router` service, then redeploying the router:
To redeploy router certificates manually, you must add new router certificates to a secret named `router-certs`, then redeploy the router:

. Switch to the `default` project for the remainder of these steps:
+
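Review bot: the new introductory sentence ("To redeploy router certificates manually, you must add new router certificates to a secret named `router-certs`, then redeploy the router:") drops every mention of the service serving certificate, yet the section still regenerates one further down. Consider adding a clause here saying that the procedure also recreates the `router-metrics-tls` service serving certificate secret, so readers know up front that two secrets are involved. The new line is also left unwrapped, while the paragraphs it replaces were wrapped at about 80 columns.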
Expand Down Expand Up @@ -693,6 +687,18 @@ $ oc create secret tls router-certs --cert=router.pem \ <1>
<1> *_router.pem_* is the file that contains the concatenation of the
certificates that you generated.

. Redeploy the router:
+
----
$ oc rollout latest dc/router
----
+
When routers are initially deployed, an annotation is added to the router's
service that automatically creates a
xref:../dev_guide/secrets.adoc#service-serving-certificate-secrets[service serving certificate secret] named `router-metrics-tls`.
+
To redeploy `router-metrics-tls` certificates manually, that service serving certificate can be triggered to be recreated by deleting the secret, removing and re-adding annotations to the router service, then redeploying the `router-metrics-tls` secret:

. Remove the following annotations from the `router` service:
+
----
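Review bot: the two paragraphs added after `$ oc rollout latest dc/router` are attached with `+` continuations, so they render as part of the "Redeploy the router" step even though they introduce a separate procedure; close the list item and start them as an ordinary paragraph instead. The phrase "then redeploying the `router-metrics-tls` secret" does not match the steps that follow, which delete the secret and re-add the annotation rather than redeploy anything; wording such as "then letting the secret be recreated" would fit. For consistency with the step below, put `router` in backticks in "annotations to the router service".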
Expand All @@ -701,15 +707,15 @@ $ oc annotate service router \
service.alpha.openshift.io/serving-cert-signed-by-
----

. Re-add the annotations:
. Remove the existing `router-metrics-tls` secret.
+
----
$ oc annotate service router \
service.alpha.openshift.io/serving-cert-secret-name=router-certs
$ oc delete secret router-metrics-tls
----

. Redeploy the router:
. Re-add the annotations:
+
----
$ oc rollout latest dc/router
$ oc annotate service router \
service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
----
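Review bot: with "Redeploy the router" moved ahead of these steps, the procedure now ends at re-adding the `serving-cert-secret-name=router-metrics-tls` annotation, and nothing rolls the router out after the secret is recreated. If the router has to be redeployed to pick up the regenerated `router-metrics-tls` certificate, add a final `oc rollout latest dc/router` step; if not, say so explicitly. The step titles are also punctuated inconsistently: "Remove the existing `router-metrics-tls` secret." ends with a period while the neighbouring steps end with a colon.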