From b30d01c562c3600068851d7e9606ce38400e715b Mon Sep 17 00:00:00 2001 From: Daein Park Date: Sun, 3 Mar 2019 23:59:31 +0900 Subject: [PATCH] Correct the steps for redeploying router certificates "router-metrics-tls" secret should be service serving certificates secret. "router-certs" secret is using as wild card certificates and not service serving certificates secret. - Fix: https://bugzilla.redhat.com/show_bug.cgi?id=1672011 --- install_config/redeploying_certificates.adoc | 30 ++++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/install_config/redeploying_certificates.adoc b/install_config/redeploying_certificates.adoc index ef11e1f5c548..006e0f1669f0 100644 --- a/install_config/redeploying_certificates.adoc +++ b/install_config/redeploying_certificates.adoc @@ -589,13 +589,7 @@ $ oc rollout latest dc/docker-registry [[redeploying-router-certificates-manually]] ==== Redeploying Router Certificates Manually -When routers are initially deployed, an annotation is added to the router's -service that automatically creates a -xref:../dev_guide/secrets.adoc#service-serving-certificate-secrets[service serving certificate secret]. - -To redeploy router certificates manually, that service serving certificate can -be triggered to be recreated by deleting the secret, removing and re-adding -annotations to the `router` service, then redeploying the router: +To redeploy router certificates manually, you must add new router certificates to a secret named `router-certs`, then redeploy the router: . Switch to the `default` project for the remainder of these steps: + 
@@ -700,6 +694,18 @@ $ oc create secret tls router-certs --cert=router.pem \ <1> <1> *_router.pem_* is the file that contains the concatenation of the certificates that you generated. +. Redeploy the router: ++ +---- +$ oc rollout latest dc/router +---- ++ +When routers are initially deployed, an annotation is added to the router's +service that automatically creates a +xref:../dev_guide/secrets.adoc#service-serving-certificate-secrets[service serving certificate secret] named `router-metrics-tls`. ++ +To redeploy `router-metrics-tls` certificates manually, that service serving certificate can be triggered to be recreated by deleting the secret, removing and re-adding annotations to the router service, then redeploying the `router-metrics-tls` secret: + . Remove the following annotations from the `router` service: + ---- @@ -708,15 +714,15 @@ $ oc annotate service router \ service.alpha.openshift.io/serving-cert-signed-by- ---- -. Re-add the annotations: +. Remove the existing `router-metrics-tls` secret. + ---- -$ oc annotate service router \ - service.alpha.openshift.io/serving-cert-secret-name=router-certs +$ oc delete secret router-metrics-tls ---- -. Redeploy the router: +. Re-add the annotations: + ---- -$ oc rollout latest dc/router +$ oc annotate service router \ + service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls ----
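Review bot: In the hunk at @@ -589,13 +589,7, the new introductory sentence names `router-certs` but never says what kind of secret it is, which is the distinction the commit message draws (wildcard certificate, not a service serving certificate secret). Consider saying so in that sentence so readers do not confuse it with `router-metrics-tls` later in the procedure. The added sentence is also one long line, while the removed text it replaces was wrapped at about 80 columns; wrapping it keeps later diffs to this paragraph readable.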
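Review bot: In the hunk at @@ -700,6 +694,18, the two paragraphs that introduce `router-metrics-tls` are joined with `+` to the new "Redeploy the router" step, so they render inside that list item, and the annotation steps that follow continue the numbering of the `router-certs` procedure. Since this is a separate procedure for a different secret, end the list after the rollout step and start the `router-metrics-tls` steps as their own list or subsection. The closing phrase "then redeploying the `router-metrics-tls` secret" also reads oddly, because the same sentence describes the secret as being recreated, not redeployed; wording it as the secret being recreated would be consistent.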
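Review bot: After the hunk at @@ -708,15 +714,15, the procedure ends at "Re-add the annotations" with no rollout, because the "Redeploy the router" step was moved ahead of the `router-metrics-tls` steps. State whether the router needs another `oc rollout latest dc/router` to pick up the regenerated secret, and consider a closing step that confirms the secret was recreated, for example `oc get secret router-metrics-tls`. The new step title "Remove the existing `router-metrics-tls` secret." ends with a period where the neighbouring step titles end with a colon.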