Use the following playbooks to redeploy master, etcd, node, registry, and router
certificates on all relevant hosts. You can redeploy all of them at once using
the current CA, redeploy certificates for specific components only, or redeploy
a newly generated or custom CA on its own.
Just like the certificate expiry playbooks, these playbooks must be run with an
inventory file that is representative of the cluster.
In particular, the inventory must specify or override all host names and IP
addresses set via the following variables such that they match the current
cluster configuration:
-
openshift_hostname
-
openshift_public_hostname
-
openshift_ip
-
openshift_public_ip
-
openshift_master_cluster_hostname
-
openshift_master_cluster_public_hostname
Redeploying All Certificates Using the Current CA
The redeploy-certificates.yml playbook does not regenerate the
OpenShift Origin CA certificate. New master, etcd, node, registry, and router
certificates are created using the current CA certificate to sign new
certificates.
This also includes serial restarts of:
-
etcd
-
master services
-
node services
To redeploy master, etcd, and node certificates using the current
OpenShift Origin CA, run this playbook, specifying your inventory file:
$ ansible-playbook -i <inventory_file> \
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml
Redeploying a New or Custom CA
The redeploy-openshift-ca.yml playbook redeploys the OpenShift Origin CA
certificate by generating a new CA certificate and distributing an updated
bundle to all components including client kubeconfig files and the node’s
database of trusted CAs (the CA-trust).
This also includes serial restarts of:
-
etcd
-
master services
-
node services
-
docker
Additionally, you can specify a
custom CA certificate when redeploying certificates instead of relying on a CA
generated by OpenShift Origin.
When the master services are restarted, the registry and routers can continue to
communicate with the master without being redeployed because the master’s
serving certificate is the same, and the CA the registry and routers have are
still valid.
To redeploy a newly generated or custom CA:
-
If you want to use a custom CA, set the following variable in your inventory
file:
# Configure custom ca certificate
# NOTE: CA certificate will not be replaced with existing clusters.
# This option may only be specified when creating a new cluster or
# when redeploying cluster certificates with the redeploy-certificates
# playbook.
openshift_master_ca_certificate={'certfile': '</path/to/ca.crt>', 'keyfile': '</path/to/ca.key>'}
If you do not set the above, then the current CA will be regenerated in the next
step.
-
Run the redeploy-openshift-ca.yml playbook, specifying your inventory file:
$ ansible-playbook -i <inventory_file> \
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml
With the new CA in place, you can then use the
redeploy-certificates.yml playbook at your discretion whenever you want to redeploy certificates signed
by the new CA on all components.
Redeploying Master Certificates Only
The redeploy-master-certificates.yml playbook only redeploys master
certificates. This also includes serial restarts of master services.
To redeploy master certificates, run this playbook, specifying your inventory
file:
$ ansible-playbook -i <inventory_file> \
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml
Redeploying etcd Certificates Only
The redeploy-etcd-certificates.yml playbook only redeploys etcd certificates
including master client certificates.
This also include serial restarts of:
To redeploy etcd certificates, run this playbook, specifying your inventory
file:
$ ansible-playbook -i <inventory_file> \
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml
Redeploying Node Certificates Only
The redeploy-node-certificates.yml playbook only redeploys node
certificates. This also include serial restarts of node services.
To redeploy node certificates, run this playbook, specifying your inventory
file:
$ ansible-playbook -i <inventory_file> \
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml
Redeploying Registry or Router Certificates Only
The redeploy-registry-certificates.yml and
redeploy-router-certificates.yml playbooks replace installer-created
certificates for the registry and router. If custom certificates are in use for
these components, see
Redeploying Custom
Registry or Router Certificates to replace them manually.
Redeploying Registry Certificates Only
To redeploy registry certificates, run the following playbook, specifying your
inventory file:
$ ansible-playbook -i <inventory_file> \
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml
Redeploying Router Certificates Only
To redeploy router certificates, run the following playbook, specifying your
inventory file:
$ ansible-playbook -i <inventory_file> \
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-router-certificates.yml
Redeploying Custom Registry or Router Certificates
When nodes are evacuated due to a redeployed CA, registry and router pods are
restarted. If the registry and router certificates were not also redeployed with
the new CA, this can cause outages because they cannot reach the masters using
their old certificates.
The playbooks for redeploying certificates cannot redeploy custom registry or
router certificates, so to address this issue, you can manually redeploy the
registry and router certificates.
Redeploying Registry Certificates Manually
To redeploy registry certificates manually, you must add new registry
certificates to a secret named registry-certificates
, then redeploy the
registry:
-
Switch to the default
project for the remainder of these steps:
-
If your registry was initially created on OpenShift Origin 3.1 or earlier, it may
still be using environment variables to store certificates (which has been
deprecated in favor of using secrets).
-
Run the following and look for the
OPENSHIFT_CA_DATA
, OPENSHIFT_CERT_DATA
, OPENSHIFT_KEY_DATA
environment
variables:
$ oc env dc/docker-registry --list
-
If they do not exist, skip this step. If they do, create the following ClusterRoleBinding
:
$ cat <<EOF |
apiVersion: v1
groupNames: null
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: registry-registry-role
roleRef:
kind: ClusterRole
name: system:registry
subjects:
- kind: ServiceAccount
name: registry
namespace: default
userNames:
- system:serviceaccount:default:registry
EOF
oc create -f -
Then, run the following to remove the environment variables:
$ oc env dc/docker-registry OPENSHIFT_CA_DATA- OPENSHIFT_CERT_DATA- OPENSHIFT_KEY_DATA- OPENSHIFT_MASTER-
-
Set the following environment variables locally to make later commands less
complex:
$ REGISTRY_IP=`oc get service docker-registry -o jsonpath='{.spec.clusterIP}'`
$ REGISTRY_HOSTNAME=`oc get route/docker-registry -o jsonpath='{.spec.host}'`
-
Create new registry certificates:
$ oc adm ca create-server-cert \
--signer-cert=/etc/origin/master/ca.crt \
--signer-key=/etc/origin/master/ca.key \
--hostnames=$REGISTRY_IP,docker-registry.default.svc.cluster.local,$REGISTRY_HOSTNAME \
--cert=/etc/origin/master/registry.crt \
--key=/etc/origin/master/registry.key \
--signer-serial=/etc/origin/master/ca.serial.txt
-
Update the registry-certificates
secret with the new registry certificates:
$ oc secret new registry-certificates \
/etc/origin/master/registry.crt \
/etc/origin/master/registry.key \
-o json | oc replace -f -
-
Redeploy the registry:
$ oc deploy dc/docker-registry --latest
Redeploying Router Certificates Manually
To redeploy router certificates manually, that service serving certificate can
be triggered to be recreated by deleting the secret, removing and re-adding
annotations to the router
service, then redeploying the router:
-
Switch to the default
project for the remainder of these steps:
-
If your router was initially created on OpenShift Origin 3.1 or earlier, it may
still be using environment variables to store certificates (which has been
deprecated in favor of using service serving certificate secret).
-
Run the following and look for the
OPENSHIFT_CA_DATA
, OPENSHIFT_CERT_DATA
, OPENSHIFT_KEY_DATA
environment
variables:
$ oc env dc/router --list
-
If they do not exist, skip this step. If they do, create the following ClusterRoleBinding
:
$ cat <<EOF |
apiVersion: v1
groupNames: null
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: router-router-role
roleRef:
kind: ClusterRole
name: system:router
subjects:
- kind: ServiceAccount
name: router
namespace: default
userNames:
- system:serviceaccount:default:router
EOF
oc create -f -
Then, run the following to remove the environment variables:
$ oc env dc/router OPENSHIFT_CA_DATA- OPENSHIFT_CERT_DATA- OPENSHIFT_KEY_DATA- OPENSHIFT_MASTER-
-
Delete the router-certs
secret:
$ oc delete secret router-certs
-
Remove the following annotations from the router
service:
$ oc annotate service router \
service.alpha.openshift.io/serving-cert-secret-name- \
service.alpha.openshift.io/serving-cert-signed-by-
-
Re-add the annotations:
$ oc annotate service router \
service.alpha.openshift.io/serving-cert-secret-name=router-certs
-
Redeploy the router:
$ oc deploy dc/router --latest