[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Advice installing new custom master API certificates



I have a cluster running with Let's Encrypt/certbot generated certificates. The corresponding "fullchain.pem" and "privkey.pem" files are in /home/centos and the corresponding section of my inventory.yaml looks like this: -

        openshift_master_overwrite_named_certificates: true
        openshift_master_named_certificates: [
            { 'certfile': "/home/centos/fullchain.pem",
              'keyfile': "/home/centos/privkey.pem" }
        ]

That’s all working fine.

Now I have the following set of custom certificate files: -

- cert.crt
- ca-bundle.crt
- private.key

What do I need to do to replace the existing set of Let's Encrypt certificates with these new custom files?

I'm struggling with the 3.11 documentation on the matter (https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html). I think (in the "Retrofit Custom Master Certificates into a Cluster" section) it is telling me to adjust my inventory to look like this: -

        openshift_master_overwrite_named_certificates: true
        openshift_master_named_certificates: [
            { 'certfile': "/home/centos/cert.crt",
              'cafile': "/home/centos/ca-bundle.crt",
              'keyfile': "/home/centos/private.key",
              'names': ["okd.xchem.diamond.ac.uk"] }
        ]
   
And then, run the "redeploy-certificates.yml" playbook.

But it then goes on to talk about adjusting the master-config.yaml (step 4) but doesn't go into any specifics about what actually needs to be done. Is this editing not part of the playbook tasks referred to above (in step 3 of the documentation)?

The guide also talks about concatenating the certificate file. Do I need to concatenate the "cert" and "ca-bundle" files? If so, do I need to specify the 'cafile' in the inventory?

As a short-cut could I just go to the /etc/origin/master/named_certificates directory, replace the files and then bounce the API and CONTROLLERS processes?

It all gets a bit foggy.

Can someone explain the essential steps for me please?


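Whichever route the playbook takes, the checks that catch most "new certificate, API still broken" surprises can be run before touching the inventory: the private key must belong to the leaf certificate, the leaf must chain to the CA bundle that will be served alongside it, and the bundle must actually contain the intermediates (a bundle holding only the root will not let a client build the chain). If a single concatenated file is wanted, the leaf goes first and the CA bundle after it. The script below is an added example, not code from the original post or from the OpenShift documentation; it only relies on the openssl CLI. The CA, intermediate and leaf it generates into a temporary directory, and the hostname okd.example.test, are constructed test fixtures standing in for cert.crt, ca-bundle.crt and private.key.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a custom master certificate set
# (cert.crt, ca-bundle.crt, private.key) before wiring it into
# openshift_master_named_certificates. Not from the original post or the
# OpenShift docs; only needs the openssl CLI.
set -u

# 0 if the public half of KEY equals the public key inside CERT.
key_matches_cert() {
    local cert="$1" key="$2" cpub kpub
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 if CERT verifies using only the certificates found in BUNDLE.
# Fails when an intermediate is missing from the bundle.
chain_is_valid() {
    local cert="$1" bundle="$2"
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# 0 if NAME is listed as a DNS subjectAltName of CERT (exact match).
cert_covers_name() {
    local cert="$1" name="$2" esc
    esc=$(printf '%s' "$name" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:${esc}(,|$)"
}

# Write leaf followed by the CA bundle (the order TLS clients expect)
# to OUT and print how many PEM certificates it now holds.
build_fullchain() {
    local cert="$1" bundle="$2" out="$3"
    cat "$cert" "$bundle" > "$out" || return 1
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Run every check, report each one, return non-zero if any failed.
preflight() {
    local cert="$1" key="$2" bundle="$3" name="$4" rc=0
    if key_matches_cert "$cert" "$key"; then echo "ok   private key matches leaf cert"
    else echo "FAIL private key does not match leaf cert"; rc=1; fi
    if chain_is_valid "$cert" "$bundle"; then echo "ok   leaf chains to ca-bundle"
    else echo "FAIL leaf does not chain to ca-bundle (intermediate missing?)"; rc=1; fi
    if cert_covers_name "$cert" "$name"; then echo "ok   SAN covers $name"
    else echo "FAIL SAN does not cover $name"; rc=1; fi
    return $rc
}

# Constructed fixture: root CA -> intermediate -> leaf, written to DIR as
# cert.crt, private.key, ca-bundle.crt (plus root.crt / int.key for the
# negative checks). Purely for demonstration; not real certificates.
make_fixture() {
    local d="$1" name="$2" cnf="$1/openssl.cnf"
    mkdir -p "$d"
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl req -new -x509 -config "$cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Example Root" -days 2 >/dev/null 2>&1
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example Intermediate" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.crt" -days 2 -extfile "$cnf" -extensions ca_ext >/dev/null 2>&1
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/private.key" -out "$d/leaf.csr" -subj "/CN=$name" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/cert.crt" -days 2 -extfile "$cnf" -extensions leaf_ext >/dev/null 2>&1
    cat "$d/int.crt" "$d/root.crt" > "$d/ca-bundle.crt"
}

demo() {
    local d
    d=$(mktemp -d)
    make_fixture "$d" okd.example.test
    preflight "$d/cert.crt" "$d/private.key" "$d/ca-bundle.crt" okd.example.test
    build_fullchain "$d/cert.crt" "$d/ca-bundle.crt" "$d/fullchain.pem" >/dev/null
    rm -rf "$d"
}
demo
```

Against real files, call preflight with the three paths from the inventory and the name that will go into 'names'; a failing chain check with a bundle that has only the root is exactly the symptom of a missing intermediate, which concatenation will not repair.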