I have a cluster running with Let's Encrypt/certbot generated certificates. The corresponding "fullchain.pem" and "privkey.pem" files are in /home/centos and the corresponding section of my inventory.yaml looks like this: -

    openshift_master_overwrite_named_certificates: true
    openshift_master_named_certificates: [ { 'certfile': "/home/centos/fullchain.pem", 'keyfile': "/home/centos/privkey.pem" } ]

That's all working fine.

Now I have the following set of custom certificate files: -

- cert.crt
- ca-bundle.crt
- private.key

What do I need to do to replace the existing set of Let's Encrypt certificates with these new custom files?

I'm struggling with the 3.11 documentation on the matter (https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html). I think (in the "Retrofit Custom Master Certificates into a Cluster" section) it is telling me to adjust my inventory to look like this: -

    openshift_master_overwrite_named_certificates: true
    openshift_master_named_certificates:
      [ { 'certfile': "/home/centos/cert.crt",
          'cafile': "/home/centos/ca-bundle.crt",
          'keyfile': "/home/centos/private.key",
          'names': ["okd.xchem.diamond.ac.uk"] } ]

And then, run the "redeploy-certificates.yml" playbook.

But it then goes on to talk about adjusting the master-config.yaml (step 4) but doesn't go into any specifics about what actually needs to be done. Is this editing not part of the playbook tasks referred to above (in step 3 of the documentation)?

The guide also talks about concatenating the certificate file. Do I need to concatenate the "cert" and "ca-bundle" files? If so do I need to specify the 'cafile' in the inventory?

As a short-cut could I just go to the /etc/origin/master/named_certificates directory, replace the files and then bounce the API and CONTROLLERS processes?

It all gets a bit foggy. Can someone explain the essential steps for me please?

Alan Christie
achris...@informaticsmatters.com