Nodes certificates are not Completely redeployed through playbook but through a different mechanism.
Parst of the Openshift series
- Part1: Install Opeshift
- Part2: How to Enable Auto Approval of CSR in Openshift v3.11
- Part3: Add new workers to Openshift cluster
- Part4: Chane the certificates of the Openshift cluster
- Part5: LDAP authentication for Openshift
- Part6: Keycloak SSO authentication for Openshift
- Part7: Gitlab SSO authentication for Openshift
- Part8a: Ceph persistent storage for Openshift
- Part8b: vSphere persistent storage for Openshift
- Part9: Helm on Openshift
- Part10: Tillerless Helm on Openshift
- Part11: Use external docker registry on Openshift
- Part12: Secondary router on Openshift
- Part13a: Use Letsencrypt on Openshift
- Part13b: Install cert-managger on Openshift
- Part14: Create Openshift operators
- Part15: Convert docker-compose file to Opeshift
SSL Certificates will be valid for the period of 1 year and at 85% of the certificate the node will trigger a CSR that would have to be approved for the certificate to be redeployed.
The Only certificates that are renewed/redeployed through CSR’s mechanism are the kubelet/nodes certificates. Any other certificates e.g, router, master, api certs, etcd, docker-registry, etc are still redeployed through the usual playbooks.
If triggered CSR is not approved either manually or in automated way then after one year all nodes will go to NotReady State.
Check and approve csr’s manually
oc get csr oc describe csr <csr_name> oc adm certificate <approve csr_name> oc get csr -o name | xargs oc adm certificate approve
Approve csr’s automaticle
At install time you can add this option to your ansible hosts fiel:
If you installed the cluster and want to change this option run this playbook:
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-master/enable_bootstrap.yml \ -e openshift_master_bootstrap_auto_approve=true