From 6a195f85edff5abcfbc240ed8553ee128fa322aa Mon Sep 17 00:00:00 2001 From: David Kirwan Date: Wed, 15 Sep 2021 13:02:05 +0900 Subject: [PATCH] SOP Retrieve ocp4 cacert Signed-off-by: David Kirwan --- ...sop_configure_baremetal_pxe_uefi_boot.adoc | 11 ---------- .../ocp4/pages/sop_retrieve_ocp4_cacert.adoc | 22 +++++++++++++++++++ modules/ocp4/pages/sops.adoc | 1 + 3 files changed, 23 insertions(+), 11 deletions(-) create mode 100644 modules/ocp4/pages/sop_retrieve_ocp4_cacert.adoc diff --git a/modules/ocp4/pages/sop_configure_baremetal_pxe_uefi_boot.adoc b/modules/ocp4/pages/sop_configure_baremetal_pxe_uefi_boot.adoc index 0356f9f..17b584b 100644 --- a/modules/ocp4/pages/sop_configure_baremetal_pxe_uefi_boot.adoc +++ b/modules/ocp4/pages/sop_configure_baremetal_pxe_uefi_boot.adoc @@ -38,14 +38,3 @@ sudo rbac-playbook groups/noc.yml -t 'tftp_server,dhcp_server' On the `noc01` instance the `grub.cfg` file is located at `/var/lib/tftpboot/uefi/grub.cfg` If particular changes to OS images for example, are required, they should be made on the `noc01` instance directly at `/var/lib/tftpboot/images/`. This will require users to be in the `sysadmin-noc` group. - - - - - - - - - - - diff --git a/modules/ocp4/pages/sop_retrieve_ocp4_cacert.adoc b/modules/ocp4/pages/sop_retrieve_ocp4_cacert.adoc new file mode 100644 index 0000000..01b9136 --- /dev/null +++ b/modules/ocp4/pages/sop_retrieve_ocp4_cacert.adoc 
@@ -0,0 +1,22 @@ +== SOP Retrieve OCP4 Cluster CACERT + +=== Resources + +- [1] https://pagure.io/fedora-infra/ansible/blob/main/f/roles/dhcp_server[Ansible Role DHCP Server] + +=== Retrieve CACERT +In Fedora Infra, we have Apache terminating TLS for the cluster. Connections to the api and the machineconfig server are handled by haproxy. To prevent TLS errors we must configure haproxy with the OCP4 Cluster CA Cert. + +This can be retrieved once the cluster control plane has been installed, from the `os-control01` node like so: + +---- +oc get configmap kube-root-ca.crt -o yaml -n openshift-ingress +---- + +Extract this CACERT in full, and commit it to ansible at: `https://pagure.io/fedora-infra/ansible/blob/main/f/roles/haproxy/files/ocp.-iad2.pem` + +To deploy this cert, one must be apart of the `sysadmin-noc` group. Run the following playbook: + +---- +sudo rbac-playbook groups/proxies.yml -t 'haproxy' +---- diff --git a/modules/ocp4/pages/sops.adoc b/modules/ocp4/pages/sops.adoc index cd64e68..c496ba4 100644 --- a/modules/ocp4/pages/sops.adoc +++ b/modules/ocp4/pages/sops.adoc @@ -3,3 +3,4 @@ - xref:sop_installation.adoc[SOP Openshift 4 Installation on Fedora Infra] - xref:sop_configure_baremetal_pxe_uefi_boot.adoc[SOP Configure Baremetal PXE-UEFI Boot] - xref:sop_create_machineconfigs.adoc[SOP Create MachineConfigs to Configure RHCOS] +- xref:sop_retrieve_ocp4_cacert.adoc[SOP Retrieve OCP4 CACERT]
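Review bot: the hunk against modules/ocp4/pages/sop_configure_baremetal_pxe_uefi_boot.adoc only strips eleven trailing blank lines and has nothing to do with the subject "SOP Retrieve ocp4 cacert"; either split it into its own whitespace commit or mention it in the commit message so `git log` on that file stays accurate.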
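Review bot: in modules/ocp4/pages/sop_retrieve_ocp4_cacert.adoc the Resources entry `[1]` links the dhcp_server Ansible role, which this SOP never uses; the role the procedure actually depends on is haproxy (the cert is committed under `roles/haproxy/files/` and deployed with `-t 'haproxy'`), so the link should point there or be dropped. The destination filename `ocp.-iad2.pem` looks mistyped (a dot immediately followed by a hyphen); please confirm it is the name the haproxy role really reads. The retrieval step asks the reader to "Extract this CACERT in full" from a YAML dump, which invites copying the wrong field or the YAML indentation; naming the key directly avoids that: `oc get configmap kube-root-ca.crt -n openshift-ingress -o jsonpath='{.data.ca\.crt}'`, and a quick `openssl x509 -noout -subject -dates` on the result lets the operator confirm it is the cluster root CA and see its expiry before committing. Since the SOP's stated purpose is preventing TLS errors at haproxy, it should also say when to repeat the procedure (a rotated or expired cluster CA will reintroduce those errors) and make explicit that only the public CA certificate is committed to the ansible repo, never any key material. Minor: "apart of" should be "a part of".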