ocp4 sops moved into sysadmin_guide
Signed-off-by: David Kirwan <davidkirwanirl@gmail.com>
parent
1d17fd8610
commit
c0d6947dba
35 changed files with 1 additions and 1 deletions
22
modules/sysadmin_guide/pages/sop_retrieve_ocp4_cacert.adoc
Normal file
|
@ -0,0 +1,22 @@
|
|||
= SOP Retrieve OCP4 Cluster CACERT
|
||||
|
||||
== Resources
|
||||
|
||||
- [1] https://pagure.io/fedora-infra/ansible/blob/main/f/roles/dhcp_server[Ansible Role DHCP Server]
|
||||
|
||||
== Retrieve CACERT
|
||||
In Fedora Infra, we have Apache terminating TLS for the cluster. Connections to the api and the machineconfig server are handled by haproxy. To prevent TLS errors we must configure haproxy with the OCP4 Cluster CA Cert.
|
||||
|
||||
This can be retrieved once the cluster control plane has been installed, from the `os-control01` node like so:
|
||||
|
||||
----
|
||||
oc get configmap kube-root-ca.crt -o yaml -n openshift-ingress
|
||||
----
|
||||
|
||||
Extract this CACERT in full, and commit it to ansible at: `https://pagure.io/fedora-infra/ansible/blob/main/f/roles/haproxy/files/ocp.<ENV>-iad2.pem`
|
||||
|
||||
To deploy this cert, one must be apart of the `sysadmin-noc` group. Run the following playbook:
|
||||
|
||||
----
|
||||
sudo rbac-playbook groups/proxies.yml -t 'haproxy'
|
||||
----
|
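Review bot: The only entry under `== Resources` links to `roles/dhcp_server`, but everything this SOP touches is haproxy (`roles/haproxy/files/ocp.<ENV>-iad2.pem` and the `-t 'haproxy'` tag), so the link looks carried over from another SOP; point it at the haproxy role or drop it. In the Retrieve CACERT section, `oc get configmap kube-root-ca.crt -o yaml` prints the whole ConfigMap as YAML, and "Extract this CACERT in full" leaves the reader to cut the PEM block out by hand. Consider having the command emit only the certificate data (for example a `-o jsonpath` selector on the `ca.crt` key) and adding a step to check the certificate's subject and fingerprint before it is committed to the ansible repository. In the deploy paragraph, "apart of" should read "a part of".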