Regenerating certificates
Procedure
- Regenerate service certificates.
- Check the number of service certificates.
oc get service --no-headers --all-namespaces -o custom-columns='NAMESPACE:{metadata.namespace},SERVING CERT:{metadata.annotations.service\.alpha\.openshift\.io/serving-cert-secret-name}' | grep -vw "<none>" | wc -l
- Regenerate service certificates.
Command 1:
oc delete secret/signing-key -n openshift-service-ca
Command 2:
while read namespace service secret
do
  if [ "$secret" != "<none>" ]
  then
    oc annotate service -n $namespace $service service.alpha.openshift.io/serving-cert-generation-error-
    oc delete secret -n $namespace $secret
  fi
done < <(oc get service --no-headers --all-namespaces -o custom-columns='NAMESPACE:{metadata.namespace},NAME:{metadata.name},SERVING CERT:{metadata.annotations.service\.alpha\.openshift\.io/serving-cert-secret-name}')
- Wait until all service certificates are regenerated.
oc get service --no-headers --all-namespaces -o custom-columns='NAMESPACE:{metadata.namespace},SERVING CERT:{metadata.annotations.service\.alpha\.openshift\.io/serving-cert-secret-name}' | grep -vw "<none>" | wc -l
- Check the number of service certificates.
- Regenerate CSR signer secrets (in order to prevent expiration of ClusterOperator certificates).
Command 1:
oc delete secrets/csr-signer-signer secrets/csr-signer -n openshift-kube-controller-manager-operator
Command 2:
oc get configmap extension-apiserver-authentication -n kube-system -o yaml | sed "s/ client-ca-file: |$/ client-ca-file: |\n/" | oc apply -f -
Command 3:
oc get secrets/csr-signer-signer secrets/csr-signer -n openshift-kube-controller-manager-operator
NAME                TYPE                DATA   AGE
csr-signer-signer   SecretTypeTLS       2      20d
csr-signer          kubernetes.io/tls   2      20d
- Wait until all ClusterOperators become "True False False" (AVAILABLE, PROGRESSING, DEGRADED). It takes a few minutes. The command below lists only the operators that have not reached that state yet.
oc get clusteroperators --no-headers | grep -v "True *False *False *"
kube-apiserver                 4.3.3   True   True   False   245d
kube-controller-manager        4.3.3   True   True   False   245d
openshift-controller-manager   4.3.3   True   True   False   5d3h
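The two wait steps above can be scripted. The following is an added example, not part of the original procedure: it treats a service certificate as regenerated only once the secret named in the service annotation exists again, and an operator as settled only when its AVAILABLE, PROGRESSING and DEGRADED columns read True False False. The function names and sample rows are constructed for illustration, and it assumes the VERSION column is populated as in the sample output above.

```shell
# Added example. Constructed sample rows (not from a real cluster).
SAMPLE_SERVICES='ns-a api api-tls
ns-a db <none>
ns-b web web-tls'
SAMPLE_SECRETS='ns-a api-tls
ns-b other'
SAMPLE_OPERATORS='kube-apiserver 4.3.3 True True False 245d
dns 4.3.3 True False False 245d'

SVC_COLS='NAMESPACE:{metadata.namespace},NAME:{metadata.name},SERVING CERT:{metadata.annotations.service\.alpha\.openshift\.io/serving-cert-secret-name}'
SEC_COLS='NAMESPACE:{metadata.namespace},NAME:{metadata.name}'

# $1: file of "NAMESPACE NAME" rows (existing secrets)
# $2: file of "NAMESPACE NAME SECRET" rows (services)
# Prints namespace/secret for each annotated serving-cert secret that does not exist.
missing_serving_certs() {
  awk 'FILENAME == ARGV[1] { have[$1 "/" $2] = 1; next }
       { k = $1 "/" $3; if ($3 != "<none>" && !(k in have)) print k }' "$1" "$2" | sort -u
}

# stdin: output of `oc get clusteroperators --no-headers`
# Prints the operators that are not Available=True, Progressing=False, Degraded=False.
unsettled_operators() {
  awk '!($3 == "True" && $4 == "False" && $5 == "False") { print $1 }'
}

# Needs a logged-in oc. A failed oc call is retried, never counted as "done".
wait_for_serving_certs() {
  svc=$(mktemp); sec=$(mktemp)
  while :; do
    oc get service --no-headers --all-namespaces -o custom-columns="$SVC_COLS" > "$svc" &&
      oc get secret --no-headers --all-namespaces -o custom-columns="$SEC_COLS" > "$sec" &&
      [ -z "$(missing_serving_certs "$sec" "$svc")" ] && break
    sleep 10
  done
  rm -f "$svc" "$sec"
}

wait_for_operators() {
  while :; do
    ops=$(oc get clusteroperators --no-headers) && [ -n "$ops" ] &&
      [ -z "$(printf '%s\n' "$ops" | unsettled_operators)" ] && break
    sleep 10
  done
}
```

Source the file, then call wait_for_serving_certs after the service certificate step and wait_for_operators after the CSR signer step.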