How to Enable Auto Approval of CSRs in OpenShift v3.10+

By | May 3, 2020

There is a slight change starting with OpenShift v3.10 clusters. Node certificates are no longer completely redeployed through a playbook; they are renewed through a different mechanism, which is explained briefly below.

Node certificates are valid for a period of one year. At around 85% of the certificate lifetime, the node generates a CSR that has to be approved before the renewed certificate is issued and deployed.

The only certificates that are renewed/redeployed through the CSR mechanism are the kubelet (node) certificates. All other certificates, e.g. the router, master API, etcd and docker-registry certificates, are still redeployed through the usual playbooks.

For more details, please see the official Red Hat documentation here.

Check here for renewal of the SSL certificates.

Note:

If a triggered CSR is not approved, either manually or automatically, the existing certificate expires after one year. The renewal then fails with a pending CSR, and all affected nodes go into the NotReady state, which brings down the entire cluster.

To check whether any CSRs are waiting for approval, use the command below:

$ oc get csr

To view the details of a CSR:

$ oc describe csr csr_name

To approve a CSR manually:

$ oc adm certificate approve csr_name

To approve all pending CSRs at once, use one of the commands below:

$ oc get csr -o name | xargs oc adm certificate approve

(or)

$ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve

Once these CSRs are approved, the renewed certificates are issued to the nodes.
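The xargs one-liners above approve every pending CSR regardless of who requested it. The shell snippet below is an added example, not part of the original post: it only passes pending CSRs that come from the node bootstrapper service account or from an existing node identity on to approval, and lists anything else for a human to inspect first. The sample `oc get csr --no-headers` output is constructed, and the bootstrapper service-account name is an assumption about the cluster.

```shell
# Constructed sample of `oc get csr --no-headers` output in 3.x column order:
# NAME  AGE  REQUESTOR  CONDITION. Requestor names are assumptions, not values
# taken from a real cluster.
SAMPLE_CSRS='node-csr-abc123  4m   system:serviceaccount:openshift-infra:node-bootstrapper  Pending
node-csr-def456  2m   system:node:node1.example.com  Pending
csr-old789       20h  system:node:node2.example.com  Approved,Issued
csr-rogue        1m   system:serviceaccount:default:builder  Pending'

# filter_pending MODE   (MODE is "node" or "other"); reads oc output on stdin.
# A requestor is treated as a legitimate node requestor when it is the
# bootstrap service account (first join) or a system:node:<hostname> identity
# (renewal of an already-joined node). Only the CSR names are printed.
filter_pending() {
  awk -v mode="$1" '
    function node_requestor(r) {
      return r == "system:serviceaccount:openshift-infra:node-bootstrapper" || r ~ /^system:node:/
    }
    $NF == "Pending" {
      if (mode == "node" && node_requestor($3)) print $1
      if (mode == "other" && !node_requestor($3)) print $1
    }'
}

# Pending CSRs that are safe to hand to `oc adm certificate approve`.
pending_node_csrs() { filter_pending node; }

# Pending CSRs from any other requestor: review these before approving.
other_pending_csrs() { filter_pending other; }

echo "Would approve:"
printf '%s\n' "$SAMPLE_CSRS" | pending_node_csrs
echo "Needs manual review:"
printf '%s\n' "$SAMPLE_CSRS" | other_pending_csrs

# Against a live cluster (not executed here):
#   oc get csr --no-headers | pending_node_csrs | xargs -r oc adm certificate approve
#   oc get csr --no-headers | other_pending_csrs
```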

Because this is a manual step, it cannot be the recommended way of running a production cluster; the better approach is to automate CSR validation and approval. This can be achieved in one of two ways:

At the time of installing the cluster

You can configure automatic approval of node CSRs by adding the following parameter to your Ansible inventory file when deploying the cluster:

openshift_master_bootstrap_auto_approve=true

Note: Adding this parameter allows all CSRs generated using the bootstrap credential, or from a previously authenticated node with the same hostname, to be approved without any administrator intervention. Anyone holding the bootstrap credential can therefore obtain a node certificate, so that credential has to be protected accordingly.

After the cluster setup

Run the playbook below to add the parameter "openshift_master_bootstrap_auto_approve=true" to an existing cluster:

$ ansible-playbook -vvv /usr/share/ansible/openshift-ansible/playbooks/openshift-master/enable_bootstrap.yml -e openshift_master_bootstrap_auto_approve=true

This creates the bootstrap-autoapprover StatefulSet (statefulset.apps/bootstrap-autoapprover) in the openshift-infra project; its pod takes care of approving node CSRs automatically from then on.

