SOP Retrieve OCP4 Cluster CACERT
Retrieve CACERT
In Fedora Infra, we have Apache terminating TLS for the cluster. Connections to the API and the machineconfig server are handled by haproxy. To prevent TLS errors, we must configure haproxy with the OCP4 Cluster CA Cert.
This can be retrieved from the os-control01 node once the cluster control plane has been installed, like so:
oc get configmap kube-root-ca.crt -o yaml -n openshift-ingress
Extract this CACERT in full, and commit it to ansible at: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/haproxy/files/ocp.<ENV>-iad2.pem
To deploy this cert, one must be a part of the sysadmin-noc group. Run the following playbook:
sudo rbac-playbook groups/proxies.yml -t 'haproxy'
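For the "Extract this CACERT in full" step above, one way to pull the PEM bundle out of the YAML output and confirm it is complete before committing it. This is an added example, not Fedora Infra tooling; the function names and the sample ConfigMap are constructed, and it assumes the bundle is stored under the ca.crt key as a YAML block scalar.

```bash
#!/usr/bin/env bash
# Added example (not Fedora Infra tooling). Function names are hypothetical.

# Print the PEM text stored under data."ca.crt" in ConfigMap YAML read from stdin.
extract_ca_bundle() {
  awk '
    /^  ca[.]crt: [|]/ { inblk = 1; next }                # block scalar starts
    inblk && /^    /   { sub(/^    /, ""); print; next }  # strip YAML indent
    inblk && /^$/      { next }                           # tolerate blank lines
    inblk              { exit }                           # next key ends the block
  '
}

# Print the number of certificates; fail if the bundle is empty, truncated,
# or has anything other than base64 between the BEGIN/END markers.
check_bundle() {
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { if (incert) bad = 1; incert = 1; n++; next }
    /^-----END CERTIFICATE-----$/   { if (!incert) bad = 1; incert = 0; next }
    !incert || $0 !~ /^[A-Za-z0-9+\/=]+$/ { bad = 1 }
    END { if (bad || incert || n == 0) exit 1; print n }
  '
}

# Constructed stand-in for the `oc get configmap ... -o yaml` output;
# the base64 bodies are placeholders, not real certificates.
sample_configmap() {
  cat <<'EOF'
apiVersion: v1
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    Q09OU1RSVUNURUQtUExBQ0VIT0xERVItMQ==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Q09OU1RSVUNURUQtUExBQ0VIT0xERVItMg==
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  name: kube-root-ca.crt
  namespace: openshift-ingress
EOF
}

# On os-control01 the input would come from the command in this SOP:
#   oc get configmap kube-root-ca.crt -o yaml -n openshift-ingress | extract_ca_bundle
sample_configmap | extract_ca_bundle | check_bundle   # prints 2
```

The check is structural only: it catches a bundle that lost a certificate or an END line during copy and paste, but it does not validate the certificates themselves.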