SOP Retrieve OCP4 Cluster CACERT

Resources

[1] Ansible Role DHCP Server

Retrieve CACERT

In Fedora Infra, we have Apache terminating TLS for the cluster. Connections to the api and the machineconfig server are handled by haproxy. To prevent TLS errors we must configure haproxy with the OCP4 Cluster CA Cert.

This can be retrieved once the cluster control plane has been installed, from the os-control01 node like so:

oc get configmap kube-root-ca.crt -o yaml -n openshift-ingress

Extract this CACERT in full, and commit it to ansible at: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/haproxy/files/ocp.<ENV>-iad2.pem

To deploy this cert, one must be apart of the sysadmin-noc group. Run the following playbook:

sudo rbac-playbook groups/proxies.yml -t 'haproxy'

Want to help? Learn how to contribute to Fedora Docs ›