From 0c0c81e11c0e41dbdce38b3aa4ca8bc46b2d8be5 Mon Sep 17 00:00:00 2001 From: Luis Sanchez Date: Fri, 28 Jun 2019 08:42:24 -0400 Subject: [PATCH] Update apiserver.doc Remove the instructions for replacing the default certificate. The instructions, as written, will also replace the internal serving certificates. Following the instructions for adding a named certificate will suffice. --- authentication/certificates/api-server.adoc | 2 -- modules/customize-certificates-api-add-named.adoc | 7 +++++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/authentication/certificates/api-server.adoc b/authentication/certificates/api-server.adoc index 1e77e3f9b1..5c66038149 100644 --- a/authentication/certificates/api-server.adoc +++ b/authentication/certificates/api-server.adoc @@ -10,6 +10,4 @@ cluster CA. Clients outside of the cluster will not be able to verify the API server's certificate by default. This certificate can be replaced by one that is issued by a CA that clients trust. -include::modules/customize-certificates-api-add-default.adoc[leveloffset=+1] - include::modules/customize-certificates-api-add-named.adoc[leveloffset=+1] diff --git a/modules/customize-certificates-api-add-named.adoc b/modules/customize-certificates-api-add-named.adoc index 3e8d908b71..a583359fba 100644 --- a/modules/customize-certificates-api-add-named.adoc +++ b/modules/customize-certificates-api-add-named.adoc @@ -18,6 +18,13 @@ client's URL. reach the API server. * The certificate must have the `subjectAltName` extension for the URL. +[WARNING] +==== +Do not provide a named certificate for the internal load balancer (host +name `api-int..`). Doing so will leave your +cluster in a degraded state. +==== + .Procedure . Create a secret that contains the certificate and key in the
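Review bot: In the api-server.adoc hunk, the unchanged sentence just above the removed include still reads "This certificate can be replaced by one that is issued by a CA that clients trust", which now points readers at the very operation the commit message says replaces the internal serving certificates. With only the named-certificate module left, reword that sentence so it says an additional certificate is served for the external host name rather than that the default one is replaced. The diffstat also lists only two files, so modules/customize-certificates-api-add-default.adoc stays in the tree with no include from this assembly; delete it in the same change or confirm that no other assembly still pulls it in, otherwise the unsafe procedure can resurface.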
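Review bot: In the WARNING added to customize-certificates-api-add-named.adoc, the host name reads `api-int..` with nothing between or after the dots, so a reader cannot tell which name to avoid; check that the placeholder segments are present in the source and survive rendering. The warning also says only that the cluster ends up "in a degraded state" without the reason given in the commit message (the internal serving certificates get replaced); one sentence saying that internal clients rely on the certificate served for that name would let an administrator recognise the failure and know to remove the offending named certificate. Consider repeating the constraint at the procedure step where the host names are entered, since a warning placed before `.Procedure` is easy to skip.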