openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

Merge pull request #95231 from openshift-cherrypick-robot/cherry-pick-95125-to-enterprise-4.20

Browse Source 
[enterprise-4.20] OCPBUGS55748 Nodes become  temporarily after updating only the trusted CA bundle
This commit is contained in:
Michael Burke
2025-06-25 14:19:10 -04:00
committed by GitHub
parent 96bb801862 23e58c0763
commit 2a2151eb5b
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
modules/customize-certificates-replace-default-router.adoc
View File

@@ -40,7 +40,9 @@ $ oc patch proxy/cluster \
+
[NOTE]
====
If you update only the trusted CA for your cluster, the MCO updates the `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt` file and the Machine Config Controller (MCC) applies the trusted CA update to each node so that a node reboot is not required. Changing any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`, results in the MCO rebooting each node in your cluster.
If you update only the trusted CA for your cluster, the MCO updates the `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt` file and the Machine Config Controller (MCC) applies the trusted CA update to each node so that a node reboot is not required. However, with these changes, the Machine Config Daemon (MCD) restarts critical services on each node, such as kubelet and CRI-O. These service restarts cause each node to briefly enter the `NotReady` state until the service is fully restarted.
If you change any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`, the MCO reboots each node in your cluster.
====
. Create a secret that contains the wildcard certificate chain and key: