From 23e58c0763aa6540c35ff1a16c3f4c2e6531ce67 Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Mon, 23 Jun 2025 16:33:46 -0400 Subject: [PATCH] OCPBUGS55748 Nodes become temporarily after updating only the trusted CA bundle --- modules/customize-certificates-replace-default-router.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/customize-certificates-replace-default-router.adoc b/modules/customize-certificates-replace-default-router.adoc index 5a7255326f..5db5f2c7d5 100644 --- a/modules/customize-certificates-replace-default-router.adoc +++ b/modules/customize-certificates-replace-default-router.adoc @@ -40,7 +40,9 @@ $ oc patch proxy/cluster \ + [NOTE] ==== -If you update only the trusted CA for your cluster, the MCO updates the `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt` file and the Machine Config Controller (MCC) applies the trusted CA update to each node so that a node reboot is not required. Changing any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`, results in the MCO rebooting each node in your cluster. +If you update only the trusted CA for your cluster, the MCO updates the `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt` file and the Machine Config Controller (MCC) applies the trusted CA update to each node so that a node reboot is not required. However, with these changes, the Machine Config Daemon (MCD) restarts critical services on each node, such as kubelet and CRI-O. These service restarts cause each node to briefly enter the `NotReady` state until the service is fully restarted. + +If you change any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`, the MCO reboots each node in your cluster. ==== . Create a secret that contains the wildcard certificate chain and key:
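Review bot: In the second added paragraph of the NOTE, "any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`" attributes `noproxy` to a certificate bundle file, which has no such parameter. The context line above the NOTE is `oc patch proxy/cluster`, so the sentence most likely means a parameter of the proxy object. Since this line is being rewritten anyway, consider wording it as "If you change any other parameter of the `proxy/cluster` object, such as `noproxy`, ...". In the first added paragraph, "with these changes" does not say which changes are meant; "when the trusted CA is updated" would be clearer. "until the service is fully restarted" is singular although the preceding sentence names two services (kubelet and CRI-O), so "until the services are fully restarted" would be consistent. The subject line "Nodes become temporarily after updating only the trusted CA bundle" also appears to be missing the state the nodes enter.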