OSDOCS-6677: add new mco/mcc cert procedure

jldohmann · jldohmann · commit 154a868fb6ce · 2023-10-13T13:04:16.000-05:00
diff --git a/modules/checking-mco-status-certs.adoc b/modules/checking-mco-status-certs.adoc
@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/machine-configuration-tasks.adoc
+
+:_content-type: PROCEDURE
+[id="checking-mco-status-certs_{context}"]
+= Viewing and interacting with certificates
+
+The following certificates are handled in the cluster by the Machine Config Controller (MCC) and can be found in the `ControllerConfig` resource:
+
+* `/etc/kubernetes/kubelet-ca.crt`
+* `/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem`
+* `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt`
+
+The MCC also handles the image registry certificates and its associated user bundle certificate.
+
+You can get information about the listed certificates, including the underyling bundle the certificate comes from, and the signing and subject data.
+
+.Procedure
+
+* Get detailed certificate information by running the following command:
++
+[source,terminal]
+----
+$ oc get controllerconfig/machine-config-controller -o yaml | yq -y '.status.controllerCertificates'
+----
++
+.Example output
++
+[source,text]
+----
+"controllerCertificates": [
+                   {
+                       "bundleFile": "KubeAPIServerServingCAData",
+                       "signer": "<signer_data1>",
+                       "subject": "CN=openshift-kube-apiserver-operator_node-system-admin-signer@168909215"
+                   },
+                   {
+                       "bundleFile": "RootCAData",
+                       "signer": "<signer_data2>",
+                       "subject": "CN=root-ca,OU=openshift"
+                   }
+                ]
+----
+
+* Get a simpler version of the information found in the ControllerConfig by checking the machine config pool status using the following command:
++
+[source,terminal]
+----
+$ oc get mcp master -o yaml | yq -y '.status.certExpirys'
+----
++
+.Example output
++
+[source,text]
+----
+status:
+  certExpirys:
+  - bundle: KubeAPIServerServingCAData
+    subject: CN=admin-kubeconfig-signer,OU=openshift
+  - bundle: KubeAPIServerServingCAData
+    subject: CN=kube-csr-signer_@1689585558
+  - bundle: KubeAPIServerServingCAData
+    subject: CN=kubelet-signer,OU=openshift
+  - bundle: KubeAPIServerServingCAData
+    subject: CN=kube-apiserver-to-kubelet-signer,OU=openshift
+  - bundle: KubeAPIServerServingCAData
+    subject: CN=kube-control-plane-signer,OU=openshift
+----
++
+This method is meant for {product-title} applications that already consume machine config pool information.
+
+* Check which image registry certificates are on the nodes by looking at the contents of the `/etc/docker/cert.d` directory:
++
+[source,terminal]
+----
+# ls /etc/docker/certs.d
+----
++
+.Example output
+[source,text]
+----
+image-registry.openshift-image-registry.svc.cluster.local:5000 image-registry.openshift-image-registry.svc:5000
+----
diff --git a/modules/troubleshooting-disabling-autoreboot-mco.adoc b/modules/troubleshooting-disabling-autoreboot-mco.adoc
@@ -13,14 +13,3 @@ include::snippets/node-icsp-no-drain.adoc[]
 ====
 
 To avoid unwanted disruptions, you can modify the machine config pool (MCP) to prevent automatic rebooting after the Operator makes changes to the machine config.
-
-[NOTE]
-====
-Pausing an MCP prevents the MCO from applying any configuration changes on the associated nodes. Pausing an MCP also prevents any automatically rotated certificates from being pushed to the associated nodes, including the automatic rotation of the `kube-apiserver-to-kubelet-signer` CA certificate.
-
-If the MCP is paused when the `kube-apiserver-to-kubelet-signer` CA certificate expires, and the MCO attempts to renew the certificate automatically, the MCO cannot push the newly rotated certificates to those nodes. This causes the cluster to become degraded and causes failure in multiple `oc` commands, including `oc debug`, `oc logs`, `oc exec`, and `oc attach`. You receive alerts in the Alerting UI of the {product-title} web console if an MCP is paused when the certificates are rotated.
-
-Pausing an MCP should be done with careful consideration about the `kube-apiserver-to-kubelet-signer` CA certificate expiration and for short periods of time only.
-
-New CA certificates are generated at 292 days from the installation date and removed at 365 days from that date. To determine the next automatic CA certificate rotation, see the link:https://access.redhat.com/articles/5651701[Understand CA cert auto renewal in Red Hat OpenShift 4].
-====
diff --git a/post_installation_configuration/machine-configuration-tasks.adoc b/post_installation_configuration/machine-configuration-tasks.adoc
@@ -19,6 +19,7 @@ include::modules/machine-config-operator.adoc[leveloffset=+2]
 include::modules/machine-config-overview.adoc[leveloffset=+2]
 include::modules/machine-config-drift-detection.adoc[leveloffset=+2]
 include::modules/checking-mco-status.adoc[leveloffset=+2]
+include::modules/checking-mco-status-certs.adoc[leveloffset=+2]
 
 [id="using-machineconfigs-to-change-machines"]
 == Using MachineConfig objects to configure nodes
