Add note about an potential issue with node certificates when updating from pre 1.0.8 releases.

mwringe · mwringe · commit b71e5dd88c8c · 2015-12-11T15:17:25.000-05:00
diff --git a/install_config/cluster_metrics.adoc b/install_config/cluster_metrics.adoc
@@ -52,6 +52,18 @@ endif::[]
 
 == Before You Begin
 
+ifdef::openshift-origin[]
+[WARNING]
+====
+If your OpenShift installation was originally performed on a version previous to
+v1.0.8, even if it has since been updated to a newer version, you will need to 
+follow these steps outlined in the
+link:upgrades.html#openshift-origin-pre-1-0-8-certificate-update[update]
+document. If the node certificate does not contain the IP address of the node, then Heapster
+will fail to retrieve any metrics.
+====
+endif::[]
+
 The components for cluster metrics must be deployed to the `openshift-infra`
 project. This allows link:../dev_guide/pod_autoscaling.html[horizontal pod autoscalers]
 to discover the heapster service and use it to retrieve metrics that can be used
diff --git a/install_config/upgrades.adoc b/install_config/upgrades.adoc
@@ -1091,4 +1091,116 @@ Modify the *_/etc/origin/master/scheduler.json_* file to add the `*kind*` and
 ====
 <1> Add `*"kind": "Policy",*`
 <2> Add `*"apiVersion": "v1",*`
+
+[[openshift-origin-pre-1-0-8-certificate-update]]
+==== OpenShift Origin Pre 1.0.8 Installation and Kubelet Certificates
+
+The following steps may be required for any OpenShift instance which was originally installed 
+previous to the https://github.com/openshift/origin/releases[OpenShift Origin 1.0.8 release].
+This may include any and all updates from that version.
+
+With the 1.0.8 release, the certificates for each of the kubelet nodes were updated to include
+the IP address of the node. Any node certificates generated before the 1.0.8 release may not 
+contain the IP address of the node.
+
+If a node is missing the IP address as part of its certificate, clients may refuse to connect
+to the kubelet endpoint. Usually this will result in errors about the certificate not containing
+an `IP SAN`
+
+In order to remedy this situation, you may need to manually update the certificates for your node.
+
+*Checking the Node's Certificate*
+
+The follow command can be used to determine what subject alt names are already in place for the 
+node's serving certificate:
+
+====
+----
+# openssl x509 -in /etc/origin/node/server.crt -text -noout | grep -A 1 "Subject Alternative Name"
+----
+====
+ 
+If the output shows:
+====
+----
+X509v3 Subject Alternative Name:
+DNS:mynode, DNS:mynode.mydomain.com, IP: 1.2.3.4
+----
+====
+
+then your subject alt names are:
+====
+----
+mynode
+mynode.mydomain.com
+1.2.3.4
+----
+====
+
+You will now need to check that the `nodeIP` value in the  *_/etc/origin/node/node-config.yaml_* configuration file. If this value
+does not match one of the IP values from the subject alternative names determined in the previous step then it will need to be added to the node's certificate.
+
+If the `nodeIP` value is already contained within the subject alternative names, then no further steps are required.
+
+You will need to know the `Subject Alternative Names` and `nodeIP` value for the following steps.
+ 
+
+*Generating a New Node Certificate*
+
+If your current node certificate do not contain the proper IP address, then you will need to regenerate a new certificate for your node.
+
+We will perform the following commands from a temporary directory:
+
+====
+----
+# mkdir /tmp/node_certificate_update
+# cd /tmp/node_certificate_update
+----
+====
+
+First we will export a variable to contain all our signing options:
+====
+----
+# export signing_opts="--signer-cert=/etc/origin/master/ca.crt --signer-key=/etc/origin/master/ca.key --signer-serial=/etc/origin/master/ca.serial.txt"
+----
+====
+
+Then we need to generate the new certificate
+
+====
+----
+# oadm ca create-server-cert --cert=server.crt --key=server.key $signing_opts --hostnames=<existing subject alt names>,<nodeIP>
+----
+==== 
+
+For example, if the `Subject Alternative Name` from before was _mynode,mynode.mydomain.com,1.2.3.4_ and the `nodeIP` was 10.10.10.1, then 
+you will need to run the following command:
+====
+----
+# oadm ca create-server-cert --cert=server.crt --key=server.key $signing_opts --hostnames=mynode,mynode.mydomain.com,1.2.3.4,10.10.10.1
+----
+====
+
+*Replace Node Serving Certificates*
+
+Back up the existing *_/etc/origin/node/server.crt_* and *_/etc/origin/node/server.key_* file for your node:
+
+====
+----
+# mv /etc/origin/node/server.crt /etc/origin/node/server.crt.bak
+# mv /etc/origin/node/server.key /etc/origin/node/server.key.bak
+----
+====
+
+You will now need to copy the new *_server.crt_* and *_server.key_* created in the temporary directory during the previous step 
+
+====
+----
+# mv /tmp/node_certificate_update/server.crt /etc/origin/node/server.crt
+# mv /tmp/node_certificate_update/server.key /etc/origin/node/server.key
+----
+====
+
+After you have replaced the node's certificate, you will now need to restart the node service.
 endif::[]
+
