openstack/openstack-ansible
Code Issues Proposed changes

Merge "[doc] Document CA generation upgrade step"

Browse Source
This commit is contained in:
Zuul 2021-06-15 03:13:39 +00:00 committed by Gerrit Code Review
commit 59828ce547
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
doc/source/admin/upgrades/major-upgrades.rst
View File

@ -156,6 +156,27 @@ Upgrade hosts
Before installing the infrastructure and OpenStack, update the host machines.
With the introduction of the PKI ansible role, OSA now manages its own Certificate
Authority (CA) when self-signed certificates are used. Before proceeding
with the upgrade, you will need to override ``openstack_pki_authorities``
and ``openstack_pki_service_intermediate_cert_name`` in your user_variables.
Otherwise, sample authorities will be generated for root and intermediate
certificates and all self-signed certificates generated later will be
signed with them.
.. warning::
Usage of non-trusted certificates for RabbitMQ is not possible
due to requirements of newer ``amqp`` versions.
To generate new CA, you will need to run the following command:
.. code-block:: console
# openstack-ansible certificate-authority.yml
Once CA is generated, we can proceed with standard OpenStack upgrade steps:
.. code-block:: console
# openstack-ansible setup-hosts.yml --limit '!galera_all:!rabbitmq_all'