From cf0d8a8b4444279f1e3a15c96f3776f90be230f1 Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Wed, 3 Aug 2022 11:04:12 +0100 Subject: [PATCH] Update upgrade instructions for Yoga release The manual instructions are missing the step to update the SSH CA and Octavia certificate variables. The step to update the PKI CA is left over from the W to X upgrade and should not be required for X to Y. Update the instructions and script for this. Change-Id: I142cad013775c457f841994bb3ba10be78c9bc54 --- doc/source/admin/upgrades/major-upgrades.rst | 17 ++++++++++++----- scripts/run-upgrade.sh | 1 - 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/doc/source/admin/upgrades/major-upgrades.rst b/doc/source/admin/upgrades/major-upgrades.rst index f250d7651d..a3c62ed7a6 100644 --- a/doc/source/admin/upgrades/major-upgrades.rst +++ b/doc/source/admin/upgrades/major-upgrades.rst @@ -151,6 +151,13 @@ Please review the contents of the playbook for more information. # openstack-ansible "${SCRIPTS_PATH}/upgrade-utilities/deploy-config-changes.yml" +Update user_variables to set overrides for the location of any existing +Ocatavia certificates. + +.. code-block:: console + + # openstack-ansible "${SCRIPTS_PATH}/upgrade-utilities/define-octavia-certificate-vars.yml" + Upgrade hosts ~~~~~~~~~~~~~ 
@@ -161,14 +168,14 @@ Before installing the infrastructure and OpenStack, update the host machines. Usage of non-trusted certificates for RabbitMQ is not possible due to requirements of newer ``amqp`` versions. -The internal certificate authority must be updated for the upgraded -release version. This does not regenerate or alter any existing CA certificates. -New certificate chains may be generated at this stage to cover -additional parts of the deployment secured using TLS in upgraded release. +The SSH certificate authority must be updated for the upgraded release +version. SSH certificates are used for nova live migration and keystone +credential synchonrisation in the new release. This step ensures that +the required CA is generated and available for other playbooks. .. code-block:: console - # openstack-ansible certificate-authority.yml + # openstack-ansible certificate-ssh-authority.yml Once CA is generated, we can proceed with standard OpenStack upgrade steps: diff --git a/scripts/run-upgrade.sh b/scripts/run-upgrade.sh index 8270d8c0a5..9a03505c8d 100755 --- a/scripts/run-upgrade.sh +++ b/scripts/run-upgrade.sh @@ -176,7 +176,6 @@ function main { pushd ${MAIN_PATH}/playbooks RUN_TASKS+=("${SCRIPTS_PATH}/upgrade-utilities/deploy-config-changes.yml") RUN_TASKS+=("${SCRIPTS_PATH}/upgrade-utilities/define-octavia-certificate-vars.yml") - RUN_TASKS+=("certificate-authority.yml") RUN_TASKS+=("certificate-ssh-authority.yml") # we don't want to trigger container restarts for galera and rabbit # but as there will be no hosts available for metal deployments,
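Review bot: "Ocatavia" in the added paragraph of the first major-upgrades.rst hunk (@@ -151,6 +151,13 @@) is misspelled and should read "Octavia", matching the playbook name define-octavia-certificate-vars.yml two lines below it. The sentence also says only "Update user_variables"; since an operator running the manual path will have certificate paths written into their overrides by this playbook, it would help to say that the playbook writes the overrides itself and that the resulting values should be reviewed before continuing.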
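Review bot: "synchonrisation" in the added paragraph of the second major-upgrades.rst hunk (@@ -161,14 +168,14 @@) should be "synchronisation". The unchanged context line "Once CA is generated, we can proceed with standard OpenStack upgrade steps:" now follows a paragraph that is only about the SSH CA, so consider rewording it to "Once the SSH CA is generated" so readers do not take it to mean the internal PKI CA whose step this hunk removes.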
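Review bot: In the run-upgrade.sh hunk (@@ -176,7 +176,6 @@), nothing left in the script records why certificate-authority.yml is no longer queued while certificate-ssh-authority.yml still is; the reasoning exists only in the commit message. A short comment above RUN_TASKS+=("certificate-ssh-authority.yml") stating that the PKI CA is expected to exist already from the W to X upgrade and that only the SSH CA needs creating here would keep the next release's editor from re-adding or removing the wrong playbook.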