Update upgrade instructions for Yoga release

The manual instructions are missing the step to update the SSH CA and Octavia certificate variables.t The step to update the PKI CA is left over from the W to X upgrade and should not be required for X to Y. Update the instructions and script for this. Change-Id: I142cad013775c457f841994bb3ba10be78c9bc54
2022-08-03 11:04:12 +01:00 · 2022-08-03 11:04:12 +01:00 · cf0d8a8b44
commit cf0d8a8b44
parent c52441f157
2 changed files with 12 additions and 6 deletions
--- a/doc/source/admin/upgrades/major-upgrades.rst
+++ b/doc/source/admin/upgrades/major-upgrades.rst
@ -151,6 +151,13 @@ Please review the contents of the playbook for more information.

    # openstack-ansible "${SCRIPTS_PATH}/upgrade-utilities/deploy-config-changes.yml"

+Update user_variables to set overrides for the location of any existing
+Ocatavia certificates.
+
+.. code-block:: console
+
+    # openstack-ansible "${SCRIPTS_PATH}/upgrade-utilities/define-octavia-certificate-vars.yml"
+
 Upgrade hosts
 ~~~~~~~~~~~~~

@ -161,14 +168,14 @@ Before installing the infrastructure and OpenStack, update the host machines.
    Usage of non-trusted certificates for RabbitMQ is not possible
    due to requirements of newer ``amqp`` versions.

-The internal certificate authority must be updated for the upgraded
-release version. This does not regenerate or alter any existing CA certificates.
-New certificate chains may be generated at this stage to cover
-additional parts of the deployment secured using TLS in upgraded release.
+The SSH certificate authority must be updated for the upgraded release
+version. SSH certificates are used for nova live migration and keystone
+credential synchonrisation in the new release. This step ensures that
+the required CA is generated and available for other playbooks.

 .. code-block:: console

-    # openstack-ansible certificate-authority.yml
+    # openstack-ansible certificate-ssh-authority.yml

 Once CA is generated, we can proceed with standard OpenStack upgrade steps:

--- a/scripts/run-upgrade.sh
+++ b/scripts/run-upgrade.sh
@ -176,7 +176,6 @@ function main {
    pushd ${MAIN_PATH}/playbooks
        RUN_TASKS+=("${SCRIPTS_PATH}/upgrade-utilities/deploy-config-changes.yml")
        RUN_TASKS+=("${SCRIPTS_PATH}/upgrade-utilities/define-octavia-certificate-vars.yml")
-        RUN_TASKS+=("certificate-authority.yml")
        RUN_TASKS+=("certificate-ssh-authority.yml")
        # we don't want to trigger container restarts for galera and rabbit
        # but as there will be no hosts available for metal deployments,