If your OpenShift Container Platform nodes must support FIPS and you previously generated the certificates on a non-FIPS node, you must execute these steps from a FIPS-compliant environment, such as a RHEL server booted in FIPS mode.
Then you can follow the Red Hat Customer Portal document Regenerating Openshift Cluster Certificates, which shows you how to:
- Regenerate the leaf certificates using oc adm ocp-certificates regenerate-leaf
- Regenerate the top-level certificates using oc adm ocp-certificates regenerate-top-level
There is also a really cool command to restart the kubelet: oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig
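As an added example (not from the post or from Red Hat's document), here is a small POSIX sh preflight that runs each of the commands above only when the host kernel reports FIPS mode, so the certificates cannot accidentally be regenerated on a non-FIPS host a second time. The LEAF_TARGETS and TOP_LEVEL_TARGETS variables are hypothetical placeholders for the secrets the Red Hat document tells you to pass to each regenerate subcommand.

```shell
#!/bin/sh
# Added example, not from the post or from Red Hat: a preflight guard that
# refuses to run the certificate regeneration unless the kernel reports FIPS
# mode, so the new certificates are never generated on a non-FIPS host again.

# The kernel's FIPS indicator on RHEL. Overridable so it can be pointed at a
# test file.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Returns 0 when the file given as $1 is readable and contains exactly "1".
fips_enabled() {
  [ -r "$1" ] || return 1
  [ "$(cat "$1")" = "1" ]
}

# Runs the command given as arguments only when FIPS mode is on; otherwise
# explains why and fails with status 2 without running anything.
run_in_fips() {
  if ! fips_enabled "$FIPS_FLAG_FILE"; then
    echo "refusing to run '$1': $FIPS_FLAG_FILE does not report FIPS mode;" \
         "boot a FIPS-mode RHEL host first" >&2
    return 2
  fi
  "$@"
}

# Hypothetical placeholders: the secrets each regenerate subcommand acts on are
# listed in the Red Hat document the post links; fill these in from it.
LEAF_TARGETS="${LEAF_TARGETS:-}"
TOP_LEVEL_TARGETS="${TOP_LEVEL_TARGETS:-}"

# The three commands from the post, each behind the guard, in the post's order.
regenerate_cluster_certs() {
  # shellcheck disable=SC2086  # word-splitting the target lists is intended
  run_in_fips oc adm ocp-certificates regenerate-leaf $LEAF_TARGETS &&
    run_in_fips oc adm ocp-certificates regenerate-top-level $TOP_LEVEL_TARGETS &&
    run_in_fips oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig
}
```

Source the file and call regenerate_cluster_certs from the FIPS-mode host; on any other host the guard exits before oc is invoked.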
This document is tried and true, and the best one for regenerating your cluster's certificates.
I’m blogging about this so I can find these key commands and the link when I need it again.