googlearchive / k8s-service-catalog

[DEPRECATED] Commandline tool to manage Service Catalog lifecycle and GCP Service Broker atop Kubernetes Cluster
Apache License 2.0
69 stars 31 forks

Certs between apiserver and controller-manager pods can get out of sync after repeated `sc install` #166

Closed kibbles-n-bytes closed 6 years ago

kibbles-n-bytes commented 6 years ago

Running `sc install` will always generate new certs, but pods don't automatically pick up changes to secrets, so the running pods' certs may be out of date compared to what's in the secret. If the apiserver and controller-manager pods' views of the certs get out of sync, communication between them will fail.

We should probably keep generating new certs for security's sake (since someone could have created their own service-catalog namespace and put their own certs in there, so we don't want to just use those). The best solution is to manually kill the API server and controller manager pods (but not etcd) after applying the new templates, to ensure that the pods pick up the new certs.
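As an added example (not code from the k8s-service-catalog project), the check below detects the skew the issue describes: it fingerprints the cert currently stored in the Secret and compares it with what each running pod still has mounted, reporting the apiserver and controller-manager pods that need to be deleted so they re-read the Secret, while leaving etcd alone. The pod names, the `tls.crt` key and the certificate bytes are constructed sample data, not values from the project.

```python
"""Detect cert skew between a rewritten Secret and the pods that mounted it."""
import base64
import hashlib

# Pods that consume the service-catalog certs and must be cycled when the
# Secret changes; etcd holds no copy, so it is deliberately excluded.
# Pod names are assumptions for this example.
CERT_CONSUMERS = ("apiserver", "controller-manager")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER body, as openssl does before fingerprinting."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER body, hex encoded."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def secret_fingerprint(secret: dict, key: str = "tls.crt") -> str:
    """Secret values are stored base64 encoded (as in `kubectl get secret -o json`)."""
    return fingerprint(base64.b64decode(secret["data"][key]).decode())


def stale_pods(secret: dict, mounted: dict) -> list:
    """Cert-consuming pods whose mounted cert no longer matches the Secret.

    `mounted` maps pod name -> PEM text read from that pod's mounted volume.
    Pods outside CERT_CONSUMERS (e.g. etcd) are never reported.
    """
    want = secret_fingerprint(secret)
    return [p for p in CERT_CONSUMERS if p in mounted and fingerprint(mounted[p]) != want]


def _fake_pem(seed: bytes) -> str:
    # Constructed stand-in for a certificate: PEM armour around arbitrary bytes.
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(seed).decode() + "\n-----END CERTIFICATE-----\n"


OLD_CERT = _fake_pem(b"cert written by the first sc install")   # constructed
NEW_CERT = _fake_pem(b"cert written by the second sc install")  # constructed

# The Secret as the second `sc install` left it.
SECRET_AFTER_REINSTALL = {"data": {"tls.crt": base64.b64encode(NEW_CERT.encode()).decode()}}

# What each running pod still has on disk: apiserver was restarted, controller-manager was not.
MOUNTED = {"apiserver": NEW_CERT, "controller-manager": OLD_CERT, "etcd": OLD_CERT}

if __name__ == "__main__":
    print("delete these pods so they re-read the Secret:", stale_pods(SECRET_AFTER_REINSTALL, MOUNTED))
```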