• Sub-task
    • Resolution: Unresolved
    • openshift-4.22

      Overview

      Define the PKI API types in openshift/api repository at config.openshift.io/v1alpha1 to enable configuration of cryptographic parameters for OpenShift internal certificates.

      The API allows administrators to configure key algorithms (RSA/ECDSA) and key sizes/curves for:

      • All certificates (via defaults)
      • Certificate categories: SignerCertificate, ServingCertificate, ClientCertificate
      • Specific named certificates (via overrides)

      The API supports three management modes:

      • Unmanaged: Use component hardcoded defaults (for upgrade compatibility)
      • Default: Use OpenShift best practices (may evolve across releases)
      • Custom: Use administrator-specified configuration

      Feature Gate

      • Feature Gate: ConfigurablePKI
      • Development: TechPreviewNoUpgrade enablement
      • GA target: Default enabled
      • Compatibility Level: 4 (v1alpha1) → 1 (v1 at GA)

      Acceptance Criteria

      • All types compile without errors
      • CEL validation rules generate correctly in the CRD
      • make verify passes without linter warnings
      • Godoc comments follow Kubernetes conventions
      • API approved via openshift/api review process

              lusanche@redhat.com Luis Sanchez