  1. Red Hat Advanced Cluster Management
  2. ACM-13260

Support verification of the hub API server certificate using the system trust store

    • False
    • None
    • False
    • Green
    • To Do
    • 0% To Do, 50% In Progress, 50% Done

      Epic Goal

      When importing a managed cluster, ACM usually auto-detects the CA certificate of the hub Kube API server and creates a CA bundle that the klusterlet and add-on agents use to communicate with the hub Kube API server. However, auto-detection does not always obtain the correct CA certificates (bug: ACM-12962, customer support case: 03888069), so users need to be able to specify the CA bundle themselves.

      Since ACM 2.10, the klusterlet CA bundle can be specified in the KlusterletConfig API, but it is not possible to use the system trust store to verify the server certificate. Using the system trust store is useful when the server certificate is signed by a well-known certificate authority (CA), such as Let's Encrypt.

      Why is this important?

      ...

      Scenarios

      ...

      Acceptance Criteria

      ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Doc issue opened with a completed template. Separate doc issue
        opened for any deprecation, removal, or any current known
        issue/troubleshooting removal from the doc, if applicable.

            leyan@redhat.com Le Yang
            leyan@redhat.com Le Yang
            Hui Chen Hui Chen