Loading...

XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- feature-team-cert

Epic Name:
Create TLS artifacts registry
Work Type:
Product / Portfolio Work
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Size:
XL

Target Version:

openshift-4.18.z
Release Blocker:
None

Story Points:
13

In order to keep track of existing certs/CA bundles and ensure that they adhere to requirements we need to have a TLS artifact registry setup.

The registry would:

have a test which automatically collects existing certs/CA bundles from secrets/configmaps/files on disk
have a test which collects necessary metedata from them (from cert contents or annotations)
ensure that new certs match expected metadata and have necessary annotations on when a new cert is added

Ref: API-1622

incorporates

OCPSTRAT-1395 Automated control-plane recovery from expired certificates (hibernation)

Closed

is related to

OCPSTRAT-537 Improve API server certificate rotation [API-1579]

Closed

links to

openshift/api#1977: API-1689: features: add ShortCertRotation

openshift/cluster-kube-apiserver-operator#1763: API-1689: TLS registry: add description

openshift/origin#29074: API-1853: make TLS registry tests required

openshift/origin#29172: API-1689: tls registry: extend time for cert collection pod to start

openshift/origin#29215: API-1689: TLS registry: add refresh period requirement

openshift/origin#29327: API-1853: TLS registry: refactor testcase annotations

(3 links to)

Assignee:: Vadim Rutkovsky

Reporter:: Vadim Rutkovsky

Need Info From:: None

Contributors:: None

QA Contact:: Ke Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/01/16 12:37 PM

Updated:: 2025/06/27 10:07 AM

Resolved:: 2025/05/15 12:01 PM