-
Story
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
-
None
-
None
-
False
-
-
False
-
None
-
None
-
None
This story covers the design and implementation of the core PKI API that enables administrators to configure cryptographic parameters for OpenShift internal certificates.
Background
Enterprise customers require the ability to configure cryptographic parameters (key algorithm, key size, elliptic curves) for certificates generated internally by OpenShift. Currently, OpenShift uses hardcoded defaults (RSA 2048-bit) with no configuration mechanism.
Scope
- New PKI custom resource in config.openshift.io/v1alpha1 API group
- Cluster-scoped singleton resource named "cluster"
- Support for RSA (2048, 3072, 4096) and ECDSA (P-256, P-384, P-521)
- Configuration hierarchy: specific overrides → category config → default config → platform defaults
- ConfigurablePKI feature gate for controlled rollout
- Uses discriminated union pattern for KeyConfig type
- Certificate wrapper type (CertificateConfig) for future extensibility
API Must Support
- Global defaults for all certificates
- Category-level configuration (SignerCertificate, ServingCertificate, ClientCertificate)
- Specific certificate overrides by well-known name
API Structure
Discriminated union pattern:
- algorithm field is union discriminator
- rsa and ecdsa fields are union members
- CEL validation enforces union constraints
Certificate config wrapper:
- CertificateConfig type wraps KeyConfig
- Allows future additions: lifetime, rotation policy, extensions
- Maintains extensibility without restructuring
Example Configuration
{{
spec:
defaults:
key:
algorithm: RSA
rsa:
keySize: 2048
categories:
- category: ServingCertificate
certificate:
key:
algorithm: ECDSA
ecdsa:
curve: P384
}}
API Consumers
- openshift-installer (Day-1 signer certificate generation)
- Multiple operators (Day-2 certificate rotation)
Success Criteria
- ConfigurablePKI feature gate created
- API types defined in openshift/api repository
- CEL validation rules enforce union constraints
- Well-known certificate names documented as constants
- Generated clients, listers, informers available
- API review approved
- Unit tests achieve >80% coverage
References
- Enhancement PR: https://github.com/openshift/enhancements/pull/1882
- Parent Epic: CNTRLPLANE-1735
- Upstream Feature: OCPSTRAT-2271
- Enhancement file: enhancements/security/internal-pki-config.md
1.
|
duplicate: Create ConfigurablePKI feature gate |
|
Closed | 
|
Unassigned |
2.
|
duplicate: API review and approval process |
|
Closed |
|
Unassigned |
3.
|
duplicate: Define PKI API types with OpenAPI validation |
|
Closed |
|
Unassigned |
4.
|
duplicate: Define well-known certificate names as constants |
|
Closed |
|
Unassigned |
5.
|
duplicate: Generate clients, listers, and informers for PKI API |
|
Closed |
|
Unassigned |
6.
|
duplicate: Unit tests for PKI API types |
|
Closed |
|
Unassigned |
7.
|
Create ConfigurablePKI feature gate |
|
In Progress |
|
Luis Sanchez |
8.
|
API review and approval process |
|
In Progress |
|
Luis Sanchez |
9.
|
Define PKI API types with OpenAPI validation |
|
To Do |
|
Unassigned |
10.
|
Define well-known certificate names as constants |
|
To Do |
|
Unassigned |
11.
|
Generate clients, listers, and informers for PKI API |
|
To Do |
|
Unassigned |
12.
|
Unit tests for PKI API types |
|
To Do |
|
Unassigned |
