Uploaded image for project: 'Red Hat OpenShift Control Planes'
  1. Red Hat OpenShift Control Planes
  2. CNTRLPLANE-1743

Design and implement PKI CRD and API

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • None
    • None

      This story covers the design and implementation of the core PKI API that enables administrators to configure cryptographic parameters for OpenShift internal certificates.

      Background

      Enterprise customers require the ability to configure cryptographic parameters (key algorithm, key size, elliptic curves) for certificates generated internally by OpenShift. Currently, OpenShift uses hardcoded defaults (RSA 2048-bit) with no configuration mechanism.

      Scope

      • New PKI custom resource in config.openshift.io/v1alpha1 API group
      • Cluster-scoped singleton resource named "cluster"
      • Support for RSA (2048, 3072, 4096) and ECDSA (P-256, P-384, P-521)
      • Configuration hierarchy: specific overrides → category config → default config → platform defaults
      • ConfigurablePKI feature gate for controlled rollout
      • Uses discriminated union pattern for KeyConfig type
      • Certificate wrapper type (CertificateConfig) for future extensibility

      API Must Support

      1. Global defaults for all certificates
      2. Category-level configuration (SignerCertificate, ServingCertificate, ClientCertificate)
      3. Specific certificate overrides by well-known name

      API Structure

      Discriminated union pattern:

      • algorithm field is union discriminator
      • rsa and ecdsa fields are union members
      • CEL validation enforces union constraints

      Certificate config wrapper:

      • CertificateConfig type wraps KeyConfig
      • Allows future additions: lifetime, rotation policy, extensions
      • Maintains extensibility without restructuring

      Example Configuration

      {{
      spec:
      defaults:
      key:
      algorithm: RSA
      rsa:
      keySize: 2048
      categories:

      • category: ServingCertificate
        certificate:
        key:
        algorithm: ECDSA
        ecdsa:
        curve: P384
        }}

      API Consumers

      • openshift-installer (Day-1 signer certificate generation)
      • Multiple operators (Day-2 certificate rotation)

      Success Criteria

      • ConfigurablePKI feature gate created
      • API types defined in openshift/api repository
      • CEL validation rules enforce union constraints
      • Well-known certificate names documented as constants
      • Generated clients, listers, informers available
      • API review approved
      • Unit tests achieve >80% coverage

      References

          1.
          		 Create ConfigurablePKI feature gate Sub-task In Progress Undefined Luis Sanchez
          2.
          		 API review and approval process Sub-task In Progress Undefined Luis Sanchez
          3.
          		 Define PKI API types with OpenAPI validation Sub-task To Do Undefined Unassigned
          4.
          		 Define well-known certificate names as constants Sub-task To Do Undefined Unassigned
          5.
          		 Generate clients, listers, and informers for PKI API Sub-task To Do Undefined Unassigned
          6.
          		 Unit tests for PKI API types Sub-task To Do Undefined Unassigned

              lusanche@redhat.com Luis Sanchez
              lusanche@redhat.com Luis Sanchez
              None
              None
              None
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: