Define well-known certificate names as public constants to enable consistent referencing across operators and the installer.

Repository

openshift/api/config/v1alpha1/types_pki.go (or separate constants file)

Certificate Name Categories

Signer Certificates:

• kube-apiserver-to-kubelet-signer
• kube-control-plane-signer
• kube-apiserver-localhost-signer
• service-ca
• admin-kubeconfig-signer

Serving Certificates:

• kube-apiserver (various SANs)
• etcd-server
• oauth-server

Client Certificates:

• kube-apiserver-to-kubelet-client
• admin-kubeconfig-client
• etcd-client

Constant Naming Convention

const CertificateName<Purpose><Type> = "certificate-name"

Example: const CertificateNameKubeAPIServerToKubeletSigner = "kube-apiserver-to-kubelet-signer"

Documentation Requirements

• Each constant documented with purpose and usage
• Categorized by certificate type (signer, serving, client)
• Cross-referenced in PKI API godoc
• Listed in enhancement document

Acceptance Criteria

• All well-known certificates defined as public constants
• Constants follow OpenShift API naming conventions
• Comprehensive godoc for each constant
• Constants referenced in PKISpec.Specific field documentation
• No hardcoded certificate name strings in operator code