Red Hat OpenShift Control Planes / CNTRLPLANE-2012

Installer: Support Customizing RSA keys size of OpenShift CA

    • Story
    • Resolution: Unresolved

      Currently, the key size for OpenShift certificates that are generated by the installer is hard-coded.

      To enable customizable key sizes, the key size in the installer also needs to be configurable.

      See the configurable PKI enhancement for background:
      https://github.com/openshift/enhancements/pull/1882

      More specifically, see the section on the installer integration.
      TLDR: The proposal is to extend the install-config to accept PKI-related config that is used to set the key parameters when generating the signers. Additionally, the installer would create the initial PKI resource.

      The openshift-installer will support a limited subset of PKI configuration:
      
      ```yaml
      # install-config.yaml
      apiVersion: v1
      metadata:
        name: my-cluster
      # ... other configuration ...
      pki:
        signerCertificates:
          key:
            algorithm: RSA
            rsa:
              keySize: 4096
      ```
      
      Rationale for limiting Day-1 configuration:
      - **10-year signer certificates**: The installer generates several long-lived (10-year) signer certificates specifically for **bootstrapping new nodes** (e.g., `kubelet-bootstrap-kubeconfig-signer`) and **disaster recovery** (e.g., `admin-kubeconfig-signer`). These certificates are never automatically rotated by cluster operators, making Day-1 configuration critical.
      - **Shorter-lived certificates**: The installer also generates 1-year and 1-day signers, as well as serving and client certificates. These are rotated by cluster operators (most within 24 hours of installation), so they can be configured via the PKI resource post-installation.
      - **Simplicity**: Keeping installer configuration simple reduces complexity and potential for misconfiguration during cluster bootstrap.
      - **Source of truth**: The installer-generated PKI resource serves as the source of truth for ongoing operations.
      
      The installer will:
      1. Generate all signer certificates (10-year, 1-year, and 1-day) using the specified parameters (or defaults if not configured)
      2. Generate serving and client certificates using platform defaults
      3. Create the initial PKI resource with a `SignerCertificate` category configuration matching the install-config
      4. Document that administrators should configure serving and client certificate categories post-installation, and can optionally configure individual signers via `overrides` if finer-grained control is needed
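
The key handling in step 1 above, sketched as an added example (not code from the installer or the enhancement): the configured RSA size is applied to a 10-year signer, with a fallback when `pki` is not set. `KeyConfig` and `NewSigner` are hypothetical names, and the 2048-bit default and minimum are assumptions.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyConfig mirrors pki.signerCertificates.key from install-config (hypothetical type).
type KeyConfig struct {
	Algorithm  string // "RSA" is the only value the proposal shows
	RSAKeySize int    // rsa.keySize
}
const defaultRSABits, minRSABits = 2048, 2048 // both assumed for this example

// NewSigner builds a self-signed 10-year signer; a nil cfg means "not configured".
func NewSigner(cn string, cfg *KeyConfig) (*x509.Certificate, *rsa.PrivateKey, error) {
	bits := defaultRSABits
	if cfg != nil {
		if cfg.Algorithm != "RSA" || cfg.RSAKeySize < minRSABits {
			return nil, nil, fmt.Errorf("unsupported signer key config: %+v", *cfg)
		}
		bits = cfg.RSAKeySize
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	cert, key, err := NewSigner("admin-kubeconfig-signer", &KeyConfig{"RSA", 4096})
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.Subject.CommonName, key.N.BitLen(), "bits, expires", cert.NotAfter.Year())
}
```

Rejecting an undersized or unknown key configuration before any key is generated matters most for these signers, since they are never rotated automatically and a weak Day-1 choice would persist for the certificate's full lifetime.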

      Additionally, for the long-lived signer certs that the installer does not generate, e.g. etcd-signer, we would have to update the operator's render command to accept the PKI configuration and generate the signers accordingly.
      https://github.com/openshift/installer/blob/12154a3f1fbf8ca06e3d0a5684503bb6d7a793db/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L225-L234

       

              rhn-coreos-htariq Haseeb Tariq