OpenShift Bugs / OCPBUGS-34875

Documentation to replace API / OAUTH / INGRESS certificates in hosted control plane platforms

    • Important
    • OSDOCS Sprint 256, OSDOCS Sprint 257, OSDOCS Sprint 258
    • Release Note Not Required

      Description of problem:

         Hosted control plane platforms use a different method to replace the API/OAUTH/INGRESS certificates, and this should be documented.
      
      The traditional OCP product uses the following documentation to replace the certificates:
      
      # Replace ingress certificate
      
      https://docs.openshift.com/container-platform/4.15/security/certificates/replacing-default-ingress-certificate.html
      
      # Add custom certificate to the API server
      
      https://docs.openshift.com/container-platform/4.15/security/certificates/api-server.html
      
      HCP uses different, currently NOT SUPPORTED steps: the certificates have to be referenced in the HostedCluster resource as shown below. In this case the OAuth route certificate has to be replaced as well, which differs from OCP:
      
      
          apiVersion: hypershift.openshift.io/v1beta1
          kind: HostedCluster
          metadata:
            name: <your-hcp-cluster-name>
            namespace: <hosted-cluster-namespace>
          spec:
            configuration:
              apiServer:
                servingCerts:
                  namedCertificates:
                  - names:
                    - api.<your-hcp-cluster-domain>
                    servingCertificate:
                      name: secret-cert-api    # TLS secret in the same namespace as the HostedCluster
                  - names:
                    - <your-hcp-cluster-oauth-route>
                    servingCertificate:
                      name: secret-cert-oauth  # second TLS secret, one per certificate
      
      Here we need two secrets, one per certificate (API and OAuth). We also need to clarify whether hosted clusters get the ingress certificate replaced as described for the traditional OCP platforms.
      
      We also need to document that replacing the API certificate has drawbacks while https://issues.redhat.com/browse/OCPSTRAT-1516 is not implemented:
      
      - It may require reinstalling the hosted cluster once the feature https://issues.redhat.com/browse/OCPSTRAT-1516 is implemented
      - The HCP kubeconfig does not reconcile automatically with the newly configured certificates
      - The OCP console 'copy login command' does not work as expected with the updated certificates
        


              rhn-support-lahinson Laura Hinson
              rhn-support-bgomes Bruno Gomes
              Jie Zhao Jie Zhao