- Bug
- Resolution: Done
- Major
- 4.15
- Important
- None
- 5
- OSDOCS Sprint 256, OSDOCS Sprint 257, OSDOCS Sprint 258
- 3
- False
- n/a
- Release Note Not Required
Description of problem:
Hosted control plane platforms have different methods to replace the API/OAUTH/INGRESS certificates, and this should be documented. The traditional OCP product uses the below documentation to replace the certificates:

    # Replace ingress certificate
    https://docs.openshift.com/container-platform/4.15/security/certificates/replacing-default-ingress-certificate.html

    # Add custom certificate to the API server
    https://docs.openshift.com/container-platform/4.15/security/certificates/api-server.html

The HCP has different NOT SUPPORTED steps, where the certificates should be mentioned in the following HostedCluster CRD. In this case, the oauth route certificate should be replaced as well, which is different from OCP:

    configuration:
      apiServer:
        servingCerts:
          namedCertificates:
          - names:
            - api.<your-hcp-cluster-domain>
            servingCertificate:
              name: secret-cert-api
          - names:
            - <your-hcp-cluster-oauth-route>
            servingCertificate:
              name: secret-cert-oauth

Where we should have 2 secrets, one per certificate (API and OAUTH).

Also, we need to clarify if the hostedclusters will have the ingress certificate replaced as mentioned in the traditional OCP platforms.

We need to clarify that the API certificate replacement has some drawbacks to consider while https://issues.redhat.com/browse/OCPSTRAT-1516 is not implemented:

- It may require the hosted cluster reinstallation when the feature https://issues.redhat.com/browse/OCPSTRAT-1516 is implemented
- The HCP kubeconfig does not reconcile automatically with the new configured certificates
- OCP console 'copy login command' does not work as expected with the updated certificates
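An added example, not part of the ticket or of any Red Hat tooling: a pre-apply check that a HostedCluster `configuration` block carries a `namedCertificates` entry for both the API hostname and the OAuth route, each pointing at its own secret, as the description requires. The function names, the sample hostnames and the one-label treatment of a leading wildcard are assumptions made for illustration.

```python
# Added example: validates the namedCertificates layout described in the ticket.
def _covers(pattern, host):
    """True if a namedCertificates name covers host (exact or leading '*.')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Assumption: a leading wildcard matches exactly one DNS label.
        _, _, parent = host.partition(".")
        return bool(parent) and parent == pattern[2:]
    return pattern == host

def check_named_certificates(configuration, api_host, oauth_host):
    """Return a list of problems; an empty list means both hosts are covered."""
    entries = (configuration.get("apiServer", {})
               .get("servingCerts", {})
               .get("namedCertificates") or [])
    problems, secret_for = [], {}
    for label, host in (("API", api_host), ("OAuth", oauth_host)):
        matches = [e for e in entries
                   if any(_covers(n, host) for n in e.get("names") or [])]
        if not matches:
            problems.append(f"{label}: no namedCertificates entry covers {host}")
            continue
        secret = (matches[0].get("servingCertificate") or {}).get("name")
        if not secret:
            problems.append(f"{label}: entry for {host} has no servingCertificate.name")
        secret_for[label] = secret
    if secret_for.get("API") and secret_for.get("API") == secret_for.get("OAuth"):
        problems.append("API and OAuth use the same secret; expected one per certificate")
    return problems

# Constructed sample values (hostnames are placeholders, not from the ticket).
API_HOST = "api.hcp.example.com"
OAUTH_HOST = "oauth-clusters-hcp.apps.mgmt.example.com"
GOOD = {"apiServer": {"servingCerts": {"namedCertificates": [
    {"names": [API_HOST], "servingCertificate": {"name": "secret-cert-api"}},
    {"names": [OAUTH_HOST], "servingCertificate": {"name": "secret-cert-oauth"}},
]}}}
# Only the API name is present; the OAuth route entry is missing.
API_ONLY = {"apiServer": {"servingCerts": {"namedCertificates": [
    {"names": [API_HOST], "servingCertificate": {"name": "secret-cert-api"}},
]}}}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("API_ONLY", API_ONLY)):
        print(name, check_named_certificates(cfg, API_HOST, OAUTH_HOST) or "ok")
```

The check only inspects the manifest; it does not confirm that the referenced secrets exist or that their certificates list the same hostnames.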