OpenShift Bugs: OCPBUGS-66154

HyperShift documentation missing OAuth serving certificate configuration


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.20.z, 4.21.0
    • Component/s: HyperShift
    • Rejected

      Description of problem

      The HyperShift documentation for configuring the Kube API server (kubeapi-server page) documents how to configure custom serving certificates via spec.configuration.apiServer.servingCerts.namedCertificates, but fails to mention that this same configuration also applies to the OAuth server.

      In HyperShift, both KAS and OAuth use the same GetNamedCertificates() function which reads from APIServer.ServingCerts.NamedCertificates:

      • KAS: control-plane-operator/controllers/hostedcontrolplane/v2/kas/config.go:76
      • OAuth: control-plane-operator/controllers/hostedcontrolplane/v2/oauth/config.go:66

      This is a significant deviation from standard OpenShift where:

      • KAS certificates are configured via apiserver.config.openshift.io resource
      • OAuth certificates are configured separately via Ingress componentRoutes

      Users familiar with OCP will not find OAuth certificate configuration documented anywhere in HyperShift docs.

      Version-Release number of selected component (if applicable)

      All HyperShift versions - documentation issue

      How reproducible

      Always

      Steps to Reproduce

      Actual results

      • The KAS documentation only mentions KAS, with no indication it also affects OAuth
      • The OAuth documentation section only covers identity providers (OpenID, etc.)
      • There is no documentation about configuring custom OAuth serving certificates
      • The coupling between KAS and OAuth certificate configuration is not documented
      • The difference from standard OCP behavior is not mentioned

      Expected results

      Documentation should:

      • Clearly state in the KAS section that namedCertificates applies to both KAS and OAuth servers
      • Add an OAuth serving certificate configuration section explaining how to configure custom OAuth certificates
      • Note the deviation from standard OCP where OAuth uses Ingress componentRoutes mechanism
      • Provide an example of configuring certificates for OAuth hostname

      Additional info

      Related feature request: OCPSTRAT-2549 - Support configuring certificates to OAuth in hosted clusters

      Code references:

      • clusterconfig.go:45-50: GetNamedCertificates() reads from APIServer.ServingCerts.NamedCertificates
      • oauth/config.go:66: OAuth uses the same named certificates
      • kas/config.go:76: KAS uses the same named certificates

      Suggested documentation additions:

      For KAS page, add a note:

      Note: The namedCertificates configuration applies to both the Kubernetes API Server and the OAuth server. Certificates matching the OAuth endpoint hostname will be served by the OAuth server. This differs from standalone OpenShift, where OAuth certificates are configured separately via the Ingress operator's componentRoutes.

      For OAuth section, add:

      Configuring OAuth Server Certificates

      To configure custom serving certificates for the OAuth server, use spec.configuration.apiServer.servingCerts.namedCertificates with hostnames matching your OAuth endpoint.
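      The following HostedCluster fragment is an added example, not text from the bug report or from the HyperShift documentation: it shows one namedCertificates list carrying an entry for the API server hostname and an entry for the OAuth hostname, which in HyperShift is read by both servers through the same GetNamedCertificates() path. The cluster name, namespace, hostnames and Secret names are placeholders; that the TLS Secrets live in the HostedCluster's own namespace is an assumption.

```yaml
# Added example (not from the bug report or HyperShift docs).
# Cluster name, namespace, hostnames and Secret names are placeholders.
apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  name: example-cluster        # placeholder
  namespace: clusters          # placeholder
spec:
  configuration:
    apiServer:
      servingCerts:
        namedCertificates:
          # Entry matched by the Kubernetes API server hostname.
          - names:
              - api.example-cluster.hypershift.example.com     # placeholder KAS hostname
            servingCertificate:
              name: kas-serving-cert      # kubernetes.io/tls Secret (assumed: same namespace as the HostedCluster)
          # HyperShift feeds this same list to the OAuth server, so an entry whose
          # name matches the OAuth route hostname is served by OAuth as well.
          - names:
              - oauth.example-cluster.hypershift.example.com   # placeholder OAuth hostname
            servingCertificate:
              name: oauth-serving-cert    # kubernetes.io/tls Secret (assumed: same namespace as the HostedCluster)
---
# TLS Secret referenced by the OAuth entry above (contents are placeholders).
apiVersion: v1
kind: Secret
metadata:
  name: oauth-serving-cert
  namespace: clusters
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM certificate chain>   # placeholder
  tls.key: <base64-encoded PEM private key>         # placeholder
```

      To confirm which certificate each endpoint actually presents, connect with SNI set to the hostname, for example `openssl s_client -servername oauth.example-cluster.hypershift.example.com -connect oauth.example-cluster.hypershift.example.com:443 </dev/null | openssl x509 -noout -subject -issuer`, and compare the subject against the entry you expect.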

      Assignee: Unassigned
      Reporter: Antoni Segura Puimedon (asegurap1@redhat.com)
      Yu Li
      Votes: 0
      Watchers: 3