Feature Overview

Provide the capability to configure OAuth certificates for Hosted Clusters.

Currently, there is no apparent mechanism to manage these certificates. Customers require this to ensure valid, trusted certificates are presented during the user authentication process and, more broadly, to manage their Hosted Cluster's OAuth certificates in a scalable manner.

This primarily affects the Hosted Cluster OAuth certs component.

E2E Testing and Documentation

HyperShift code includes options to do this. This feature should add e2e testing and documentation for it.

See relevant code:

https://github.com/openshift/hypershift/blob/77142f36d13ff6ddfb39fa1038c1b63dbf58e297/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/config.go#L66 

https://github.com/openshift/hypershift/blob/7ed7eb9d6f4e331efdb697a6cca88f428a4b322d/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/clusterconfig.go#L45 

Notes:

bluddy and lszaszki@redhat.com  checked how apiServer.spec.servingCerts is used in ocp. It appears that this field is used only by kas. For customising the oauth-server’s serving certificates, ocp has a different mechanism.The fact that the oauth-server on hcp uses apiServer.spec.servingCerts is probably a bug and another difference between the two products.