Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-693

Implement Rotation Procedure for Hypershift Cluster CAs/Certs/Keys

XMLWordPrintable

    • Proactive Architecture
    • False
    • Hide

      None

      Show
      None
    • False
    • XCMSTRAT-276(P0) ROSA HCP Critical Features + Bugs
    • 50% To Do, 0% In Progress, 50% Done
    • 9
    • 0

      Problem & Overview

      Currently, the existing procedure for full rotation of all cluster CAs/certs/keys is not suitable for Hypershift. Several oc helper commands added for this flow are not functional in Hypershift. Therefore, a separate and tailored procedure is required specifically for Hypershift post its General Availability (GA) stage.

       

      Background

      Most of the rotation procedure can be performed on the management side, given the decoupling between the control-plane and workers in the HyperShift architecture.

      That said, it is important to ensure and assess the potential impacts on customers and guests during the rotation process, especially on how they affect SLOs and disruption budgets. 

       

      Why care? 

      • Additional Security: Regular rotation of cluster CAs/certs/keys is essential for maintaining a secure environment. Adapting the rotation procedure for Hypershift ensures that security measures align with its specific requirements and limitations.
      • Compliance and Governance: Maintaining compliance(e.g., FIPS). Rotating certificates produced by non-compliant modules in Hypershift clusters is essential to align with FIPS requirements and mitigate future compliance risks...

            azaalouk Adel Zaalouk
            azaalouk Adel Zaalouk
            William Caban
            Jie Zhao Jie Zhao
            Matthew Werner Matthew Werner
            David Eads David Eads
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated: