Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-693

Implement Rotation Procedure for Hypershift Cluster CAs/Certs/Keys

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • XCMSTRAT-276(P0) ROSA HCP Critical Features + Bugs
    • 50
    • 50% 50%
    • 0
    • 0

    Description

      Problem & Overview

      Currently, the existing procedure for full rotation of all cluster CAs/certs/keys is not suitable for Hypershift. Several oc helper commands added for this flow are not functional in Hypershift. Therefore, a separate and tailored procedure is required specifically for Hypershift post its General Availability (GA) stage.

       

      Background

      Most of the rotation procedure can be performed on the management side, given the decoupling between the control-plane and workers in the HyperShift architecture.

      That said, it is important to ensure and assess the potential impacts on customers and guests during the rotation process, especially on how they affect SLOs and disruption budgets. 

       

      Why care? 

      • Additional Security: Regular rotation of cluster CAs/certs/keys is essential for maintaining a secure environment. Adapting the rotation procedure for Hypershift ensures that security measures align with its specific requirements and limitations.
      • Compliance and Governance: Maintaining compliance(e.g., FIPS). Rotating certificates produced by non-compliant modules in Hypershift clusters is essential to align with FIPS requirements and mitigate future compliance risks...

      Attachments

        Issue Links

          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. HOSTEDCP-457 Implement CA Certificate Rotation

          • Critical - To be worked on immediately following BLOCKER issues.
          • New

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. HOSTEDCP-1256 Create a short lived signer with rotation for signing customer certs

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-855 Ensure HyperShift Deployed Components Meet New Cert Handling Criteria

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Backlog

          Activity

            People

              azaalouk Adel Zaalouk
              azaalouk Adel Zaalouk
              William Caban
              Yu Li (李宇) Yu Li (李宇)
              Stephanie Stout Stephanie Stout
              David Eads David Eads
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: