- Outcome
- Resolution: Unresolved
- Critical
- None
- None
- 20% To Do, 20% In Progress, 60% Done
- XL
- False
Outcome Overview
This outcome aims to identify and address any differences in how the OCP internal platform components manage keys and certificates.
All cluster-level operators must provide the following capabilities:
- Automatic recovery for expired certificates (on boot & disaster recovery) for control plane and cluster operators
- Have a CI test for the manual cert rotation process
- Default to at least 2048-bit certs
- Deprecate the use of weak ciphers. Default to strong ciphers
- Clean and revoke old signer
- Automated rotation of keys & certs
- The certificate should NOT be valid for more than 24 months (avoid 10yr certs). Replaced by the ability for OCP core components to recover from expired certificates (e.g., if the cluster has been shut down or in hibernation for 90 days).
- Ability to regenerate top-level CA
- Certificate Ownership (OCPSTRAT-709), remove cert-generation code from the installer
- [Dependent on Enhancement Proposal] Provide hooks for cluster-level API to trigger cert rotation as day-2 operation (OCPSTRAT-817)
- Have CI tests validating all previous points
[Red Hat Internal document] List of operators that should have these capabilities.
Success Criteria
This outcome will be considered completed once the core cluster operators have achieved the same capabilities and level of testing.
For the Outcome card to be feature complete, the platform should have the capabilities described in the previous section.
Expected Results (what, how, when)
This outcome will have an incremental delivery. Part of this work started with the FIPS CVE [1] and will continue during the subsequent few releases.
[1] https://access.redhat.com/articles/regenerating_cluster_certificates
Post Completion Review – Actual Results
The list at the beginning of this card should serve as the checklist.
- blocks
  - OCPSTRAT-319 [internal] Explore options for hitless automatic defrag of etcd (In Progress)
  - OCPSTRAT-775 Auto-reconfigure Kubelet on cluster name or domain change (Closed)
  - OCPSTRAT-774 Auto-reconfigure APIServer on cluster name or domain change (Closed)
  - OCPSTRAT-778 Auto-reconfigure AUTH on cluster name or domain change (Closed)
- is blocked by
  - API-1603 Fallback (Protocol) for Emergency Certificate Rotation (In Progress)
  - OCPSTRAT-1395 Automated control-plane recovery from expired certificates (hibernation) (In Progress)
  - OCPSTRAT-721 Workload owned certificates created by workload-code (Closed)
- is depended on by
  - RFE-3719 Allow cluster-admin to delay kube-apiserver rollout time on SNO (Rejected)
- relates to
  - RFE-5494 Track skew related to a cluster's born-in version (Accepted)
  - OCPSTRAT-855 Ensure HyperShift Deployed Components Meet New Cert Handling Criteria (Backlog)
  - OCPSTRAT-620 OCP reconfiguration (Closed)