Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-714

Provide Detailed Administrative Control of all OCP Certs and Keys

XMLWordPrintable

    • 18% To Do, 18% In Progress, 64% Done
    • XL
    • False
    • Hide

      None

      Show
      None

      Outcome Overview
       
      This outcome aims to identify and address any difference in the OCP keys & cert management of the OCP internal platform components. 
       
      All cluster-level operators must provide the following capabilities:  

      1. Automatic recovery for expired certificates (on boot & disaster recovery) for control plane and cluster operators
      2. Have a CI test for the manual cert rotation process
      3. Default to at least 2048 bits certs
      4. Deprecate the use of weak ciphers. Default to strong ciphers
      5. Clean and revoke old signer
      6. Automated rotation of keys & certs
      7. The certificate should NOT be valid for more than 24 months (avoid 10yr certs). Replaced by the ability for OCP core components to recover from expired certificates (e.g., if the cluster has been shut down or in hibernation for 90 days).
      8. Ability to regenerate top-level CA
      9. Certificate Ownership (OCPSTRAT-709), remove cert-generation code from the installer
      10. [Dependant on Enhancement Porposal] Provide hooks for cluster-level API to trigger cert rotation as day-2 operation (OCPSTRAT-817)
      11. Have CI tests validating all previous points

       

      [Red Hat Internal document] List of operators that should have these capabilities.

       

      Success Criteria

      This outcome will be considered completed once the core cluster operators have achieved the same capabilities and level of testing.

       

      For the Outcome card to be feature complete, the platform should have the capabilities described in the previous section.

       

      Expected Results (what, how, when)

      This outcome will have an incremental delivery. Part of this work started with the FIPS CVE [1] and will continue during the subsequent few releases.

      [1] https://access.redhat.com/articles/regenerating_cluster_certificates

       

      Post Completion Review – Actual Results

      The list at the beginning of this card should serve as the check list.

       

              racedoro@redhat.com Ramon Acedo
              wcabanba@redhat.com William Caban
              David Eads David Eads
              Adel Zaalouk, Anjali Telang, Daniel Fröhlich, Daniel Messer, Marc Curry, Maria Simon Marcos, Mark Russell, Ramon Acedo
              Tushar Katarki Tushar Katarki
              Votes:
              1 Vote for this issue
              Watchers:
              26 Start watching this issue

                Created:
                Updated: