Feature
Resolution: Unresolved
Major
Strategic Product Work
OCPSTRAT-714 Provide Detailed Administrative Control of all OCP Certs and Keys
33% To Do, 0% In Progress, 67% Done
XL
Feature Overview
We have a documented manual procedure (https://access.redhat.com/articles/regenerating_cluster_certificates) to rotate internal platform certificates. The platform should provide a declarative way to trigger this procedure. This feature creates a cluster-level API for the cluster admin to initiate that process.
This should allow cluster operators to watch this attribute for when a rotation is requested (e.g., "rotation requested") and report rotation status and progress (e.g., rotating, completed, failing). The concept is to provide a cluster-level certificate registry for the internal platform certificates.
Goals
Provide a source of truth for cluster certificates with a declarative API for triggering certificate rotation.
Requirements
- After the feature is implemented, a CI test should prevent the creation of cluster-level certificates that do not follow the notifications for cert rotation.
Out of Scope
High-level list of items that are out of scope. Initial completion during Refinement status.
Background
Provide any additional context needed to frame the feature. Initial completion during Refinement status.
Customer Considerations
Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. Initial completion during Refinement status.
Interoperability Considerations
Which other projects and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored in by the layered products? Initial completion during Refinement status.