OpenShift Request For Enhancement: RFE-3658

[Docs] - Request to rewrite the section Security.../Configuring Certificates


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Undefined
    • Component: Documentation

      1. Proposed title of this feature request

      [Docs] Request to rewrite the section Security.../Configuring Certificates, to better inform customers about changing the certificates in OpenShift.

      2. What is the nature and description of the request?

      Looking at the documentation [1], I see that the sections could be misleading about the actions that are needed to configure custom certificates in OpenShift.

      • "Replacing the default ingress certificate" - change the title to "Configuring the {default,custom} ingress certificate". The word "replacing" might give the impression that this document is the one needed for rotating the custom certificates. The next section, for the API, says "Adding API server certificates", which is better, even though that procedure also replaces the default API public certificate.
      • Add a section about rotating certificates. If you need to replace the custom certificate with a newer version, each section (ingress and API) should state that the first thing to do is to add the CA signer (if it was renewed too) to the trustedCA bundle, so that when the server certificate is changed, OpenShift will already trust it. This should be added as a pre-task to the rotation, for both the ingress and the API server.
      • Add a note about the best practice when rotating custom certificates: create a new secret/configmap instead of replacing the existing one. Let me explain: instead of replacing the "custom-ingress-certs" secret, it is better to create a new secret "custom-ingress-cert-2023" and edit the apiserver/ingresscontroller object with the new name. This allows the administrator to roll back in case the certificate or key is not correct. In case of rollback, the admin would only change the CR back to the old name, rather than recreate the secret from a backup.
      • Move the configuration of the trustedCA cluster-wide CA bundle from its previous location to the section "Security and Compliance/Configuring Custom CA Bundle". It would be better to have them in one section.
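      The rotation order the bullets above ask for, written out as an added shell example that is not part of this RFE or of the OpenShift documentation: the CA signer is published in the cluster-wide trust bundle and rolled out by the MCO first, the ingress and API server certificates are then loaded under a new secret name, and rollback is a single patch back to the previous secret name. The secret names, file paths and the API FQDN are constructed placeholders; the DRY_RUN switch is an addition so the command sequence can be inspected before it is run against a cluster.

```shell
#!/bin/sh
# Added example, not the RFE's or the OpenShift docs' own script.
# All names (custom-ca, ingress-2023, api-2023, api.example.com, file paths)
# are constructed placeholders.

# run prints the command when DRY_RUN=1 and executes it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pre-task: publish the (possibly renewed) CA signer in the cluster-wide
# trustedCA bundle and wait for the Machine Config Operator to roll it out
# to every node before any serving certificate is touched.
trust_new_ca() {
    ca_bundle_file="$1"   # PEM file with the new signer and any intermediates
    run oc create configmap custom-ca --from-file=ca-bundle.crt="$ca_bundle_file" -n openshift-config
    run oc patch proxy/cluster --type=merge --patch '{"spec":{"trustedCA":{"name":"custom-ca"}}}'
    run oc wait mcp --all --for=condition=Updated --timeout=30m
}

# Ingress: load the new serving cert under a NEW secret name and point the
# default ingresscontroller at it; the old secret stays in place for rollback.
rotate_ingress_cert() {
    new_secret="$1"; cert="$2"; key="$3"
    run oc create secret tls "$new_secret" --cert="$cert" --key="$key" -n openshift-ingress
    run oc patch ingresscontroller.operator default -n openshift-ingress-operator --type=merge \
        -p "{\"spec\":{\"defaultCertificate\":{\"name\":\"$new_secret\"}}}"
}

# API server: same pattern, as a named certificate for the external FQDN.
rotate_api_cert() {
    new_secret="$1"; cert="$2"; key="$3"; fqdn="$4"
    run oc create secret tls "$new_secret" --cert="$cert" --key="$key" -n openshift-config
    run oc patch apiserver cluster --type=merge \
        -p "{\"spec\":{\"servingCerts\":{\"namedCertificates\":[{\"names\":[\"$fqdn\"],\"servingCertificate\":{\"name\":\"$new_secret\"}}]}}}"
}

# Rollback: one patch back to the previous secret name; nothing is recreated
# from a backup because the old secret was never deleted.
rollback_ingress_cert() {
    old_secret="$1"
    run oc patch ingresscontroller.operator default -n openshift-ingress-operator --type=merge \
        -p "{\"spec\":{\"defaultCertificate\":{\"name\":\"$old_secret\"}}}"
}

# Whole rotation in the order the ticket recommends: trust first, then serving certs.
# Usage: rotate_all <ca-bundle.pem> <ingress-secret> <tls.crt> <tls.key> <api-secret> <api-fqdn>
rotate_all() {
    trust_new_ca "$1"
    rotate_ingress_cert "$2" "$3" "$4"
    rotate_api_cert "$5" "$3" "$4" "$6"
}

# Example invocation with constructed names, printed rather than executed:
# DRY_RUN=1 rotate_all ca-bundle.pem ingress-2023 tls.crt tls.key api-2023 api.example.com
```

      If the custom-ca configmap already exists from an earlier rotation, the create step needs to become a replace (for example `oc create configmap ... --dry-run=client -o yaml | oc apply -f -`); the `oc wait` on the machine config pools is the step that the cases described below were missing.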

      3. Why does the customer need this? (List the business requirements here)

      This is not customer specific; however, I've encountered a couple of cases where the process of changing certs was not correct (changing ingress or API first, before adding the CA bundle, or not waiting for the MCO to roll out the new CA to all the nodes before starting to configure the server certs), causing the cluster to go into a not-ready state and the control plane to crash.

      4. List any affected packages or components.
      docs

       [1] https://docs.openshift.com/container-platform/4.11/security/certificates/replacing-default-ingress-certificate.html

            sstout@redhat.com Stephanie Stout
            rhn-support-vwalek Vladislav Walek