Feature Request
Resolution: Done
Normal
openshift-4.11.z
1. Proposed title of this feature request
Rotated Service Signer certificates cross-signed by old CA
2. What is the nature and description of the request?
Customers use service serving certificates to secure services within OpenShift Container Platform. As described in the documentation, these CAs and certificates are rotated automatically. Customers often add the Service Signer CA certificate to their base image so that applications can use it (for example from a Java keystore).
When the Service CA certificate is rotated automatically, the corresponding certificates in users' namespaces are regenerated automatically as well (when the user is using "service.beta.openshift.io/inject-cabundle") with the new CA, as expected.
However, when customers have added the Service Signer CA certificate to their base image, the new certificates are not trusted by the containers that are still running, because those containers do not know the new Service Signer CA certificate. This causes a disruption whenever the Service Signer CA is rotated: the customer needs to be aware of the rotation, update the base image and rebuild all container images. This is not ideal.
This request asks for a mechanism that lets customers keep using the newly generated Service Signer certificates until the original Service Signer CA certificate expires, so that this disruption is avoided. For example, the newly rotated certificates could be cross-signed by both the new and the old Service Signer CA.
Customers would still need to add the new Service Signer CA certificate to their base image, but they would have until the old CA expires to do so, and images are typically rebuilt within that time.
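The cross-signing proposal above, as an added Go example that is not part of this request or of the service-ca controller's code: using only Go's standard crypto/x509, it builds an old CA, a rotated CA, a copy of the rotated CA cross-signed by the old CA, and a service certificate issued by the rotated CA, then checks which trust stores verify that certificate. The CA names, serial numbers and the svc.ns.svc service name are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate is a minimal one-day CA template (hypothetical names, not the controller's real ones).
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// sign issues tmpl for pub under key, which must be parent's key; parent == nil means self-signed.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// CrossSignedRotation issues a service cert from the rotated CA and verifies it against a trust store
// holding only the old CA (a stale base image), without and with the cross-signed copy of the new CA
// as an intermediate, and against a trust store holding only the new CA.
func CrossSignedRotation() (oldNoCross, oldWithCross, newTrust bool) {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	svcPub, _, _ := ed25519.GenerateKey(rand.Reader)
	oldCA := sign(caTemplate("old-service-ca", 1), nil, oldPub, oldKey)
	newCA := sign(caTemplate("new-service-ca", 2), nil, newPub, newKey)
	cross := sign(caTemplate("new-service-ca", 3), oldCA, newPub, oldKey) // newCA's subject and key, issued by oldCA
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(4), DNSNames: []string{"svc.ns.svc"},
		NotBefore: newCA.NotBefore, NotAfter: newCA.NotAfter}, newCA, svcPub, newKey)
	withCross := x509.NewCertPool()
	withCross.AddCert(cross) // what the service would serve alongside its certificate
	verify := func(root *x509.Certificate, inter *x509.CertPool) bool {
		roots := x509.NewCertPool()
		roots.AddCert(root)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "svc.ns.svc"})
		return err == nil
	}
	return verify(oldCA, nil), verify(oldCA, withCross), verify(newCA, nil)
}
```

The first result is the disruption described above (old trust store, no cross-signed intermediate); the second shows the cross-signed intermediate bridging to the old CA, and the third that clients already updated to the new CA are unaffected.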
3. Why does the customer need this? (List the business requirements here)
Avoiding business disruption when the Service Signer CA is rotated. Not all applications can dynamically reload certificates and CAs at runtime; this RFE would resolve that issue.
4. List any affected packages or components.
service-ca controller