OpenShift Request For Enhancement: RFE-6853

Allow custom certificates for platform routes (Console, Oauth, Downloads) to live in a different namespace than openshift-config

Type: Feature Request
Resolution: Unresolved

      1. Proposed title of this feature request

      Allow custom certificates for platform routes (Console, Oauth, Downloads) to live in a different namespace than openshift-config

      2. What is the nature and description of the request?

      Currently, users can configure custom certificates for the platform routes by following the existing docs [1]. The Ingress resource expects the secrets containing the custom TLS certificates to live in the openshift-config namespace.

      This behavior affects users of an automated certificate management solution such as cert-manager, which stores the issued certificate in the namespace where the CertificateRequest was created.

      Users can copy secrets from one namespace to the other as a workaround, but this is not convenient.

      [1] https://docs.openshift.com/container-platform/4.17/web_console/customizing-the-web-console.html#customizing-the-console-route_customizing-web-console

      3. Why does the customer need this? (List the business requirements here)

      To be able to use custom certificates defined in secrets outside the openshift-config namespace.

      4. List any affected packages or components.

      Ingress Operator


      A longer explanation of the use case we have tested.

      With CertManager we can create a Certificate like this:

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: custom-console-cert
        namespace: openshift-console
        annotations:
          acme.cert-manager.io/http01-edit-in-place: "true"
      spec:
        privateKey:
          rotationPolicy: "Always"
        duration: "1h"
        dnsNames:
        - 'openshift-console.apps.mycluster.com'
        issuerRef:
          group: cert-manager.io
          kind: ClusterIssuer
          name: marioca-acme
        secretName: custom-console-cert
        usages:
        - digital signature
        - key encipherment

      In this case, a route is created in the namespace "openshift-console" to answer the ACME HTTP01 challenge; once the challenge passes, the TLS keypair is stored in the secret "custom-console-cert", and we want to use this certificate as the custom cert for the console. We modify the cluster Ingress resource:

      apiVersion: config.openshift.io/v1
      kind: Ingress
      metadata:
        name: cluster
      spec:
        componentRoutes:
        - name: console
          namespace: openshift-console
          hostname: 'openshift-console.apps.mycluster.com'
          servingCertKeyPairSecret:
            name: custom-console-cert

      In this case, the cert-manager generated certificate does not exist in the namespace "openshift-config", so the configuration fails. We need a solution where the Ingress operator either looks in the right namespace automatically or allows a specific namespace to be defined for each secret referenced in the configuration.
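      The workaround mentioned above (copying the secret into openshift-config) is easy to get wrong by hand, because a raw `oc get -o json` dump carries server-managed metadata and an ownerReference to the cert-manager Certificate in the source namespace. The following script, added here as an example and not part of the RFE, OpenShift or cert-manager, rewrites such a dump into a manifest that can be applied to openshift-config. It assumes the input is the JSON of a kubernetes.io/tls Secret; the sample secret, its base64 payloads and the `example.local/copied-from-namespace` annotation are constructed for the example.

```python
"""Relocate a cert-manager issued TLS Secret into openshift-config.

Example code for the workaround described in the RFE; not OpenShift's or
cert-manager's own tooling. Intended pipeline (oc invocations assumed):

  oc get secret custom-console-cert -n openshift-console -o json \
    | python3 relocate_secret.py | oc apply -f -
"""
import base64
import json
import sys

# Annotation recording where the copy came from. Assumed name for this
# example, not an OpenShift or cert-manager convention.
SOURCE_ANNOTATION = "example.local/copied-from-namespace"

# cert-manager marks the Secrets it manages with annotations under this
# prefix; the copy is not managed by cert-manager, so they are not carried over.
_CERT_MANAGER_PREFIX = "cert-manager.io/"


def relocate_tls_secret(secret: dict, target_namespace: str) -> dict:
    """Return a manifest that recreates `secret` in `target_namespace`.

    Only name, labels, non-cert-manager annotations and the TLS payload are
    copied. Server-managed fields (uid, resourceVersion, creationTimestamp,
    managedFields) and ownerReferences are deliberately left out: an owner
    in another namespace is invalid, and stale uid/resourceVersion values
    would make `oc apply` fail or mis-track the object.

    Raises ValueError unless the input is a kubernetes.io/tls Secret with
    both tls.crt and tls.key, which is what servingCertKeyPairSecret needs.
    """
    if secret.get("kind") != "Secret" or secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a Secret of type kubernetes.io/tls")
    data = secret.get("data") or {}
    missing = [k for k in ("tls.crt", "tls.key") if not data.get(k)]
    if missing:
        raise ValueError(f"secret is missing required keys: {missing}")

    src_meta = secret.get("metadata") or {}
    annotations = {
        k: v for k, v in (src_meta.get("annotations") or {}).items()
        if not k.startswith(_CERT_MANAGER_PREFIX)
    }
    annotations[SOURCE_ANNOTATION] = src_meta.get("namespace", "")

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {
            "name": src_meta["name"],
            "namespace": target_namespace,
            "labels": dict(src_meta.get("labels") or {}),
            "annotations": annotations,
        },
        # ca.crt is optional; cert-manager adds it for some issuers.
        "data": {k: data[k] for k in ("tls.crt", "tls.key", "ca.crt") if k in data},
    }


# Constructed sample mirroring what `oc get secret custom-console-cert
# -n openshift-console -o json` returns for the Certificate in this RFE.
# The payloads are placeholders, not a real keypair.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {
        "name": "custom-console-cert",
        "namespace": "openshift-console",
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2024-01-01T00:00:00Z",
        "annotations": {
            "cert-manager.io/certificate-name": "custom-console-cert",
            "cert-manager.io/issuer-name": "marioca-acme",
        },
        "ownerReferences": [{"kind": "Certificate", "name": "custom-console-cert"}],
    },
    "data": {
        "tls.crt": base64.b64encode(b"PLACEHOLDER-CERT").decode(),
        "tls.key": base64.b64encode(b"PLACEHOLDER-KEY").decode(),
    },
}


if __name__ == "__main__":
    # Read the source Secret from stdin, write the relocated manifest to stdout.
    source = json.load(sys.stdin)
    json.dump(relocate_tls_secret(source, "openshift-config"), sys.stdout, indent=2)
```

      Note that this is a one-shot snapshot: with the Certificate above using `duration: "1h"` and `rotationPolicy: "Always"`, cert-manager rewrites the source secret on every renewal, and the copy in openshift-config goes stale until the pipeline is run again (for example from a controller or a scheduled job watching the source secret). That recurring resync is exactly the inconvenience the RFE asks to remove.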

      People: Ramon Acedo (racedoro@redhat.com), Mario Vazquez Cebrian (mavazque@redhat.com)