
Commit 9740719

committed Jun 6, 2022
bz2062068 updating CA bundle certificates
additional changes xref update adoc not html xref fix fixed travis build error sme feedback peer review feedback
1 parent 4f28202 commit 9740719

6 files changed, +90 -0 lines changed

 

_topic_maps/_topic_map.yml

Lines changed: 2 additions & 0 deletions
@@ -739,6 +739,8 @@ Topics:
739739
File: api-server
740740
- Name: Securing service traffic using service serving certificates
741741
File: service-serving-certificate
742+
- Name: Updating the CA bundle
743+
File: updating-ca-bundle
742744
- Name: Certificate types and descriptions
743745
Dir: certificate_types_descriptions
744746
Distros: openshift-enterprise,openshift-origin

modules/ca-bundle-replacing.adoc

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * security/certificates/updating-ca-bundle.adoc
4+
5+
:_content-type: PROCEDURE
6+
[id="ca-bundle-replacing_{context}"]
7+
= Replacing the CA Bundle certificate
8+
9+
.Procedure
10+
11+
. Create a config map that includes the root CA certificate used to sign the wildcard certificate:
12+
+
13+
[source,terminal]
14+
----
15+
$ oc create configmap custom-ca \
16+
--from-file=ca-bundle.crt=</path/to/example-ca.crt> \//<1>
17+
-n openshift-config
18+
----
19+
<1> `</path/to/example-ca.crt>` is the path to the CA certificate bundle on your local file system.
20+
21+
. Update the cluster-wide proxy configuration with the newly created config map:
22+
+
23+
[source,terminal]
24+
----
25+
$ oc patch proxy/cluster \
26+
--type=merge \
27+
--patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
28+
----
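Review bot: the callout on the `oc create configmap` line is written as `\//<1>`, which breaks the shell line continuation if the command is copied as shown (the backslash escapes the following `/` rather than the newline, so `-n openshift-config` would run as a separate command); write it as `--from-file=ca-bundle.crt=</path/to/example-ca.crt> \ <1>`, with the callout separated from the continuation backslash. The step text also says the config map holds "the root CA certificate used to sign the wildcard certificate", but no wildcard certificate is defined anywhere in this module or its assembly, and the callout below describes the file as a CA certificate bundle; the step should say that the config map holds the CA bundle that platform components are to trust for egress connections. Two further gaps: `oc patch proxy/cluster` replaces whatever `spec.trustedCA.name` already references (for example the `user-ca-bundle` config map shown in the understanding module), so the procedure should tell the reader to carry those existing CAs into the new bundle or to update the referenced config map in place; and there is no verification step, such as checking that `trusted-ca-bundle` in `openshift-config-managed` contains the new certificate once the proxy validator has copied it.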

modules/ca-bundle-understanding.adoc

Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * security/certificates/updating-ca-bundle.adoc
4+
5+
:_content-type: SNIPPET
6+
[id="ca-bundle-understanding_{context}"]
7+
= Understanding the CA Bundle certificate
8+
9+
Proxy certificates allow users to specify one or more custom certificate authority (CA) used by platform components when making egress connections.
10+
11+
The `trustedCA` field of the Proxy object is a reference to a config map that contains a user-provided trusted certificate authority (CA) bundle. This bundle is merged with the {op-system-first} trust bundle and injected into the trust store of platform components that make egress HTTPS calls. For example, `image-registry-operator` calls an external image registry to download images. If `trustedCA` is not specified, only the {op-system} trust bundle is used for proxied HTTPS connections. Provide custom CA certificates to the {op-system} trust bundle if you want to use your own certificate infrastructure.
12+
13+
The `trustedCA` field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from required key `ca-bundle.crt` and copying it to a config map named `trusted-ca-bundle` in the `openshift-config-managed` namespace. The namespace for the config map referenced by `trustedCA` is `openshift-config`:
14+
15+
[source,yaml]
16+
----
17+
apiVersion: v1
18+
kind: ConfigMap
19+
metadata:
20+
name: user-ca-bundle
21+
namespace: openshift-config
22+
data:
23+
ca-bundle.crt: |
24+
-----BEGIN CERTIFICATE-----
25+
Custom CA certificate bundle.
26+
-----END CERTIFICATE-----
27+
----
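Review bot: the first paragraph has a number-agreement error, "one or more custom certificate authority (CA) used by platform components"; it should read "one or more custom certificate authorities (CAs) used by platform components". The sentence "Provide custom CA certificates to the {op-system} trust bundle if you want to use your own certificate infrastructure" contradicts the preceding sentence, which says the user bundle is merged with the {op-system} trust bundle; the reader supplies certificates through the config map referenced by `trustedCA`, not by editing the {op-system} bundle, and the sentence should say so. The example config map is named `user-ca-bundle`, while the procedure module included right after this one creates `custom-ca`; use one name in both modules or explain why they differ. Finally, since the text calls the `ca-bundle.crt` key a bundle but the example shows a single `BEGIN CERTIFICATE` / `END CERTIFICATE` block, it is worth stating that several CA certificates are supplied as concatenated PEM blocks under that one key.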

networking/enable-cluster-wide-proxy.adoc

Lines changed: 7 additions & 0 deletions
@@ -22,3 +22,10 @@ For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Mic
2222
include::modules/nw-proxy-configure-object.adoc[leveloffset=+1]
2323

2424
include::modules/nw-proxy-remove.adoc[leveloffset=+1]
25+
26+
[discrete]
27+
[role="_additional-resources"]
28+
== Additional resources
29+
30+
* xref:../security/certificates/updating-ca-bundle.adoc#ca-bundle-understanding_updating-ca-bundle[Replacing the CA Bundle certificate]
31+
* xref:../security/certificate_types_descriptions/proxy-certificates.adoc#customization[Proxy certificate customization]

security/certificates/replacing-default-ingress-certificate.adoc

Lines changed: 7 additions & 0 deletions
@@ -9,3 +9,10 @@ toc::[]
99
include::modules/customize-certificates-understanding-default-router.adoc[leveloffset=+1]
1010

1111
include::modules/customize-certificates-replace-default-router.adoc[leveloffset=+1]
12+
13+
[discrete]
14+
[role="_additional-resources"]
15+
== Additional resources
16+
17+
* xref:../../security/certificates/updating-ca-bundle.adoc#ca-bundle-understanding_updating-ca-bundle[Replacing the CA Bundle certificate]
18+
* xref:../../security/certificate_types_descriptions/proxy-certificates.adoc#customization[Proxy certificate customization]
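Review bot: the xref labelled "Replacing the CA Bundle certificate" points at `#ca-bundle-understanding_updating-ca-bundle`, which is the understanding module, not the replacing procedure (`ca-bundle-replacing_updating-ca-bundle`); fix the anchor or the link text so they agree, and keep it consistent with the identical link added to `networking/enable-cluster-wide-proxy.adoc` in this commit.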
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
:_content-type: ASSEMBLY
2+
[id="updating-ca-bundle"]
3+
= Updating the CA bundle
4+
include::_attributes/common-attributes.adoc[]
5+
:context: updating-ca-bundle
6+
7+
toc::[]
8+
9+
include::modules/ca-bundle-understanding.adoc[leveloffset=+1]
10+
11+
include::modules/ca-bundle-replacing.adoc[leveloffset=+1]
12+
13+
[discrete]
14+
[role="_additional-resources"]
15+
== Additional resources
16+
17+
* xref:../../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress_replacing-default-ingress[Replacing the default ingress certificate]
18+
* xref:../../networking/enable-cluster-wide-proxy.adoc#nw-proxy-configure-object_config-cluster-wide-proxy[Enabling the cluster-wide proxy]
19+
* xref:../../security/certificate_types_descriptions/proxy-certificates.adoc#customization[Proxy certificate customization]
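Review bot: the assembly title is "Updating the CA bundle" while the included modules are titled "Understanding the CA Bundle certificate" and "Replacing the CA Bundle certificate", and the xrefs added elsewhere in this commit use "Replacing" for a link that resolves to the understanding section; settle on one capitalization ("CA bundle") and one verb across the assembly, the module titles and the link text so the topic map entry, headings and cross-references all name the same thing.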
