How to configure an additional clientCA for the OpenShift API server

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4

Issue

  • A new trusted client Certification Authority for API requests needs to be added

Resolution

Follow these steps to add an additional client CA:

  1. Import the CA certificate into a configmap in the openshift-config namespace. The CA file must be in PEM format:

     $ oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt

  2. Patch the APIServer instance so it references the new configmap:

     $ oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
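As an added example that is not part of this article, the following stdlib-only Python helper checks the CA bundle before it is imported (an empty, DER-encoded or truncated file is accepted by oc create configmap but gives the API server no usable client CA) and produces the ConfigMap manifest and the merge patch that the two oc commands above apply; the configmap name, namespace and the PEM sample are assumptions or constructed placeholders.

```python
import base64
import re

# Key the APIServer reads from the clientCA configmap (matches --from-file above).
CONFIGMAP_KEY = "ca-bundle.crt"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a CA bundle: a 5-byte DER SEQUENCE, NOT a real certificate.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def validate_ca_bundle(pem_text):
    """Return the number of well-formed PEM certificates in the bundle.

    Raises ValueError for the common mistakes: no PEM block at all (DER file
    or a key instead of a cert), corrupt base64, or a body that is not DER."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE block found (DER file or wrong file?)")
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"certificate {i}: invalid base64 ({exc})")
        # Every DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate {i}: body is not a DER SEQUENCE")
    return len(blocks)


def bundle_problem(pem_text):
    """None if the bundle passes validation, otherwise the error message."""
    try:
        validate_ca_bundle(pem_text)
        return None
    except ValueError as exc:
        return str(exc)


def configmap_manifest(pem_text, name="client-ca-custom", namespace="openshift-config"):
    """ConfigMap equivalent to 'oc create configmap ... --from-file=ca-bundle.crt=ca.crt'."""
    validate_ca_bundle(pem_text)
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "namespace": namespace},
            "data": {CONFIGMAP_KEY: pem_text}}


def apiserver_patch(name="client-ca-custom"):
    """Merge patch body used by 'oc patch apiserver cluster --type=merge -p ...'."""
    return '{"spec": {"clientCA": {"name": "%s"}}}' % name
```

The manifest dict can be written out with json.dump and applied with oc apply -f; the patch string is passed verbatim to -p.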

After the new CA has been added, any API request that presents an X.509 client certificate signed by that CA, and whose subject maps to a valid user, is authenticated successfully.

Root Cause


Please refer to the upstream Kubernetes documentation (kubernetes.io - Authentication - X.509 client certificates) for more details about client certificates.

Diagnostic Steps

A new APIServer clientCA can be added via the RHOCP API, as referenced in the RHOCP 4.12 documentation.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.