Bug 1269558
| Summary: | [RFE] Allow the OpenShift Master to use a different certificate for public urls | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Wesley Hearn <whearn> |
| Component: | Documentation | Assignee: | Vikram Goyal <vigoyal> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Vikram Goyal <vigoyal> |
| Severity: | medium | Docs Contact: | Vikram Goyal <vigoyal> |
| Priority: | unspecified | ||
| Version: | 3.0.0 | CC: | agrimm, aos-bugs, erich, jliggitt, jokerman, mmccomas, vigoyal, whearn |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-17 10:26:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1303130 | ||
|
Description
Wesley Hearn
2015-10-07 14:37:50 UTC
Custom certificates can be set for both public and private hostnames with named certificates. https://docs.openshift.com/enterprise/3.1/install_config/install/advanced_install.html#advanced-install-custom-certificates When a custom certificate is used for a private hostname, the CA for the custom certificate must be included in the trusted bundle distributed to nodes and used by the master. The certificate-generating commands allow including a custom CA bundle (added in https://github.com/openshift/origin/pull/7839, ansible work to make use of that tracked in https://github.com/openshift/openshift-ansible/issues/1535) To use a custom certificate for the master IP (not an SNI hostname), the primary certificate would have to be replaced. That will work as long as the custom certificate includes all the same subjectAltNames as the default cert, and also requires providing the custom CA bundle. (In reply to Jordan Liggitt from comment #2) Do you have what you need, to consider this closed? If not what more do you need, Tooling, more documentation? Yeah, AFAIK we are set on our end related to this. I am moving this over to documentation, as the OSE docs simply need to pull in updates from Origin, to correct this request. @Vikram, can you look at prioritizing this? (In reply to Eric Rich from comment #5) > I am moving this over to documentation, as the OSE docs simply need to pull > in updates from Origin, to correct this request. > > @Vikram, can you look at prioritizing this? If I understand this correctly, this feature is available in Enterprise 3.2 (current release)? If yes, then I will schedule it in for a docs update. Thanks! It looks that way. Jordan can you confirm? I can confirm for him
servingInfo:
bindAddress: 0.0.0.0:443
bindNetwork: tcp4
certFile: master.server.crt
clientCA: ca.crt
keyFile: master.server.key
maxRequestsInFlight: 500
namedCertificates:
- certFile: /etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.crt
keyFile: /etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.key
names:
- api.clusterid.openshift.com
- console.clusterid.openshift.com
requestTimeoutSeconds: 3600
it's been available since 3.1, and is referenced in the docs for both 3.1 and 3.2 (In reply to Jordan Liggitt from comment #9) > it's been available since 3.1, and is referenced in the docs for both 3.1 > and 3.2 If this is already in the docs, then nothing more needs to be done from the docs point of view. Eric - is that ok with you? |