Bug 1420097

Summary: [RFE] Use the Customer provided CA for all of the certificates for OpenShift
Product: OpenShift Container Platform
Reporter: Eric Jones <erjones>
Component: RFE
Assignee: Scott Dodson <sdodson>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: low
Priority: high
Version: 3.4.0
CC: aos-bugs, cscribne, erich, jokerman, jrfuller, knewcomer, mbarrett, mmccomas, mmckinst, mnozell, myllynen, sdodson, stwalter
Target Release: 3.11.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-04-02 14:38:56 UTC
Type: Bug

Description Eric Jones 2017-02-07 19:54:14 UTC
- What is the nature and description of the request? 
As an admin I require the ability to use my own CA for all of the certificates within the cluster. This includes all of the certs used by etcd, and between each system in the cluster.

- Why does the customer need this? (List the business requirements here) 
They do not feel the security of the OpenShift-signed certificates is high enough to be properly safe.

- How would the customer like to achieve this? (List the functional requirements here) 
One suggestion was to potentially run an Ansible playbook to generate all the required CSRs, and let the customer send the CSRs to their CA. When the certificates are generated they are placed in a directory where Ansible can find them while running installation, update, or expansion playbooks.

- Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I could easily find.

Comment 21 Scott Dodson 2019-04-02 14:38:56 UTC
https://blog.openshift.com/considerations-on-openshift-pkis-and-certificates/ outlines the supported aspects of CA configuration. No further work on using a provided CA will be delivered.