Description of problem:
I would like to have a common signed cert that handles the public aspect of the openshift-master (api and console endpoints).

Version-Release number of selected component (if applicable):
openshift-master-3.0.2.0-0.git.16.4d626fe.el7ose.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
A single certificate that is tied to both the external and internal IP and DNS names.

Expected results:
A certificate for the public IP/DNS names (that can be signed by a CA), used for access to the cluster, and a certificate for the private IP address (self-signed/generated by OpenShift), used for kubernetes and other openshift-related connections.

Additional info:
Custom certificates can be set for both public and private hostnames with named certificates:
https://docs.openshift.com/enterprise/3.1/install_config/install/advanced_install.html#advanced-install-custom-certificates

When a custom certificate is used for a private hostname, the CA for the custom certificate must be included in the trusted bundle distributed to nodes and used by the master. The certificate-generating commands allow including a custom CA bundle (added in https://github.com/openshift/origin/pull/7839; ansible work to make use of that is tracked in https://github.com/openshift/openshift-ansible/issues/1535).

To use a custom certificate for the master IP (not an SNI hostname), the primary certificate would have to be replaced. That will work as long as the custom certificate includes all the same subjectAltNames as the default cert, and it also requires providing the custom CA bundle.
(In reply to Jordan Liggitt from comment #2)

Do you have what you need to consider this closed? If not, what more do you need: tooling, more documentation?
Yeah, AFAIK we are set on our end related to this.
I am moving this over to documentation, as the OSE docs simply need to pull in updates from Origin, to correct this request. @Vikram, can you look at prioritizing this?
(In reply to Eric Rich from comment #5)
> I am moving this over to documentation, as the OSE docs simply need to pull
> in updates from Origin, to correct this request.
>
> @Vikram, can you look at prioritizing this?

If I understand this correctly, this feature is available in Enterprise 3.2 (current release)? If yes, then I will schedule it in for a docs update. Thanks!
It looks that way. Jordan can you confirm?
I can confirm for him:

servingInfo:
  bindAddress: 0.0.0.0:443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.crt
    keyFile: /etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.key
    names:
    - api.clusterid.openshift.com
    - console.clusterid.openshift.com
  requestTimeoutSeconds: 3600
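Two practical checks fall out of comment 2 and the servingInfo in comment 8: before swapping the primary certFile, make sure the replacement carries every subjectAltName of the generated default cert, and work out which certFile a given client will actually be served (a named certificate only when the client sends a matching SNI name; the primary cert for anything connecting by IP). The script below is an added example, not code from OpenShift or from anyone in this thread. The subjectAltName text is constructed to look like the output of `openssl x509 -in FILE -noout -ext subjectAltName` (OpenSSL 1.1.1 or later); the hostnames and addresses are invented, and the name matching is exact and case-insensitive, which is an assumption of the example rather than something the thread states.

```python
"""Two checks behind comments 2 and 8 (added example, not OpenShift code).

1. Before replacing the master's primary certFile, confirm the replacement
   carries every subjectAltName of the generated default cert.
2. Given a servingInfo stanza like the one in comment 8, work out which
   certFile a client will be served, by SNI name or by bare IP.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample output of (OpenSSL 1.1.1+):
#   openssl x509 -in /etc/origin/master/master.server.crt -noout -ext subjectAltName
# Hostnames and addresses are invented for this example.
DEFAULT_CERT_SAN_TEXT = """\
X509v3 Subject Alternative Name:
    DNS:master.clusterid.openshift.com, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, IP Address:10.0.0.5, IP Address:172.30.0.1
"""

# Constructed: a CA-signed cert that covers only the public names plus the host IP.
CUSTOM_CERT_SAN_TEXT = """\
X509v3 Subject Alternative Name:
    DNS:master.clusterid.openshift.com, DNS:api.clusterid.openshift.com, DNS:console.clusterid.openshift.com, IP Address:10.0.0.5
"""

SanEntry = Tuple[str, str]


def parse_san(text: str) -> Set[SanEntry]:
    """Turn `-ext subjectAltName` output into a set of (type, value) pairs.

    DNS names are lower-cased and IP addresses normalised so that cosmetic
    differences between two certs do not show up as missing entries.
    """
    entries: Set[SanEntry] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue  # header line, carries no entries
        for item in line.split(","):
            kind, sep, value = item.strip().partition(":")
            if not sep:
                continue  # not a "type:value" entry
            kind, value = kind.strip(), value.strip()
            if kind == "IP Address":
                value = str(ipaddress.ip_address(value))
            else:
                value = value.lower().rstrip(".")
            entries.add((kind, value))
    return entries


def missing_sans(default_san_text: str, custom_san_text: str) -> List[SanEntry]:
    """SANs present on the default cert but absent from the replacement.

    A non-empty result means in-cluster clients (kubernetes.default.svc,
    the service IP, ...) would fail hostname verification after the swap.
    """
    return sorted(parse_san(default_san_text) - parse_san(custom_san_text))


# servingInfo from comment 8, transcribed into a dict (no YAML parser needed).
SERVING_INFO: Dict = {
    "certFile": "master.server.crt",
    "keyFile": "master.server.key",
    "namedCertificates": [
        {
            "certFile": "/etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.crt",
            "keyFile": "/etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.key",
            "names": ["api.clusterid.openshift.com", "console.clusterid.openshift.com"],
        }
    ],
}


def select_cert(serving_info: Dict, sni_name: Optional[str]) -> str:
    """Return the certFile a TLS client would be served.

    sni_name is None for a client that connects by IP address (kubelets,
    in-cluster clients talking to the service IP) and sends no SNI; those
    always get the primary certFile, which is why comment 2 says the primary
    cert must be replaced to change what an IP connection sees.
    Assumption (not stated in the thread): names match exactly and
    case-insensitively; no wildcard handling is modelled here.
    """
    if sni_name:
        wanted = sni_name.lower().rstrip(".")
        for named in serving_info.get("namedCertificates", []):
            if wanted in (n.lower().rstrip(".") for n in named.get("names", [])):
                return named["certFile"]
    return serving_info["certFile"]


if __name__ == "__main__":
    for entry in missing_sans(DEFAULT_CERT_SAN_TEXT, CUSTOM_CERT_SAN_TEXT):
        print("missing from replacement cert: %s:%s" % entry)
    for name in ("api.clusterid.openshift.com", "master.clusterid.openshift.com", None):
        print("SNI=%r -> %s" % (name, select_cert(SERVING_INFO, name)))
```

Run against real files by piping the two openssl outputs into `missing_sans`; anything it lists (the kubernetes/openshift service names and the service IP in the constructed data) is a name the replacement cert must also carry before it can stand in as the primary certFile, and the trusted CA bundle still has to be updated separately as comment 2 notes.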
It's been available since 3.1, and is referenced in the docs for both 3.1 and 3.2.
(In reply to Jordan Liggitt from comment #9)
> it's been available since 3.1, and is referenced in the docs for both 3.1
> and 3.2

If this is already in the docs, then nothing more needs to be done from the docs point of view. Eric - is that ok with you?