Bug 1269558 - [RFE] Allow the OpenShift Master to use a different certificate for public urls
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.0.0
Severity: medium
Assigned To: Vikram Goyal
Blocks: OSOPS_V3
Reported: 2015-10-07 10:37 EDT by Wesley Hearn
Modified: 2016-06-17 06:26 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-06-17 06:26:40 EDT
Type: Bug


Description Wesley Hearn 2015-10-07 10:37:50 EDT
Description of problem:
I would like to have a common signed cert that handles the public aspect of the openshift-master (api and console endpoints).

Version-Release number of selected component (if applicable):
openshift-master-3.0.2.0-0.git.16.4d626fe.el7ose.x86_64

Actual results:
A single certificate that is tied to both the external and internal IP and DNS names.

Expected results:
A certificate for the public IP/DNS names (that can be signed by a CA), used for access to the cluster;
a certificate for the private IP address (self-signed/generated by OpenShift), used for Kubernetes and other OpenShift-related connections.

Comment 2 Jordan Liggitt 2016-05-06 09:38:32 EDT
Custom certificates can be set for both public and private hostnames with named certificates. https://docs.openshift.com/enterprise/3.1/install_config/install/advanced_install.html#advanced-install-custom-certificates

When a custom certificate is used for a private hostname, the CA for the custom certificate must be included in the trusted bundle distributed to nodes and used by the master. The certificate-generating commands allow including a custom CA bundle (added in https://github.com/openshift/origin/pull/7839; Ansible work to make use of that is tracked in https://github.com/openshift/openshift-ansible/issues/1535).

To use a custom certificate for the master IP (not an SNI hostname), the primary certificate would have to be replaced. That will work as long as the custom certificate includes all the same subjectAltNames as the default cert, and also requires providing the custom CA bundle.
Comment 3 Eric Rich 2016-06-16 09:36:51 EDT
(In reply to Jordan Liggitt from comment #2)

Do you have what you need to consider this closed? If not, what more do you need: tooling, more documentation?
Comment 4 Wesley Hearn 2016-06-16 09:49:21 EDT
Yeah, AFAIK we are set on our end related to this.
Comment 5 Eric Rich 2016-06-16 09:53:41 EDT
I am moving this over to documentation, as the OSE docs simply need to pull in updates from Origin to correct this request.

@Vikram, can you look at prioritizing this?
Comment 6 Vikram Goyal 2016-06-16 21:52:26 EDT
(In reply to Eric Rich from comment #5)
> I am moving this over to documentation, as the OSE docs simply need to pull
> in updates from Origin, to correct this request. 
> 
> @Vikram, can you look at prioritizing this?

If I understand this correctly, this feature is available in Enterprise 3.2 (current release)?

If yes, then I will schedule it in for a docs update. Thanks!
Comment 7 Eric Rich 2016-06-16 22:32:15 EDT
It looks that way. Jordan, can you confirm?
Comment 8 Wesley Hearn 2016-06-16 22:46:07 EDT
I can confirm for him:

servingInfo:
  bindAddress: 0.0.0.0:443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.crt
    keyFile: /etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.key
    names:
    - api.clusterid.openshift.com
    - console.clusterid.openshift.com
  requestTimeoutSeconds: 3600
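The two checks comment 2 and comment 8 imply, as an added Go example (not code from OpenShift, origin, or anyone on this bug): before replacing the primary certFile, confirm the candidate still carries every subjectAltName of the default master.server.crt; before adding a namedCertificates entry, confirm the certificate actually matches each hostname under its `names:`. The self-signed certs, hostnames and IPs below are constructed placeholders, not values from this bug; in practice the certs would be parsed from PEM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed cert with the given subjectAltNames
// (constructed for this example; in practice parse master.server.crt from PEM).
func selfSigned(dns []string, ips []net.IP) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), DNSNames: dns, IPAddresses: ips}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// SANs flattens a cert's DNS and IP subjectAltNames into one list of strings.
func SANs(c *x509.Certificate) []string {
	out := append([]string{}, c.DNSNames...)
	for _, ip := range c.IPAddresses {
		out = append(out, ip.String())
	}
	return out
}

// Uncovered returns the names cert would not satisfy for a connecting client,
// matching wildcards and IP SANs the way a TLS client does. Passing
// SANs(defaultCert) checks that a replacement primary cert keeps every SAN.
func Uncovered(cert *x509.Certificate, names []string) []string {
	var bad []string
	for _, n := range names {
		if err := cert.VerifyHostname(n); err != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	def := selfSigned([]string{"kubernetes.default.svc"}, []net.IP{net.ParseIP("10.0.0.1"), net.ParseIP("172.30.0.1")})
	cand := selfSigned([]string{"kubernetes.default.svc"}, []net.IP{net.ParseIP("10.0.0.1")}) // constructed: drops the service IP
	fmt.Println("missing from replacement:", Uncovered(cand, SANs(def))) // [172.30.0.1]
}
```

A non-empty result for a replacement primary cert means clients dialing that name (nodes, kubelets) would fail TLS verification even with the custom CA in the trusted bundle; a non-empty result for a namedCertificates entry means SNI would match but the hostname check would not.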
Comment 9 Jordan Liggitt 2016-06-16 22:48:13 EDT
It's been available since 3.1, and is referenced in the docs for both 3.1 and 3.2.
Comment 10 Vikram Goyal 2016-06-16 23:04:53 EDT
(In reply to Jordan Liggitt from comment #9)
> it's been available since 3.1, and is referenced in the docs for both 3.1
> and 3.2

If this is already in the docs, then nothing more needs to be done from the docs point of view. Eric - is that ok with you?
