Red Hat Bugzilla – Bug 1269558
[RFE] Allow the OpenShift Master to use a different certificate for public urls
Last modified: 2016-06-17 06:26:40 EDT
Description of problem:
I would like to have a common signed cert that handles the public aspect of the openshift-master (API and console endpoints).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
A single certificate that is tied to both the external and internal IP and DNS names.
A certificate for the public IP/DNS names (that can be signed by a CA) (used for access to the cluster)
A certificate for the private IP address (self-signed/generated by OpenShift) (used for Kubernetes and other OpenShift-related connections)
Custom certificates can be set for both public and private hostnames with named certificates. https://docs.openshift.com/enterprise/3.1/install_config/install/advanced_install.html#advanced-install-custom-certificates
When a custom certificate is used for a private hostname, the CA for the custom certificate must be included in the trusted bundle distributed to nodes and used by the master. The certificate-generating commands allow including a custom CA bundle (added in https://github.com/openshift/origin/pull/7839, ansible work to make use of that tracked in https://github.com/openshift/openshift-ansible/issues/1535)
To use a custom certificate for the master IP (not an SNI hostname), the primary certificate would have to be replaced. That will work as long as the custom certificate includes all the same subjectAltNames as the default cert, and also requires providing the custom CA bundle.
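The two conditions in the comment above (the replacement must carry every subjectAltName of the generated default certificate, and it must chain to the CA bundle that will be handed to nodes) can be checked before anything is swapped into master-config.yaml. The script below is an added example for this bug report; it is not OpenShift code or tooling, and the CA names, hostnames, IPs and the SAN list given to "master-default" are constructed test data that only stand in for what a real cluster generates. It builds a throwaway "OpenShift-generated" CA and a "corporate" CA with openssl, issues three serving certificates, and then reports which custom certificate is an acceptable replacement and why the others are not.

```shell
#!/bin/sh
# Added example for Red Hat Bugzilla bug 1269558; not OpenShift's own code.
# Checks a custom master certificate the way comment #2 requires:
#   1. every SAN on the default (generated) certificate is also on the custom one;
#   2. the custom certificate verifies against the CA bundle to be distributed.
# All CA names, hostnames and IPs below are constructed test data (assumptions);
# the SAN list on "master-default" is illustrative, not OpenShift's exact set.
set -eu
export LC_ALL=C
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_ca NAME: self-signed CA written to $WORK/NAME.crt and $WORK/NAME.key.
gen_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $1
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -config "$WORK/$1.cnf" 2>/dev/null
}

# gen_cert NAME SANS CA: serving certificate carrying the given subjectAltName
# list, signed by a CA previously created with gen_ca.
gen_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $2
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -config "$WORK/$1.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.cnf" -extensions leaf_ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# san_list CERT: one SAN per line as openssl prints them
# (e.g. "DNS:kubernetes", "IP Address:172.30.0.1"), sorted for comm(1).
san_list() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, ""); gsub(/, /, "\n"); print }' \
    | sort
}

# missing_sans DEFAULT CUSTOM: SANs present on DEFAULT but absent from CUSTOM.
missing_sans() {
  san_list "$1" > "$WORK/want.txt"
  san_list "$2" > "$WORK/have.txt"
  comm -23 "$WORK/want.txt" "$WORK/have.txt"
}

# check_replacement DEFAULT CUSTOM CA_BUNDLE: exit 0 only if CUSTOM may replace DEFAULT.
check_replacement() {
  missing=$(missing_sans "$1" "$2")
  if [ -n "$missing" ]; then
    echo "REJECT: custom certificate lacks SANs the default certificate carries:"
    echo "$missing" | sed 's/^/  /'
    return 1
  fi
  if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "REJECT: custom certificate does not chain to the supplied CA bundle"
    return 1
  fi
  echo "OK: SAN coverage complete and chain verifies against the CA bundle"
}

# Constructed scenario: the generated default cert covers the public name plus
# the internal service names and IPs. A public-only cert from the corporate CA
# is not a valid replacement; one that keeps every default SAN is, but only
# when checked against the CA bundle that actually issued it.
DEFAULT_SANS='DNS:master.example.com,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:openshift,IP:172.30.0.1,IP:10.0.0.5'
gen_ca openshift-signer   # stands in for the CA OpenShift generates
gen_ca corp-ca            # stands in for the organisation's CA
gen_cert master-default "$DEFAULT_SANS" openshift-signer
gen_cert master-public  'DNS:master.example.com,DNS:console.example.com' corp-ca
gen_cert master-full    "$DEFAULT_SANS,DNS:console.example.com" corp-ca

check_replacement "$WORK/master-default.crt" "$WORK/master-public.crt" "$WORK/corp-ca.crt" || true
check_replacement "$WORK/master-default.crt" "$WORK/master-full.crt"   "$WORK/corp-ca.crt"
check_replacement "$WORK/master-default.crt" "$WORK/master-full.crt"   "$WORK/openshift-signer.crt" || true
```

On a real master the DEFAULT argument is the generated serving certificate under /etc/origin/master/ and the CA_BUNDLE argument is the bundle you intend to ship to nodes; the SAN comparison is deliberately exact-match on openssl's printed form, so an IP SAN and a DNS SAN for the same address are treated as different entries, which is the behaviour a TLS client will have.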
(In reply to Jordan Liggitt from comment #2)
Do you have what you need to consider this closed? If not, what more do you need: tooling, more documentation?
Yeah, AFAIK we are set on our end related to this.
I am moving this over to documentation, as the OSE docs simply need to pull in updates from Origin, to correct this request.
@Vikram, can you look at prioritizing this?
(In reply to Eric Rich from comment #5)
> I am moving this over to documentation, as the OSE docs simply need to pull
> in updates from Origin, to correct this request.
> @Vikram, can you look at prioritizing this?
If I understand this correctly, this feature is available in Enterprise 3.2 (current release)?
If yes, then I will schedule it in for a docs update. Thanks!
It looks that way. Jordan can you confirm?
I can confirm for him
- certFile: /etc/origin/master/named_certificates/wildcard.clusterid.openshift.com.crt
It's been available since 3.1 and is referenced in the docs for both 3.1 and 3.2.
(In reply to Jordan Liggitt from comment #9)
> it's been available since 3.1, and is referenced in the docs for both 3.1
> and 3.2
If this is already in the docs, then nothing more needs to be done from the docs point of view. Eric - is that ok with you?