Bug 1420097 - [RFE] Use the Customer provided CA for all of the certificates for OpenShift
Summary: [RFE] Use the Customer provided CA for all of the certificates for OpenShift
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.0
Assignee: Scott Dodson
QA Contact: Xiaoli Tian
Depends On:
TreeView+ depends on / blocked
Reported: 2017-02-07 19:54 UTC by Eric Jones
Modified: 2021-09-09 12:07 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-04-02 14:38:56 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Eric Jones 2017-02-07 19:54:14 UTC
- What is the nature and description of the request? 
As an admin I require the ability to Use my own CA for all of the certificates within the cluster. This includes all of the certs used by etcd, and between each ssytem in the cluster.

- Why does the customer need this? (List the business requirements here) 
The do not feel the security of the OpenShift signed certificates is high enough to be properly safe.

- How would the customer like to achieve this? (List the functional requirements here) 
One suggestion was to potentially run an Ansible playbook to generate all the required CSR's, let the customer send the CSR's to their CA. When the certificates are generated they are placed in a directory where Ansible can find them while running installation, update, or expansion playbooks.

- Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I could easily find.

Comment 21 Scott Dodson 2019-04-02 14:38:56 UTC
https://blog.openshift.com/considerations-on-openshift-pkis-and-certificates/ outlines the supported aspects of CA configuration. No further work on using a provided CA will be delivered.

Note You need to log in before you can comment on or make changes to this bug.