Red Hat Bugzilla – Bug 1473006
[RFE] Extend service signing certs to support JKS certificates / stores
Last modified: 2018-03-07 08:14:28 EST
Would like to be able to drive pod creation via templates that support the creation of JKS-based certificates for middleware product containers. The middleware product containers from Red Hat refer to JKS-based certs/stores in pod templates. Currently, certificate and keystore/truststore creation is a manual process outside of OpenShift. It would be nice to be able to encapsulate the certificate and stores creation into the template definition. This could also lend to secrets being defined and populated in the templates as well.
As discussed on IRC, I don't think templates is the right place to solve this. This functionality would be useful to people creating resources via other means, and it's a natural extension to the existing service serving certs feature.
Adding Clayton and David to the discussion.
Note that the reason service serving certs were deemed insufficient for the use case is that middleware needs a cert w/ the external route hostname.
Extending https://github.com/openshift/origin/tree/master/pkg/template/generator should allow for this to be possible.
I wonder if this could be solved with pod-presets in some way:
service signing certs supposedly support routes now. not sure if it's been doc'd anywhere.
(In reply to Ben Parees from comment #6)
> service signing certs supposedly support routes now. not sure if it's been
> doc'd anywhere.
Not yet documented, at least not part of https://docs.openshift.org/latest/dev_guide/secrets.html#service-serving-certificate-secrets