Bug 1473006 - [RFE] Extend service signing certs to support JKS certificates / stores
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: unspecified
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
Assignee: Derek Carr
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-19 20:13 UTC by Travis Rogers
Modified: 2019-06-12 11:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-12 11:58:27 UTC
Target Upstream Version:
Embargoed:



Description Travis Rogers 2017-07-19 20:13:46 UTC
Would like to be able to drive pod creation via templates that support the creation of JKS based certificates for middleware product containers. The middleware product containers from Red Hat refer to JKS based certs/stores in pod templates. Currently, certificate and keystore/truststore creation is a manual process outside of OpenShift. It would be nice to be able to encapsulate the certificate and stores creation into the template definition. This could also lend to secrets being defined and populated in the templates as well.

Comment 1 Ben Parees 2017-07-19 20:39:43 UTC
As discussed on IRC, I don't think templates is the right place to solve this.  This functionality would be useful to people creating resources via other means, and it's a natural extension to the existing service serving certs feature.

Adding Clayton and David to the discussion.

Comment 2 Ben Parees 2017-07-19 20:41:24 UTC
Note that the reason service serving certs were deemed insufficient for the use case is that middleware needs a cert w/ the external route hostname.

Comment 4 Eric Rich 2017-07-19 21:51:59 UTC
Extending https://github.com/openshift/origin/tree/master/pkg/template/generator should allow for this to be possible.

Comment 5 Eric Rich 2017-07-24 14:52:29 UTC
I wonder if this could be solved with pod-presets in some way:

https://bugzilla.redhat.com/show_bug.cgi?id=1366349
https://kubernetes.io/docs/tasks/inject-data-application/podpreset/

Comment 6 Ben Parees 2017-07-24 14:54:38 UTC
service signing certs supposedly support routes now.  not sure if it's been doc'd anywhere.

Comment 7 Eric Rich 2017-07-24 15:15:23 UTC
(In reply to Ben Parees from comment #6)
> service signing certs supposedly support routes now.  not sure if it's been
> doc'd anywhere.

Not yet documented, at least not part of https://docs.openshift.org/latest/dev_guide/secrets.html#service-serving-certificate-secrets

Comment 13 Kirsten Newcomer 2019-06-12 11:58:27 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.

