Bug 1473006 - [RFE] Extend service signing certs to support JKS certificates / stores [NEEDINFO]
[RFE] Extend service signing certs to support JKS certificates / stores
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE (Show other bugs)
Unspecified Unspecified
urgent Severity high
: ---
: ---
Assigned To: Derek Carr
Xiaoli Tian
Depends On:
  Show dependency treegraph
Reported: 2017-07-19 16:13 EDT by Travis Rogers
Modified: 2018-03-07 08:14 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
bparees: needinfo? (ccoleman)
bparees: needinfo? (deads)
bparees: needinfo? (jliggitt)
erich: needinfo? (decarr)

Attachments (Terms of Use)

  None (edit)
Description Travis Rogers 2017-07-19 16:13:46 EDT
Would like to be able to drive pod creation via templates that supports the creation of JKS based certificates for middleware product containers.  The middleware product containers from Red Hat refer to JKS based certs/stores in pod templates.  Currently, certificate and keystore/truststore creation is a manual process outside of Openshift.  It would be nice to be able to encapsulate the certificate and stores creation into the template definition.  This could also lend to secrets being defined and populated in the templates as well.
Comment 1 Ben Parees 2017-07-19 16:39:43 EDT
As discussed on IRC, I don't think templates is the right place to solve this.  This functionality would be useful to people creating resources via other means, and it's a natural extension to the existing service serving certs feature.

Adding Clayton and David to the discussion.
Comment 2 Ben Parees 2017-07-19 16:41:24 EDT
Note that the reason service serving certs were deemed insufficient for the use case is that middleware needs a cert w/ the external route hostname.
Comment 4 Eric Rich 2017-07-19 17:51:59 EDT
Extending https://github.com/openshift/origin/tree/master/pkg/template/generator should allow for this to be possible.
Comment 5 Eric Rich 2017-07-24 10:52:29 EDT
I wonder if this could be solved with pod-presets in some way:

Comment 6 Ben Parees 2017-07-24 10:54:38 EDT
service signing certs supposedly support routes now.  not sure if it's been doc'd anywhere.
Comment 7 Eric Rich 2017-07-24 11:15:23 EDT
(In reply to Ben Parees from comment #6)
> service signing certs supposedly support routes now.  not sure if it's been
> doc'd anywhere.

Not yet documented, at least not part of https://docs.openshift.org/latest/dev_guide/secrets.html#service-serving-certificate-secrets

Note You need to log in before you can comment on or make changes to this bug.