Description of problem:
I'm not actually sure if OperatorPKI should be exposed to users. But it appears in `oc api-resources` output, and each CRD in that output ideally provides API information when a user enters `oc explain <CRD>`.
Steps to Reproduce:
`oc explain OperatorPKI`
A description of what this CRD is for.
I haven't gotten the impression that this CRD is relevant to a user; is it possible to remove it from the list of advertised APIs? To date, I've only seen `Network.operator` and `Network.config` as user-facing. I'm unfamiliar with the OperatorPKI CRD.
(I'm not sure what the proper sub-component for this BZ is.)
Verified this bug on 4.6.0-0.nightly-2020-09-23-022756
`oc explain OperatorPKI`
OperatorPKI is a simple certificate authority. It is not intended for
external use - rather, it is internal to the network operator. The CNO
creates a CA and a certificate signed by that CA. The certificate has both
ClientAuth and ServerAuth extended usages enabled. More specifically, given
an OperatorPKI with <name>, the CNO will manage: - A Secret called
<name>-ca with two data keys: - tls.key - the private key - tls.crt - the
CA certificate - A ConfigMap called <name>-ca with a single data key: -
cabundle.crt - the CA certificate(s) - A Secret called <name>-cert with two
data keys: - tls.key - the private key - tls.crt - the certificate, signed
by the CA The CA certificate will have a validity of 10 years, rotated
after 9. The target certificate will have a validity of 6 months, rotated
after 3 The CA certificate will have a CommonName of
"<namespace>_<name>-ca@<timestamp>", where <timestamp> is the last rotation
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
Standard object's metadata. More info:
spec <Object> -required-
OperatorPKISpec is the PKI configuration.
OperatorPKIStatus is not implemented.
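An added example, not part of the bug report or the network operator's code: a Python check that compares the dates of a `<name>-ca` or `<name>-cert` certificate, as printed by `openssl x509 -noout -dates`, with the lifetimes stated in the description above, and flags a certificate that is still in use past its rotation point. The day counts, the tolerance, the function names and the sample dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Lifetimes from the OperatorPKI description. Day counts are assumptions:
# 1 year = 365 days, 6 months = 182 days, 3 months = 91 days.
POLICY = {
    "ca": (timedelta(days=10 * 365), timedelta(days=9 * 365)),
    "cert": (timedelta(days=182), timedelta(days=91)),
}
TOLERANCE = timedelta(days=3)  # assumed slack for leap days and clock skew


def parse_dates(text):
    """Parse `openssl x509 -noout -dates` output into (notBefore, notAfter)."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = " ".join(value.split())  # openssl pads single-digit days
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("need both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]


def audit(kind, dates_text, now):
    """Compare one certificate's dates with the documented lifetime."""
    validity, rotate_after = POLICY[kind]
    not_before, not_after = parse_dates(dates_text)
    rotate_at = not_before + rotate_after
    return {
        "lifetime_ok": abs((not_after - not_before) - validity) <= TOLERANCE,
        "rotate_at": rotate_at,
        # A rotated certificate has a newer notBefore, so this means it was missed.
        "rotation_overdue": now >= rotate_at,
        "expired": now >= not_after,
    }


# Constructed sample output, not taken from a real cluster.
SAMPLE_CA = "notBefore=Sep 23 02:27:56 2020 GMT\nnotAfter=Sep 23 02:27:56 2030 GMT"
SAMPLE_CERT = "notBefore=Sep 23 02:27:56 2020 GMT\nnotAfter=Mar 24 02:27:56 2021 GMT"

if __name__ == "__main__":
    now = datetime(2021, 1, 10, tzinfo=timezone.utc)
    for kind, sample in (("ca", SAMPLE_CA), ("cert", SAMPLE_CERT)):
        print(kind, audit(kind, sample, now))
```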
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.