Will verify later
Verified in 4.9.0: Creating a custom apiserver cert (the openssl commands below follow https://github.com/giantswarm/grumpy/blob/instance_migration/gen_certs.sh):

# CREATE THE PRIVATE KEY FOR OUR CUSTOM CA
openssl genrsa -out certs/ca.key 2048

# GENERATE A CA CERT WITH THE PRIVATE KEY
openssl req -new -x509 -key certs/ca.key -out certs/ca.crt -config certs/ca_config.txt

# CREATE THE PRIVATE KEY FOR OUR SERVER
openssl genrsa -out certs/apiserver.key 2048

# CREATE A CSR FROM THE CONFIGURATION FILE AND OUR PRIVATE KEY
SERVER_HOST=`oc whoami --show-server | grep -o 'api[^:]*'`
openssl req -new -key certs/apiserver.key -subj "/CN=$SERVER_HOST" -out apiserver.csr -config certs/grumpy_config.txt

# CREATE THE CERT SIGNING THE CSR WITH THE CA CREATED BEFORE
openssl x509 -req -in apiserver.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/apiserver.crt

# CREATE THE TLS SECRET FROM THE SIGNED CERT AND KEY (paths match the files written above)
oc create secret tls api-certs --cert=certs/apiserver.crt --key=certs/apiserver.key -n openshift-config

oc patch --type=merge apiserver/cluster -p "
spec:
  servingCerts:
    namedCertificates:
    - servingCertificate:
        name: api-certs
"

Wait for kube-apiserver to finish rollout. Then enter masters, check:

# ls -lrt /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/
...
drwxr-xr-x. 2 root root 36 Oct 15 14:15 user-serving-cert-000

# ls -l /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000
-rw-------. 1 root root 1675 Oct 15 14:15 tls.key
-rw-------. 1 root root 1261 Oct 15 14:15 tls.crt

They have the same 600 permissions.
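The manual `ls -l` check in the verification comment can be turned into a repeatable audit. The script below is an added example, not part of the bug report or of the referenced grumpy script: it walks a secrets directory such as /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/ and reports every regular file whose mode is not exactly 0600, so a serving key or cert that is group- or world-readable is flagged instead of being eyeballed. The directory path is an argument (assumed, so the same function can run against a constructed temporary tree), and `stat -c` / `mktemp -d` are GNU coreutils forms as found on RHCOS masters.

```shell
#!/bin/sh
# Added example (not from the bug report): audit secret files under a directory
# and fail if any regular file is more permissive than 0600 (owner rw only).

# check_secret_perms DIR
#   Prints one INSECURE line per offending file and returns 1; returns 0 when
#   every regular file under DIR has mode 0600.
check_secret_perms() {
    # -type f restricts to regular files; ! -perm 0600 keeps files whose
    # mode is anything other than exactly rw-------.
    offenders=$(find "$1" -type f ! -perm 0600)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | while IFS= read -r f; do
            printf 'INSECURE %s mode=%s\n' "$f" "$(stat -c '%a' "$f")"
        done
        return 1
    fi
    return 0
}

# make_demo_tree
#   Builds a constructed directory that mirrors the layout seen on a master
#   (user-serving-cert-000/tls.key and tls.crt, both 0600) and prints its path.
#   The file contents are placeholders, not real key material.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/user-serving-cert-000"
    printf 'constructed placeholder key\n'  > "$root/user-serving-cert-000/tls.key"
    printf 'constructed placeholder cert\n' > "$root/user-serving-cert-000/tls.crt"
    chmod 600 "$root/user-serving-cert-000/tls.key" "$root/user-serving-cert-000/tls.crt"
    printf '%s\n' "$root"
}

# Stand-alone use: audit the directory given as the first argument, e.g.
#   sh audit_secret_perms.sh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets
if [ -n "${1:-}" ]; then
    check_secret_perms "$1"
fi
```

Run it on each master after the kube-apiserver rollout; a non-zero exit means at least one secret file (key or cert) has drifted from 0600 and the INSECURE lines name which ones.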
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.9.4 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3935