Updating the CA bundle

Understanding the CA Bundle certificate

Proxy certificates allow you to specify one or more custom certificate authorities (CAs) that platform components trust when making egress connections.

The trustedCA field of the Proxy object is a reference to a config map that contains a user-provided trusted certificate authority (CA) bundle. This bundle is merged with the Fedora CoreOS (FCOS) trust bundle and injected into the trust store of platform components that make egress HTTPS calls. For example, image-registry-operator calls an external image registry to download images. If trustedCA is not specified, only the FCOS trust bundle is used for proxied HTTPS connections, so a proxy that terminates TLS with a certificate from a private CA, or an endpoint behind it that presents one, fails certificate verification. Supply the CA certificates of your own certificate infrastructure through trustedCA if you want those connections to verify.

The config map referenced by trustedCA must be in the openshift-config namespace and must carry the bundle under the required key ca-bundle.crt. The trustedCA field should only be consumed by a proxy validator, which reads the certificate bundle from that key and copies it to a config map named trusted-ca-bundle in the openshift-config-managed namespace; platform components pick up the merged bundle from there. For example:

  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: user-ca-bundle
    namespace: openshift-config
  data:
    ca-bundle.crt: |
      -----BEGIN CERTIFICATE-----
      Custom CA certificate bundle.
      -----END CERTIFICATE-----

Replacing the CA Bundle certificate

Procedure

  1. Create a config map that includes the root CA certificate used to sign the wildcard certificate (one or more PEM-encoded CA certificates, stored under the key ca-bundle.crt):

       $ oc create configmap custom-ca \
           --from-file=ca-bundle.crt=</path/to/example-ca.crt> \
           -n openshift-config

     where </path/to/example-ca.crt> is the path to the CA certificate bundle on your local file system. The config map must be created in the openshift-config namespace, because that is where the proxy validator looks for it.

  2. Update the cluster-wide proxy configuration to reference the newly created config map:

       $ oc patch proxy/cluster \
           --type=merge \
           --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'

     After the patch, the proxy validator copies the bundle to the trusted-ca-bundle config map in the openshift-config-managed namespace; inspect that config map to confirm the new CA certificates were published before relying on them.
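The following script is an added example, not code from the OKD/OpenShift documentation or project. It wraps the two-step procedure above (create the config map in openshift-config under the key ca-bundle.crt, then patch proxy/cluster) with the checks a practitioner wants around it: that the file really is a PEM CA bundle and carries no private key material, that the rendered config map lands in the right namespace under the required key, and that the proxy validator actually republishes it as trusted-ca-bundle in openshift-config-managed. CONFIGMAP_NAME, BUNDLE_FILE, APPLY and write_sample_bundle are illustrative assumptions; the sample bundle it writes is constructed placeholder data, not real certificates.

```sh
#!/bin/sh
# Added example (not from the OKD/OpenShift docs): validate a CA bundle, render
# it as the ConfigMap the proxy validator reads, optionally apply it and confirm
# that trusted-ca-bundle in openshift-config-managed was updated.
# CONFIGMAP_NAME, BUNDLE_FILE and APPLY are assumed names for this script only.
CONFIGMAP_NAME="${CONFIGMAP_NAME:-custom-ca}"

# Number of PEM certificate blocks in a file (prints 0 if there are none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Structural checks on the bundle; returns 1 with a reason on stderr on failure.
check_bundle() {
  f="$1"
  [ -s "$f" ] || { echo "bundle '$f' is missing or empty" >&2; return 1; }
  begins=$(count_certs "$f")
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
  [ "$begins" -gt 0 ] || { echo "no PEM certificates in '$f'" >&2; return 1; }
  [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END markers in '$f'" >&2; return 1; }
  # A trust bundle carries public certificates only; never ship a private key.
  if grep -q -- 'PRIVATE KEY-----' "$f"; then
    echo "private key material found in '$f'; refusing" >&2; return 1
  fi
  return 0
}

# Print subject, expiry and SHA-256 fingerprint of every certificate (needs
# openssl) so you can confirm you are trusting exactly the CAs you intend to.
list_certs() {
  cert=""
  while IFS= read -r line || [ -n "$line" ]; do
    cert="$cert$line
"
    case "$line" in
      *-----END\ CERTIFICATE-----*)
        printf '%s' "$cert" | openssl x509 -noout -subject -enddate -fingerprint -sha256
        cert="" ;;
    esac
  done < "$1"
}

# Render the ConfigMap the proxy validator expects: namespace openshift-config,
# bundle under the required key ca-bundle.crt, PEM indented as a YAML block scalar.
render_configmap() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: openshift-config\ndata:\n  ca-bundle.crt: |\n' "$2"
  sed 's/^/    /' "$1"
}

# Apply to a live cluster (needs oc as cluster-admin) and wait for the validator
# to publish the merged bundle. The managed copy is merged with the FCOS trust
# bundle, so it must hold at least as many certificates as the user bundle.
apply_bundle() {
  check_bundle "$1" || return 1
  render_configmap "$1" "$CONFIGMAP_NAME" | oc apply -f - || return 1
  oc patch proxy/cluster --type=merge \
    --patch="{\"spec\":{\"trustedCA\":{\"name\":\"$CONFIGMAP_NAME\"}}}" || return 1
  want=$(count_certs "$1")
  i=0
  while [ "$i" -lt 30 ]; do
    got=$(oc get configmap trusted-ca-bundle -n openshift-config-managed \
      -o jsonpath='{.data.ca-bundle\.crt}' 2>/dev/null \
      | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    if [ "$want" -gt 0 ] && [ "${got:-0}" -ge "$want" ]; then
      echo "trusted-ca-bundle published with $got certificates"; return 0
    fi
    i=$((i + 1)); sleep 2
  done
  echo "trusted-ca-bundle was not updated; check the proxy validator" >&2
  return 1
}

# Constructed placeholder bundle for offline use: two PEM-shaped blocks whose
# bodies are dummy base64, not real certificates (openssl will reject them).
write_sample_bundle() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgT05F' '-----END CERTIFICATE-----' > "$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgVFdP' '-----END CERTIFICATE-----' >> "$1"
}

# Usage: BUNDLE_FILE=</path/to/example-ca.crt> sh update-ca-bundle.sh
#        add APPLY=1 to create the config map and patch proxy/cluster.
if [ -n "${BUNDLE_FILE:-}" ]; then
  check_bundle "$BUNDLE_FILE" || exit 1
  if [ "${APPLY:-0}" = "1" ]; then
    apply_bundle "$BUNDLE_FILE"
  else
    render_configmap "$BUNDLE_FILE" "$CONFIGMAP_NAME"
  fi
fi
```

Rendering the config map as YAML and passing it to oc apply is equivalent to the documented oc create configmap --from-file call, but it is idempotent, so the same script can be re-run to rotate the bundle. The wait loop compares certificate counts rather than trusting the patch's exit status, because the patch only updates spec; the validator's copy into openshift-config-managed is what platform components actually read.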

Additional resources