You can specify custom certificates for the web console and for the CLI through the servingInfo section of the master configuration file:

A default certificate must be configured in the servingInfo.certFile and servingInfo.keyFile configuration sections in addition to namedCertificates.
Note: The namedCertificates section should be configured for only the host name associated with the masterPublicURL, assetConfig.publicURL, and oauthConfig.assetPublicURL settings. Using a custom serving certificate for the host name associated with the masterURL will result in TLS errors, as infrastructure components will attempt to contact the master API using the internal masterURL host.
Custom Certificates Configuration

    servingInfo:
      logoutURL: ""
      masterPublicURL: https://openshift.example.com:8443
      publicURL: https://openshift.example.com:8443/console/
      bindAddress: 0.0.0.0:8443
      bindNetwork: tcp4
      certFile: master.server.crt (1)
      clientCA: ""
      keyFile: master.server.key (1)
      maxRequestsInFlight: 0
      requestTimeoutSeconds: 0
      namedCertificates:
      - certFile: wildcard.example.com.crt (2)
        keyFile: wildcard.example.com.key (2)
        names:
        - "openshift.example.com"
      metricsPublicURL: "https://metrics.os.example.com/hawkular/metrics"

(1) Path to the certificate and key files for the CLI and other API calls.
(2) Path to the certificate and key files for the web console.
The openshift_master_cluster_public_hostname and openshift_master_cluster_hostname parameters in the Ansible inventory file, by default /etc/ansible/hosts, must be different. If they are the same, the named certificates will fail and you will need to re-install them.
# Native HA with External LB VIPs
openshift_master_cluster_hostname=internal.paas.example.com
openshift_master_cluster_public_hostname=external.paas.example.com
This approach allows you to take advantage of the self-signed certificates generated by OKD and add custom trusted certificates to individual components as needed.
Note that the internal infrastructure certificates remain self-signed, which might be perceived as bad practice by some security or PKI teams. However, any risk here is minimal, as the only clients that trust these certificates are other components within the cluster. All external users and systems use custom trusted certificates.
Relative paths are resolved based on the location of the master configuration file. Restart the server to pick up the configuration changes.
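The two constraints above (a default certificate in servingInfo, named certificates only for the public host names and never for the internal masterURL host, and distinct internal/public cluster host names in the inventory) are easy to get wrong by hand. The following checker is an added example, not part of the OKD documentation or the OKD code base. It works on a master configuration that has already been parsed into a Python dict (as PyYAML would produce) plus a dict of the two inventory parameters, so it runs offline. The sample configuration is constructed to mirror the snippet above; the location of the internal masterURL under oauthConfig and the single-label wildcard rule for names in namedCertificates are assumptions of this example.

```python
import copy
from urllib.parse import urlsplit


def host_of(url):
    """Hostname part of a URL ('' when the URL is missing or empty)."""
    return urlsplit(url).hostname or ""


def name_covers(pattern, host):
    """Does a namedCertificates 'names' entry cover a host?  Exact match, or a
    single-label wildcard such as '*.example.com' (assumed here to follow the
    usual TLS wildcard rule: covers 'api.example.com' but not 'example.com'
    or 'a.b.example.com')."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def lint_master_certs(config, inventory):
    """Return a list of problems; an empty list means the configuration is sound."""
    problems = []
    si = config.get("servingInfo", {})

    # A default certificate is mandatory even when namedCertificates is used.
    if not (si.get("certFile") and si.get("keyFile")):
        problems.append("servingInfo.certFile and servingInfo.keyFile must name the default certificate")

    named = [n for entry in si.get("namedCertificates", []) for n in entry.get("names", [])]

    # Public host names: the ones a named (custom) certificate should be served for.
    public_hosts = {
        host_of(config.get("masterPublicURL", "")),
        host_of(config.get("assetConfig", {}).get("publicURL", "")),
        host_of(config.get("oauthConfig", {}).get("assetPublicURL", "")),
    } - {""}
    for host in sorted(public_hosts):
        if not any(name_covers(n, host) for n in named):
            problems.append(f"no namedCertificates entry covers public host {host}")

    # The internal masterURL host must keep the default certificate, because
    # cluster components contact the API through it.  (Location assumed.)
    internal = host_of(config.get("oauthConfig", {}).get("masterURL", ""))
    for n in named:
        if internal and name_covers(n, internal):
            problems.append(f"namedCertificates name {n!r} matches internal masterURL host {internal}")

    # The Ansible inventory must use different internal and public host names.
    if inventory.get("openshift_master_cluster_hostname") == inventory.get(
        "openshift_master_cluster_public_hostname"
    ):
        problems.append("openshift_master_cluster_hostname and openshift_master_cluster_public_hostname must differ")
    return problems


# Constructed sample: the parsed equivalent of the master-config.yaml snippet above.
GOOD_CONFIG = {
    "masterPublicURL": "https://openshift.example.com:8443",
    "assetConfig": {"publicURL": "https://openshift.example.com:8443/console/"},
    "oauthConfig": {
        "masterURL": "https://internal.paas.example.com:8443",
        "assetPublicURL": "https://openshift.example.com:8443/console/",
    },
    "servingInfo": {
        "certFile": "master.server.crt",
        "keyFile": "master.server.key",
        "namedCertificates": [
            {
                "certFile": "wildcard.example.com.crt",
                "keyFile": "wildcard.example.com.key",
                "names": ["openshift.example.com"],
            }
        ],
    },
}
GOOD_INVENTORY = {
    "openshift_master_cluster_hostname": "internal.paas.example.com",
    "openshift_master_cluster_public_hostname": "external.paas.example.com",
}

# Constructed misconfiguration: a wildcard name that also matches the internal
# masterURL host, and identical internal/public host names in the inventory.
BAD_CONFIG = copy.deepcopy(GOOD_CONFIG)
BAD_CONFIG["servingInfo"]["namedCertificates"][0]["names"] = ["openshift.example.com", "*.paas.example.com"]
BAD_INVENTORY = {
    "openshift_master_cluster_hostname": "paas.example.com",
    "openshift_master_cluster_public_hostname": "paas.example.com",
}

if __name__ == "__main__":
    for label, cfg, inv in (("good", GOOD_CONFIG, GOOD_INVENTORY), ("bad", BAD_CONFIG, BAD_INVENTORY)):
        print(label, lint_master_certs(cfg, inv) or "OK")
```

Run it against your own parsed master-config.yaml and inventory before restarting the master; a non-empty result points at exactly the setting the notes above warn about.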