Proxy certificates

    The field of the Proxy object is a reference to a config map that contains a user-provided trusted certificate authority (CA) bundle. This bundle is merged with the Fedora CoreOS (FCOS) trust bundle and injected into the trust store of platform components that make egress HTTPS calls. For example, image-registry-operator calls an external image registry to download images. If trustedCA is not specified, only the FCOS trust bundle is used for proxied HTTPS connections. Provide custom CA certificates to the FCOS trust bundle if you want to use your own certificate infrastructure.

    The trustedCA field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from the required key ca-bundle.crt and copying it to a config map named in the openshift-config-managed namespace. The namespace for the config map referenced by trustedCA is openshift-config:
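    The following is an added example, not OKD's own validator code, that mirrors what the two paragraphs above describe: it checks that the config map referenced by trustedCA carries its PEM bundle under the required ca-bundle.crt key, parses the certificate blocks, and merges them into the node trust bundle without duplicates (certificates are compared by the SHA-256 of their DER bytes, so re-wrapped copies of the same certificate are not added twice). The config map name user-ca-bundle and the certificate bodies are constructed placeholders, not real X.509 certificates.

```python
"""Hypothetical proxy-validator logic for a trustedCA config map.
Added example; not OKD's own validator."""
import base64
import hashlib
import re

REQUIRED_KEY = "ca-bundle.crt"  # the key the validator reads, per the docs
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def extract_certs(pem_text):
    """Return (fingerprint, normalized PEM) pairs, one per certificate block.
    The fingerprint is SHA-256 over the decoded DER bytes, so the same
    certificate with different line wrapping dedupes correctly."""
    certs = []
    for body in PEM_RE.findall(pem_text):
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("malformed base64 in certificate block") from exc
        fingerprint = hashlib.sha256(der).hexdigest()
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append((fingerprint, "-----BEGIN CERTIFICATE-----\n" + wrapped
                      + "\n-----END CERTIFICATE-----"))
    return certs


def validate_user_bundle(configmap):
    """Reject a config map that lacks the ca-bundle.crt key or holds no
    well-formed certificate block; return the parsed certificates otherwise."""
    data = configmap.get("data") or {}
    if REQUIRED_KEY not in data:
        raise ValueError(f"config map {configmap['metadata']['name']} "
                         f"has no {REQUIRED_KEY} key")
    certs = extract_certs(data[REQUIRED_KEY])
    if not certs:
        raise ValueError(f"{REQUIRED_KEY} contains no certificate blocks")
    return certs


def merge_bundles(system_pem, user_pem):
    """Append the user-provided bundle to the system (FCOS) bundle, keeping
    system certificates first and dropping duplicates."""
    seen = {}
    for fingerprint, pem in extract_certs(system_pem) + extract_certs(user_pem):
        seen.setdefault(fingerprint, pem)
    return "\n".join(seen.values()) + "\n"


def fake_cert(label):
    """Constructed placeholder: base64 of an arbitrary byte string, NOT a real
    X.509 certificate. Enough to exercise the parsing and dedup logic."""
    b64 = base64.b64encode(f"placeholder DER for {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs: a two-root "FCOS" bundle and a user config map
# that adds a corporate proxy root and repeats one public root.
FCOS_BUNDLE = fake_cert("public root 1") + fake_cert("public root 2")
USER_CONFIGMAP = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "user-ca-bundle", "namespace": "openshift-config"},
    "data": {REQUIRED_KEY: fake_cert("corp proxy root") + fake_cert("public root 2")},
}


def build_merged_bundle(configmap=USER_CONFIGMAP, system_pem=FCOS_BUNDLE):
    """Validate the user config map and return the merged trust bundle text."""
    validate_user_bundle(configmap)
    return merge_bundles(system_pem, configmap["data"][REQUIRED_KEY])


def validator_rejects(configmap):
    """True if validation fails for the given config map (the failure path)."""
    try:
        validate_user_bundle(configmap)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_merged_bundle())
```

    With the constructed inputs the merged bundle holds three certificates, not four, because the repeated public root is recognized by fingerprint; a config map whose data lacks ca-bundle.crt is rejected before anything is merged.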

    Managing proxy certificates during installation

    The additionalTrustBundle value of the installer configuration is used to specify any proxy-trusted CA certificates during installation. For example:

    Example output

    The user-provided trust bundle is represented as a config map. The config map is mounted into the file system of platform components that make egress HTTPS calls. Typically, Operators mount the config map to , but this is not required by the proxy. A proxy can modify or inspect the HTTPS connection. In either case, the proxy must generate and sign a new certificate for the connection.

    Complete proxy support means connecting to the specified proxy and trusting any signatures it has generated. Therefore, it is necessary to let the user specify a trusted root, such that any certificate chain connected to that trusted root is also trusted.

    See in the Red Hat Enterprise Linux documentation for more information.

    Expiration

    The user sets the expiration term of the user-provided trust bundle.

    The default expiration term is defined by the CA certificate itself. It is up to the CA administrator to configure this for the certificate before it can be used by OKD or FCOS.

    By default, all platform components that make egress HTTPS calls use the FCOS trust bundle. If trustedCA is defined, it is used as well.

    Any service that is running on the FCOS node is able to use the trust bundle of the node.

    Management

    Updating the user-provided trust bundle consists of either:

    • updating the PEM-encoded certificates in the config map referenced by trustedCA, or

    The mechanism for writing CA certificates to the FCOS trust bundle is exactly the same as writing any other file to FCOS, which is done through the use of machine configs. When the Machine Config Operator (MCO) applies the new machine config that contains the new CA certificates, the node is rebooted. During the next boot, the service coreos-update-ca-trust.service runs on the FCOS nodes, which automatically updates the trust bundle with the new CA certificates. For example:
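    As an added example, not code from the OKD documentation or project, the script below builds the kind of MachineConfig the paragraph describes: an Ignition file entry that lays a PEM certificate down under /etc/pki/ca-trust/source/anchors, the directory update-ca-trust reads anchors from, so that coreos-update-ca-trust.service picks it up on the next boot. The machine config name 50-examplecorp-ca-cert, the file name examplecorp-ca.crt, the Ignition spec version 3.2.0 and the placeholder PEM body are assumptions for the example; match the spec version to your cluster.

```python
"""Build a MachineConfig that writes a CA certificate into the FCOS trust
anchors directory. Added example; not OKD's own tooling."""
import base64
import json

# Standard anchor directory consumed by update-ca-trust on FCOS/RHEL.
ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors"
DATA_URL_PREFIX = "data:text/plain;charset=utf-8;base64,"


def ca_machineconfig(name, role, filename, pem_text):
    """Return a MachineConfig dict whose Ignition config writes pem_text to
    ANCHOR_DIR/filename, world-readable and owned by root."""
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        raise ValueError("expected a PEM-encoded certificate")
    encoded = base64.b64encode(pem_text.encode()).decode()
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": name,
            # The role label selects which pool (master/worker) receives it.
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {
            "config": {
                "ignition": {"version": "3.2.0"},  # assumed; match your cluster
                "storage": {"files": [{
                    "path": f"{ANCHOR_DIR}/{filename}",
                    "mode": 0o644,  # Ignition takes an integer; 0o644 == 420
                    "overwrite": True,
                    "contents": {"source": DATA_URL_PREFIX + encoded},
                }]},
            }
        },
    }


def file_contents(machineconfig):
    """Decode the first file entry back to (path, text) to check the manifest
    before applying it."""
    entry = machineconfig["spec"]["config"]["storage"]["files"][0]
    source = entry["contents"]["source"]
    if not source.startswith(DATA_URL_PREFIX):
        raise ValueError("unexpected data URL format")
    return entry["path"], base64.b64decode(source[len(DATA_URL_PREFIX):]).decode()


# Constructed placeholder PEM (base64 of the word PLACEHOLDER), not a real cert.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "UExBQ0VIT0xERVI=\n"
              "-----END CERTIFICATE-----\n")


def sample_machineconfig():
    """Example manifest for a worker pool; names are assumptions."""
    return ca_machineconfig("50-examplecorp-ca-cert", "worker",
                            "examplecorp-ca.crt", SAMPLE_PEM)


if __name__ == "__main__":
    # Print as JSON; `oc apply -f` accepts JSON as well as YAML.
    print(json.dumps(sample_machineconfig(), indent=2))
```

    Applying the manifest triggers the MCO reboot described above; after the node comes back, the certificate is part of the node trust bundle that every service on the node can use.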

    The trust store of machines must also support updating the trust store of nodes.

    Renewal

    There are no Operators that can auto-renew certificates on the FCOS nodes.