ocpbugs-8882: configure an addditionl clientca for the openshiftapi server

nalhadef · nalhadef · commit 28b0e1677124 · 2023-10-25T11:51:23.000-04:00
diff --git a/modules/configure-an-additional-clientCA.adoc b/modules/configure-an-additional-clientCA.adoc
@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * security/certificates/api-server.adoc
+
+:_content-type: PROCEDURE
+[id="configure-an-additional-clientCA-for-the-OpenShift-API-server_{context}"]
+= Configure an additional clientCA for the OpenShift API server
+
+. Import the CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
++
+[source,terminal]
+----
+oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt
+----
++
+.Patch the APIServer instance.
++
+[source, terminal]
+----
+oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+----
+
+After adding the new CA, any API request providing an x.509 client certificate signed by the new CA and matching a valid user is successfully authenticated.
+
diff --git a/modules/configure-certificates-api-add-named.adoc b/modules/configure-certificates-api-add-named.adoc
@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * security/certificates/api-server.adoc
+
+:_content-type: PROCEDURE
+[id="configure-an-additional-clientca-for-the-openshift-api-server_{context}"]
+= Configure an additional clientCA for the OpenShift API server
+
+. Import the CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
++
+[source,terminal]
+----
+$ oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt
+----
+
+. Patch the APIServer instance.
++
+[source,terminal]
+----
+$oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+----
+
+. Import the CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
+
+After adding the new CA, any API request providing an x.509 client certificate signed by the new CA and matching a valid user is successfully authenticated.
+
diff --git a/security/certificates/api-server.adoc b/security/certificates/api-server.adoc
@@ -12,3 +12,4 @@ API server's certificate by default. This certificate can be replaced
 by one that is issued by a CA that clients trust.
 
 include::modules/customize-certificates-api-add-named.adoc[leveloffset=+1]
+include::modules/configure-certificates-api-add-named.adoc[leveloffset=+1]

Original file line number	Diff line number	Diff line change
`@@ -12,3 +12,4 @@ API server's certificate by default. This certificate can be replaced`
`12`	`12`	`by one that is issued by a CA that clients trust.`
`13`	`13`
`14`	`14`	`include::modules/customize-certificates-api-add-named.adoc[leveloffset=+1]`
	`15`	`+include::modules/configure-certificates-api-add-named.adoc[leveloffset=+1]`