security/certificate_types_descriptions/machine-config-operator-certificates.adoc
Lines changed: 28 additions & 4 deletions
@@ -8,24 +8,48 @@ toc::[]
8
8
9
9
== Purpose
10
10
11
-
Machine Config Operator certificates are used to secure connections between the Red Hat Enterprise Linux CoreOS (RHCOS) nodes and the Machine Config Server.
11
+
This certificate authority is used to secure connections from nodes to Machine Config Server (MCS) during initial provisioning.
12
+
13
+
There are two certificates:
14
+
. A self-signed CA, the MCS CA
15
+
. A derived certificate, the MCS cert
16
+
17
+
=== Provisioning details
18
+
19
+
{product-title} installations that use {op-system-first} are installed by using Ignition. This process is split into two parts:
20
+
21
+
. An Ignition config is created that references a URL for the full configuration served by the MCS.
22
+
. For user-provisioned infrastucture installation methods, the Ignition config manifests as a `worker.ign` file created by the `openshift-install` command. For installer-provisioned infrastructure installation methods that use the Machine API Operator, this configuration appears as the `worker-user-data` secret.
12
23
13
24
include::snippets/mcs-endpoint-limitation.adoc[]
14
25
15
26
.Additional resources
16
27
28
+
* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#understanding-the-machine-config-operator[Understanding the Machine Config Operator].
29
+
17
30
* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin].
18
31
32
+
=== Provisioning chain of trust
33
+
34
+
The MCS CA is injected into the Ignition configuration under the `security.tls.certificateAuthorities` configuration field. The MCS then provides the complete configuration using the MCS cert presented by the web server.
35
+
36
+
The client validates that the MCS cert presented by the server has a chain of trust to an authority it recognizes. In this case, the MCS CA is that authority, and it signs the MCS cert. This ensures that the client is accessing the correct server. The client in this case is Ignition running on a machine in the initramfs.
37
+
38
+
=== Key material inside a cluster
39
+
40
+
The MCS CA appears in the cluster as a config map in the `kube-system` namespace, `root-ca` object, with `ca.crt` key. The private key is not stored in the cluster and is discarded after the installation completes.
41
+
42
+
The MCS cert appears in the cluster as a secret in the `openshift-machine-config-operator` namespace and `machine-config-server-tls` object with the `tls.crt` and `tls.key` keys.
19
43
20
44
== Management
21
45
22
-
These certificates are managed by the system and not the user.
46
+
At this time, directly modifying either of these certificates is not supported.
23
47
24
48
== Expiration
25
-
This CA is valid for 10 years.
49
+
The MCS CA is valid for 10 years.
26
50
27
51
The issued serving certificates are valid for 10 years.
28
52
29
53
== Customization
30
54
31
-
You cannot customize the Machine Config Operator certificates.
55
+
You cannot customize the Machine Config Operator certificates.
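Review bot: The new "Key material inside a cluster" statement `The private key is not stored in the cluster and is discarded after the installation completes.` combined with "Expiration" (`The issued serving certificates are valid for 10 years.`) and "Management" (`At this time, directly modifying either of these certificates is not supported.`) leaves the reader without an answer to the question this page exists to answer: what happens when the MCS cert reaches its expiry. With the CA key gone, no replacement MCS cert can be signed under the existing MCS CA, so say that explicitly (and link whatever procedure is supported, if any) rather than letting readers assume the cert renews like the other cluster certificates. Two smaller points in the same hunk: `infrastucture` in the user-provisioned infrastructure bullet should be `infrastructure`, and the Ignition field cited as `security.tls.certificateAuthorities` lives under the top-level `ignition` object, so `ignition.security.tls.certificateAuthorities` is the path a reader will actually find in `worker.ign`. The "Provisioning chain of trust" paragraph would also benefit from one sentence noting that the MCS CA is only as trustworthy as the channel that delivers the pointer config (the `worker.ign` file or `worker-user-data` secret named above), since that is where the trust anchor itself arrives on the node.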