ocpbugs-8882: configure an addditionl clientca for the openshiftapi server

Author: nalhadef

modules/configure-an-additional-clientCA.adoc

@@ -0,0 +1,34 @@
+// Module included in the following assemblies:
+//
+// * security/certificates/api-server.adoc
+
+:_content-type: PROCEDURE
+[id="configure-an-additional-clientCA-for-the-OpenShift-API-server_{context}"]
+
+= Configure an additional clientCA for the OpenShift API server
+
+Optionally, you may choose to invalidate the installer-generated kubeconfig. You would do this when:
+* You don't trust who installed the cluster
+* The kubeconfig is leaked
+* Other security-related needs exist, such as periodic rotation of the kubeconfig
+
+To replace the installer-generated kubeconfig, remove the installer-generated clientCA from the API server
+
+. Import an additional CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
++
+[source,terminal]
+----
+oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt
+----
++
+. Patch the APIServer instance.
++
+[source, terminal]
+----
+oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+----
+
+. Test the new clientCA certificate with a certificate signed from the new clientCA.
+. If the test is successful, you can remove the installer-generated clientCA.
+
+

modules/configure-certificates-api-add-named.adoc

@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * security/certificates/api-server.adoc
+
+:_content-type: PROCEDURE
+[id="configure-an-additional-clientca-for-the-openshift-api-server_{context}"]
+= Configure an additional clientCA for the OpenShift API server
+
+. Import the CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
++
+[source,terminal]
+----
+$ oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt
+----
+
+. Patch the APIServer instance.
++
+[source,terminal]
+----
+$oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+----
+
+. Import the CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
+
+After adding the new CA, any API request providing an x.509 client certificate signed by the new CA and matching a valid user is successfully authenticated.
+

modules/customize-certificates-api-add-named.adoc

@@ -22,13 +22,6 @@ certificate for the API server FQDN must be the first certificate in the file.
 It can then be followed with any intermediate certificates, and the file should
 end with the root CA certificate.
 
-[WARNING]
-====
-Do not provide a named certificate for the internal load balancer (host
-name `api-int.<cluster_name>.<base_domain>`). Doing so will leave your
-cluster in a degraded state.
-====
-
 .Procedure
 
 . Login to the new API as the `kubeadmin` user.

security/certificates/api-server.adoc

@@ -12,3 +12,7 @@ API server's certificate by default. This certificate can be replaced
 by one that is issued by a CA that clients trust.
 
 include::modules/customize-certificates-api-add-named.adoc[leveloffset=+1]
+
+include::modules/configure-an-additional-clientCA.adoc[leveloffset=+1] 
+
+