Skip to content

[OSDOCS-14647]: Config custom API server cert for a hosted cluster #97081

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 13, 2025
Merged

[OSDOCS-14647]: Config custom API server cert for a hosted cluster #97081

merged 1 commit into from
Aug 13, 2025

Conversation

@lahinson
Copy link
Contributor

@lahinson lahinson commented Aug 4, 2025
edited
Loading

Version(s): 4.17+

Issue: https://issues.redhat.com/browse/OSDOCS-14647

Link to docs preview:

QE review:

  • QE has approved this change.

Additional information: This PR adds a procedure about configuring a custom API server certificate for a hosted cluster. It also corrects a few minor formatting issues ahead of the DITA migration.

@openshift-ci openshift-ci bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 4, 2025
@ocpdocs-previewbot
Copy link

ocpdocs-previewbot commented Aug 4, 2025
edited
Loading

🤖 Wed Aug 13 13:42:38 - Prow CI generated the docs preview:

https://97081--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-deploy/hcp-deploy-aws.html
https://97081--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-deploy/hcp-deploy-bm.html
https://97081--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.html
https://97081--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-deploy/hcp-deploy-virt.html
https://97081--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/certificates/api-server.html

@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch 2 times, most recently from 40dc9de to ecdd664 Compare August 4, 2025 18:04
@lahinson lahinson added this to the Continuous Release milestone Aug 4, 2025
@openshift-ci openshift-ci bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 4, 2025
@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch 2 times, most recently from aa97552 to 593c073 Compare August 7, 2025 16:25
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 7, 2025
@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch from 593c073 to 76aa0c4 Compare August 7, 2025 17:01
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 7, 2025
@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch from 76aa0c4 to 887bc67 Compare August 7, 2025 17:31
jparrill
jparrill reviewed Aug 11, 2025
View reviewed changes
Copy link

@jparrill jparrill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dropped some comments. Thanks!

@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch from 887bc67 to e6ddc01 Compare August 11, 2025 14:22
jparrill
jparrill approved these changes Aug 11, 2025
View reviewed changes
Copy link

@jparrill jparrill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 11, 2025
@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch from e6ddc01 to 283a802 Compare August 11, 2025 15:10
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Aug 11, 2025
@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch from 283a802 to 7c126f1 Compare August 11, 2025 15:19
@jiezhao16
Copy link

jiezhao16 commented Aug 12, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 12, 2025
@lahinson lahinson added the merge-review-needed Signifies that the merge review team needs to review this PR label Aug 12, 2025
@jeana-redhat jeana-redhat added the merge-review-in-progress Signifies that the merge review team is reviewing this PR label Aug 12, 2025
jeana-redhat
jeana-redhat approved these changes Aug 12, 2025
View reviewed changes
Copy link
Contributor

@jeana-redhat jeana-redhat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noticed a typo while scanning - nothing here blocks merge so you can choose how you'd like to proceed with that :)

/remove-label merge-review-in-progress
/remove-label merge-review-needed

modules/hcp-aws-create-secret-s3.adoc
Copy link
Contributor

@jeana-redhat jeana-redhat Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of scope (existing content) but at some point step 1 should probably be split into four substeps with a short explanation of what each command is doing.

Copy link
Contributor Author

@lahinson lahinson Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. I'll make a note of that.

modules/hcp-custom-cert.adoc Outdated
* You created a Kubernetes secret that contains your custom certificate in the management cluster. The secret contains the following keys:
** `tls.crt`: The certificate
** `tls.key`: They private key
Copy link
Contributor

@jeana-redhat jeana-redhat Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo

Suggested change
** `tls.key`: They private key
** `tls.key`: The private key

Copy link
Contributor Author

@lahinson lahinson Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh my goodness. Thank you!

modules/hcp-custom-cert.adoc Outdated
** `tls.crt`: The certificate
** `tls.key`: They private key
* If your `HostedCluster` configuration includes a service publishing strategy that uses a load balancer, ensure that the Subject Alternative Names (SANs) of the certificate do not conflict with the internal API endpoint (`api-int`). The internal API endpoint is automatically created and managed by your platform. If you use the same hostname in both the custom certificate and the internal API endpoint, routing conflictcs can occur. The only exception to this rule is when you use {aws-short} as the provider with either Private or PublicAndPrivate configurations. In those cases, the SAN conflict is managed by the platform.
Copy link
Contributor

@jeana-redhat jeana-redhat Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these literals?

Suggested change
* If your `HostedCluster` configuration includes a service publishing strategy that uses a load balancer, ensure that the Subject Alternative Names (SANs) of the certificate do not conflict with the internal API endpoint (`api-int`). The internal API endpoint is automatically created and managed by your platform. If you use the same hostname in both the custom certificate and the internal API endpoint, routing conflictcs can occur. The only exception to this rule is when you use {aws-short} as the provider with either Private or PublicAndPrivate configurations. In those cases, the SAN conflict is managed by the platform.
* If your `HostedCluster` configuration includes a service publishing strategy that uses a load balancer, ensure that the Subject Alternative Names (SANs) of the certificate do not conflict with the internal API endpoint (`api-int`). The internal API endpoint is automatically created and managed by your platform. If you use the same hostname in both the custom certificate and the internal API endpoint, routing conflictcs can occur. The only exception to this rule is when you use {aws-short} as the provider with either `Private` or `PublicAndPrivate` configurations. In those cases, the SAN conflict is managed by the platform.

Copy link
Contributor Author

@lahinson lahinson Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another good catch. Yes -- they should be in monospace font. Will fix.

@openshift-ci openshift-ci bot removed merge-review-in-progress Signifies that the merge review team is reviewing this PR merge-review-needed Signifies that the merge review team needs to review this PR labels Aug 12, 2025
@lahinson lahinson force-pushed the osdocs-14647-hcp-custom-certificates branch from 7c126f1 to a6d71b6 Compare August 13, 2025 13:33
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Aug 13, 2025
@openshift-ci
Copy link

openshift-ci bot commented Aug 13, 2025

New changes are detected. LGTM label has been removed.

@openshift-ci
Copy link

openshift-ci bot commented Aug 13, 2025

@lahinson: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@lahinson lahinson merged commit 942e32f into openshift:main Aug 13, 2025
2 checks passed
@lahinson
Copy link
Contributor Author

lahinson commented Aug 13, 2025

/cherrypick enterprise-4.17

@lahinson
Copy link
Contributor Author

lahinson commented Aug 13, 2025

/cherrypick enterprise-4.18

@lahinson
Copy link
Contributor Author

lahinson commented Aug 13, 2025

/cherrypick enterprise-4.19

@lahinson
Copy link
Contributor Author

lahinson commented Aug 13, 2025

/cherrypick enterprise-4.20

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Aug 13, 2025

@lahinson: #97081 failed to apply on top of branch "enterprise-4.17":

Applying: Config custom API server cert for a hosted cluster
.git/rebase-apply/patch:170: trailing whitespace.
To configure a custom certificate for the API server, specify the certificate details in the `spec.configuration.apiServer` section of your `HostedCluster` configuration. 
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc
M	hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc
M	hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc
M	hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc
M	security/certificates/api-server.adoc
Falling back to patching base and 3-way merge...
Auto-merging security/certificates/api-server.adoc
CONFLICT (content): Merge conflict in security/certificates/api-server.adoc
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc
CONFLICT (content): Merge conflict in hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Config custom API server cert for a hosted cluster

In response to this:

/cherrypick enterprise-4.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Aug 13, 2025

@lahinson: #97081 failed to apply on top of branch "enterprise-4.18":

Applying: Config custom API server cert for a hosted cluster
.git/rebase-apply/patch:170: trailing whitespace.
To configure a custom certificate for the API server, specify the certificate details in the `spec.configuration.apiServer` section of your `HostedCluster` configuration. 
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc
M	hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc
M	hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc
M	hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc
Falling back to patching base and 3-way merge...
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc
CONFLICT (content): Merge conflict in hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc
Auto-merging hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Config custom API server cert for a hosted cluster

In response to this:

/cherrypick enterprise-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Aug 13, 2025

@lahinson: new pull request created: #97502

In response to this:

/cherrypick enterprise-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Aug 13, 2025
Merged
@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Aug 13, 2025

@lahinson: new pull request created: #97503

In response to this:

/cherrypick enterprise-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Aug 13, 2025
Merged
This was referenced Aug 13, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeana-redhat jeana-redhat jeana-redhat approved these changes

+1 more reviewer

@jparrill jparrill jparrill approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jparrill jparrill

@jiezhao16 jiezhao16

Labels

branch/enterprise-4.17 branch/enterprise-4.18 branch/enterprise-4.19 branch/enterprise-4.20 size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

Continuous Release

Development

Successfully merging this pull request may close these issues.

7 participants

@lahinson @ocpdocs-previewbot @jiezhao16 @openshift-cherrypick-robot @jparrill @jeana-redhat @openshift-merge-robot