Replacing the CA Bundle Certificate

This guide explains how to update the cluster-wide CA bundle so that the cluster trusts custom certificate authorities. This is necessary when the API server or ingress controllers use custom certificates that are not signed by a recognised public authority.

Prerequisites

  • Access to the ARO cluster with cluster-admin privileges
  • The oc CLI tool installed and configured
  • Your custom CA certificate file (e.g., ca-bundle.crt)

Update the CA Bundle

1. Create a ConfigMap with your CA certificate

Create a ConfigMap in the openshift-config namespace containing your custom CA bundle:

IMPORTANT

If you are working on Windows, ensure the certificate file uses LF line endings; convert it from CRLF to LF if needed.

Bash:

```bash
oc create configmap custom-ca \
  --from-file=ca-bundle.crt=/path/to/ca-bundle.crt \
  -n openshift-config
```

Alternative - Using a YAML manifest:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca
  namespace: openshift-config
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    Your custom CA certificate bundle content here
    -----END CERTIFICATE-----
```

Apply the manifest:

```bash
oc apply -f custom-ca-configmap.yaml
```

2. Update the cluster-wide proxy configuration

Patch the cluster proxy configuration to reference the newly created ConfigMap:

Bash:

```bash
oc patch proxy/cluster \
  --type=merge \
  --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
```

PowerShell:

```powershell
# The inner quotes are backslash-escaped so they survive being passed to the native oc executable.
oc patch proxy/cluster --type=merge --patch '{\"spec\":{\"trustedCA\":{\"name\":\"custom-ca\"}}}'
```

3. Verify the configuration

Check that the proxy configuration has been updated:

```bash
oc get proxy/cluster -o yaml
```

Wait for the cluster operators to reconcile the changes:

```bash
oc get clusteroperators
```

Working with Certificate Chains

If you have a certificate file that contains multiple certificates (main certificate + chain), you may need to split them:

Split certificate chain from main certificate

Method 1 - Simple AWK script:

```bash
# The first BEGIN marker starts the main certificate; every later one switches output to the chain file.
# Every line is copied, including any non-PEM text between blocks.
awk 'BEGIN{main=1} /BEGIN CERTIFICATE/{if(!first++){main=1}else{main=0}} {print > (main?"main_certificate.pem":"chain_certificates.pem")}' aro-prd-we.pem
```

Method 2 - More verbose AWK script:

```bash
awk '
# A BEGIN marker starts a certificate: the first one is the main (leaf)
# certificate, every later one belongs to the chain.
/^-----BEGIN CERTIFICATE-----$/ {
    cert_type = (++cert_count == 1) ? "main_certificate.pem" : "chain_certificates.pem";
}
# Copy only PEM lines (markers and base64 body); anything else, such as
# "subject=" text between blocks, is dropped. Lines before the first BEGIN
# marker are skipped so awk never redirects to an empty filename.
cert_type != "" {
    if ($0 ~ /^-----BEGIN CERTIFICATE-----$/ || $0 ~ /^-----END CERTIFICATE-----$/ || $0 ~ /^[A-Za-z0-9\/+]+=*$/) {
        print > cert_type;
    }
}
' aro-prd-we.pem
```
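The same split, as an added example that is not part of the original guide, done in Python so that it also covers the cases the awk scripts do not: it normalises CRLF endings (the Windows caveat in step 1), ignores text between blocks, and rejects a block whose body is not valid base64 or not DER. The sample bundle is constructed placeholder data, not real certificates, and the output file names are assumed to match the awk scripts.

```python
import base64
import re
from typing import List, Tuple

# One PEM certificate block. \r?\n accepts CRLF files (the Windows case
# above); DOTALL lets the base64 body span several lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> List[str]:
    """Return every certificate in `text` as a normalised PEM block.

    Blocks come back with LF line endings and 64-column body lines; text
    between blocks (e.g. 'subject=' lines) is ignored. A body that is not
    valid base64, or does not decode to a DER SEQUENCE, raises ValueError.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate {len(blocks) + 1}: invalid base64") from exc
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError(f"certificate {len(blocks) + 1}: body is not DER")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return blocks


def split_main_and_chain(text: str) -> Tuple[str, str]:
    """First certificate = main (leaf) certificate, the rest = chain, as in
    the awk scripts; the chain string is what belongs in ca-bundle.crt."""
    blocks = split_pem_bundle(text)
    if not blocks:
        raise ValueError("no certificates found")
    return blocks[0], "".join(blocks[1:])


def constructed_bundle() -> str:
    """Constructed sample input, NOT real certificates: two blocks with CRLF
    endings and an interleaved 'subject=' line like openssl prints."""
    blocks = []
    for label in (b"constructed-leaf", b"constructed-intermediate"):
        der = b"\x30" + bytes([len(label)]) + label  # minimal DER SEQUENCE shell
        b64 = base64.b64encode(der).decode()
        blocks.append("-----BEGIN CERTIFICATE-----\r\n" + b64
                      + "\r\n-----END CERTIFICATE-----\r\n")
    return blocks[0] + "subject=CN=constructed intermediate\r\n" + blocks[1]
```

Write the two returned strings to main_certificate.pem and chain_certificates.pem to continue with the steps below; running it on a real export in place of constructed_bundle() is the intended use.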

Combine certificates

If you need to create a full certificate chain:

```bash
cat main_certificate.pem chain_certificates.pem > full_chain.pem
```

Convert certificate format

If needed, convert the chain certificate to PEM format. Note that `openssl x509` reads only the first certificate in its input, so run it per certificate if the file holds several:

```bash
openssl x509 -in chain_certificates.pem -out chain_certificates_fixed.pem -outform PEM
```

Create ConfigMap from chain certificate

To use only the chain certificates for the CA bundle:

```bash
oc create configmap custom-ca \
  --from-file=ca-bundle.crt=chain_certificates.pem \
  -n openshift-config
```

Troubleshooting

Verify certificate contents (only the first certificate in the file is shown):

```bash
openssl x509 -in ca-bundle.crt -text -noout
```

Check the ConfigMap:

```bash
oc get configmap custom-ca -n openshift-config -o yaml
```

View cluster proxy status:

```bash
oc describe proxy/cluster
```

Documentation

Official OpenShift Documentation