
Adding API server certificates

The default API server certificate is issued by an internal OpenShift Container Platform cluster CA, so clients outside the cluster cannot verify it unless they first import that CA. You can add a named certificate issued by a CA your clients already trust. The API server presents the named certificate to clients whose TLS handshake requests (via SNI) one of the hostnames you configure for it; other names, including the internal api-int endpoint used by cluster components, continue to be served with the cluster-issued certificate.

Add an API server named certificate

1. Log in to the cluster

Log in to your ARO cluster with the oc CLI as a user with cluster-admin rights: the secret goes into the openshift-config namespace and the patch targets a cluster-scoped resource.

2. Create secret

Create a TLS secret in the openshift-config namespace from the certificate and its private key. The certificate file must contain the full chain, the server certificate first followed by any intermediate CA certificates, so that clients that do not already hold the intermediates can build a path to the root:

bash
oc create secret tls aro-prd-we.example.com \
  --cert="aro-prd-we.pem" \
  --key="aro-prd-we.key" \
  -n openshift-config

Note: Replace aro-prd-we.example.com with your cluster's domain and use your actual certificate and key file names. The secret name itself is arbitrary; it is what the API server configuration references in the next step. The certificate's subjectAltName must list the API hostname (api.<domain>), because clients validate the hostname against the SAN, not the subject CN.

3. Update API server to reference secret

Patch the cluster-scoped APIServer resource so that kube-apiserver serves the secret for the api.<domain> hostname. A JSON merge patch replaces the whole namedCertificates list, so if the cluster already serves other named certificates, include those entries in the patch as well (the current spec is visible with the command in step 4):

bash
oc patch apiserver cluster --type=merge -p \
  '{"spec":{"servingCerts": {"namedCertificates": [{"names": ["api.aro-prd-we.example.com"], "servingCertificate": {"name": "aro-prd-we.example.com"}}]}}}'
powershell
oc patch apiserver cluster --type=merge -p '{\"spec\":{\"servingCerts\": {\"namedCertificates\": [{\"names\": [\"api.aro-prd-we.example.com\"], \"servingCertificate\": {\"name\": \"aro-prd-we.example.com\"}}]}}}'

No manual restart is needed: the kube-apiserver operator picks up the change and rolls a new static-pod revision across the control plane nodes, which takes several minutes. Do not restart deployment/apiserver in openshift-apiserver; that is the aggregated OpenShift API server, not kube-apiserver, and restarting it has no effect on the certificate served on port 6443. Track the rollout with:

bash
oc get kubeapiserver cluster -o jsonpath='{.status.latestAvailableRevision}{"\n"}{range .status.nodeStatuses[*]}{.nodeName}={.currentRevision}{"\n"}{end}'

The new certificate is served from every control plane node once each node's currentRevision equals latestAvailableRevision.

Verify that the new certificate is presented. The API server selects a named certificate by the SNI hostname, so pass -servername explicitly (older OpenSSL releases do not send SNI by default, and without it you get the cluster-issued default certificate):

bash
openssl s_client -connect api.aro-prd-we.example.com:6443 \
  -servername api.aro-prd-we.example.com </dev/null 2>/dev/null | \
  openssl x509 -noout -subject -issuer -startdate -enddate -fingerprint -sha256

The issuer must be your CA, not an internal cluster signer, and the fingerprint must match the certificate file you put in the secret.

4. Confirm reference

Verify the API server configuration and wait for the changes to be applied:

bash
oc get apiserver cluster -o yaml
oc get clusteroperators kube-apiserver

WARNING

Do not continue to the next step until PROGRESSING is listed as False in the kube-apiserver cluster operator status.

5. Debug the connection

If you encounter issues, use these commands to debug the certificate setup:

Check the TLS handshake against the CA that issued the new certificate, again passing the hostname as SNI; the expected result ends with "Verify return code: 0 (ok)":

bash
openssl s_client -connect api.aro-prd-we.example.com:6443 \
  -servername api.aro-prd-we.example.com -CAfile root-ca.pem </dev/null

Verify certificate details:

bash
openssl x509 -in aro-prd-we.pem -text -noout

Test oc login with the custom CA. Omit -p so that oc prompts for the password instead of leaving it in shell history; --loglevel=10 dumps the full HTTP exchange, so treat the output as sensitive:

bash
oc login https://api.aro-prd-we.example.com:6443 \
  -u kubeadmin \
  --certificate-authority=/path/to/ca-bundle.crt \
  --loglevel=10

Test the OAuth endpoint. Note that oauth-openshift.apps.<domain> is exposed through the ingress controller and presents the ingress (wildcard apps) certificate, not the API server named certificate, so a failure here points at the ingress certificate or a CA bundle that lacks its issuer, not at the change made above:

bash
curl -v https://oauth-openshift.apps.aro-prd-we.example.com/oauth/authorize \
  --cacert /path/to/ca-bundle.crt

Additional debugging commands:

bash
# List OAuth server secrets (the OAuth serving certificate is separate from the API server one)
oc get secret -n openshift-authentication

# Check OAuth deployment status
oc rollout status deployment.apps/oauth-openshift -n openshift-authentication

# View the full certificate chain the API server sends (the first block is the leaf)
openssl s_client -connect api.aro-prd-we.example.com:6443 \
  -servername api.aro-prd-we.example.com -showcerts </dev/null

# Inspect the OAuth server's serving certificate stored in the cluster
oc get secret v4-0-config-system-serving-cert -n openshift-authentication \
  -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -subject -issuer -enddate

# Confirm the key in that secret belongs to the certificate by comparing public keys.
# Do not decode tls.key to the terminal: it would land in scrollback and shell history.
diff <(oc get secret v4-0-config-system-serving-cert -n openshift-authentication \
         -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -pubkey) \
     <(oc get secret v4-0-config-system-serving-cert -n openshift-authentication \
         -o jsonpath='{.data.tls\.key}' | base64 --decode | openssl pkey -pubout) \
  && echo "key matches certificate"
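The whole procedure above, steps 2 through 5, as one added example script that is not part of this page or of the ARO documentation: it checks the certificate before touching the cluster (the key matches it, its SAN covers the API hostname, it is not about to expire), creates or updates the secret so that renewals can re-run it, applies the merge patch, waits for the kube-apiserver static-pod rollout, and confirms that the fingerprint served on port 6443 with SNI equals the file's. The domain, file names, secret name and port follow the page; the ARO_APPLY guard, function names, revision polling and the 7-day expiry margin are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the ARO docs): pre-flight, apply and verify an API server
# named certificate. Assumed inputs: the base domain (e.g. aro-prd-we.example.com),
# a PEM file holding the leaf certificate followed by its intermediates, and the key.
set -eu

# Return 0 if a SAN list as printed by openssl ("DNS:a, DNS:*.b") covers host $2.
# A wildcard matches exactly one label, which is what TLS clients enforce.
san_covers() {
  host=$2; found=1
  set -f                                  # no pathname expansion of "*.apps..."
  for entry in $(printf '%s' "$1" | tr -d ' ' | tr ',' ' '); do
    case "$entry" in DNS:*) name=${entry#DNS:} ;; *) continue ;; esac
    case "$name" in
      "$host") found=0; break ;;
      \*.*)
        suffix=${name#\*}                 # "*.apps.x" -> ".apps.x"
        case "$host" in
          *"$suffix")
            label=${host%"$suffix"}       # the part the wildcard stands for
            case "$label" in ''|*.*) ;; *) found=0; break ;; esac ;;
        esac ;;
    esac
  done
  set +f
  return $found
}

# JSON merge patch for spec.servingCerts.namedCertificates: $1 is the secret name
# in openshift-config, the remaining args are the hostnames it should serve.
# A merge patch replaces the whole array, so list every name the cluster needs.
named_cert_patch() {
  secret=$1; shift
  names=""
  for n in "$@"; do names="${names:+$names,}\"$n\""; done
  printf '{"spec":{"servingCerts":{"namedCertificates":[{"names":[%s],"servingCertificate":{"name":"%s"}}]}}}' \
    "$names" "$secret"
}

san_list_of()      { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1; }
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Compare public keys only; the private key is never written to the terminal.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The API server picks a named certificate by SNI, so -servername is required.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# The kube-apiserver operator rolls a new static-pod revision; wait until every
# control plane node runs the latest revision and the operator is no longer progressing.
wait_for_kube_apiserver() {
  sleep 30                                # give the operator time to notice the change
  i=0
  while [ $i -lt 60 ]; do
    latest=$(oc get kubeapiserver cluster -o jsonpath='{.status.latestAvailableRevision}')
    current=$(oc get kubeapiserver cluster -o jsonpath='{.status.nodeStatuses[*].currentRevision}')
    progressing=$(oc get clusteroperator kube-apiserver -o jsonpath='{.status.conditions[?(@.type=="Progressing")].status}')
    settled=0
    for r in $current; do [ "$r" = "$latest" ] || settled=1; done
    [ $settled -eq 0 ] && [ "$progressing" = False ] && return 0
    sleep 20; i=$((i + 1))
  done
  return 1
}

# Usage: ARO_APPLY=1 ./rotate-api-cert.sh aro-prd-we.example.com aro-prd-we.pem aro-prd-we.key
rotate_api_cert() {
  domain=$1; cert=$2; key=$3; api_host="api.$domain"
  key_matches_cert "$cert" "$key" || { echo "key does not match $cert" >&2; return 1; }
  san_covers "$(san_list_of "$cert")" "$api_host" || { echo "SAN does not cover $api_host" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null || { echo "$cert expires within 7 days" >&2; return 1; }
  # create-or-update the secret so re-runs (renewals) do not fail with "already exists"
  oc create secret tls "$domain" --cert="$cert" --key="$key" -n openshift-config \
    --dry-run=client -o yaml | oc apply -f -
  oc patch apiserver cluster --type=merge -p "$(named_cert_patch "$domain" "$api_host")"
  wait_for_kube_apiserver || { echo "kube-apiserver rollout did not settle" >&2; return 1; }
  want=$(file_fingerprint "$cert"); got=$(served_fingerprint "$api_host" 6443)
  [ "$want" = "$got" ] || { echo "served $got, expected $want" >&2; return 1; }
  echo "$api_host now serves $want"
}

if [ "${ARO_APPLY:-0}" = 1 ]; then rotate_api_cert "$@"; fi
```

Run it after oc login as ARO_APPLY=1 ./rotate-api-cert.sh aro-prd-we.example.com aro-prd-we.pem aro-prd-we.key; without the guard variable the file only defines the functions, so it can be sourced for the individual checks. The wildcard rule in san_covers is the one TLS clients apply: *.apps.example.com covers console.apps.example.com but neither api.example.com nor a.b.apps.example.com, which is why the API hostname needs its own SAN entry rather than relying on the apps wildcard.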

Documentation

Official OpenShift Documentation