Replacing the CA Bundle Certificate

This guide explains how to update the cluster-wide CA bundle to trust custom certificate authorities, which is necessary when using custom certificates for the API server or ingress controllers.

Prerequisites

  • Access to the ARO cluster with cluster-admin privileges
  • The oc CLI tool installed and configured
  • Your custom CA certificate file (e.g., ca-bundle.crt)

Update the CA Bundle

1. Create a ConfigMap with your CA certificate

Create a ConfigMap in the openshift-config namespace containing your custom CA bundle:

IMPORTANT

If using Windows, ensure the certificate file uses LF line endings; convert from CRLF to LF if needed, as a CRLF bundle will not be parsed correctly by the cluster.

Bash:

```bash
oc create configmap custom-ca \
  --from-file=ca-bundle.crt=/path/to/ca-bundle.crt \
  -n openshift-config
```

Alternative - Using a YAML manifest:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca
  namespace: openshift-config
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    Your custom CA certificate bundle content here
    -----END CERTIFICATE-----
```

Apply the manifest:

```bash
oc apply -f custom-ca-configmap.yaml
```

2. Update the cluster-wide proxy configuration

Patch the cluster proxy configuration to reference the newly created ConfigMap:

Bash:

```bash
oc patch proxy/cluster \
  --type=merge \
  --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
```

PowerShell:

```powershell
oc patch proxy/cluster --type=merge --patch '{\"spec\":{\"trustedCA\":{\"name\":\"custom-ca\"}}}'
```

3. Verify the configuration

Check that the proxy configuration has been updated:

```bash
oc get proxy/cluster -o yaml
```

Wait for the cluster operators to reconcile the change; all operators should return to Available without Degraded or Progressing set:

```bash
oc get clusteroperators
```

Working with Certificate Chains

If you have a certificate file that contains multiple certificates (main certificate + chain), you may need to split them:

Split certificate chain from main certificate

Method 1 - Simple AWK script:

```bash
awk 'BEGIN{main=1} /BEGIN CERTIFICATE/{if(!first++){main=1}else{main=0}} {print > (main?"main_certificate.pem":"chain_certificates.pem")}' aro-prd-we.pem
```

Method 2 - More verbose AWK script (also drops any non-PEM text, such as `subject=` lines, found between certificates):

```bash
awk '
/^-----BEGIN CERTIFICATE-----$/ {
    # first certificate goes to the main file, every later one to the chain file
    cert_type = (++cert_count == 1) ? "main_certificate.pem" : "chain_certificates.pem";
}
{
    # keep only PEM markers and base64 body lines
    if ($0 ~ /^-----BEGIN CERTIFICATE-----$/ || $0 ~ /^-----END CERTIFICATE-----$/ || $0 ~ /^[A-Za-z0-9\/+]+=*$/) {
        print > cert_type;
    }
}
' aro-prd-we.pem
```

Combine certificates

If you need to create a full certificate chain:

```bash
cat main_certificate.pem chain_certificates.pem > full_chain.pem
```

Convert certificate format

If needed, convert a certificate to PEM format. Note that `openssl x509` processes only the first certificate in its input, so run it on each certificate separately rather than on a multi-certificate chain file, otherwise the remaining certificates are silently dropped:

```bash
openssl x509 -in chain_certificates.pem -out chain_certificates_fixed.pem -outform PEM
```

Create ConfigMap from chain certificate

To use only the chain certificates for the CA bundle:

```bash
oc create configmap custom-ca \
  --from-file=ca-bundle.crt=chain_certificates.pem \
  -n openshift-config
```

Troubleshooting

Verify certificate contents (this prints only the first certificate in the file):

```bash
openssl x509 -in ca-bundle.crt -text -noout
```
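The following script is an added example, not part of the original guide, that bundles the pre-flight checks worth running before creating the ConfigMap: the LF line-ending check from step 1, a certificate count, a split into one file per certificate (generalising the main/chain awk scripts above to any number of certificates), and per-certificate inspection, since `openssl x509` reads only the first PEM block of a file. Function names, file names and the sample bundle are my own; the sample is constructed placeholder text, not real X.509 data.

```shell
# Pre-flight checks for a CA bundle before it is loaded into the custom-ca ConfigMap.
# Added example; the sample bundle below is constructed placeholder text, not real X.509 data.
# Succeeds if the file contains CRLF line endings (the ConfigMap should carry LF only).
has_crlf() { grep -q "$(printf '\r')" "$1"; }

# Number of PEM certificate blocks in the bundle.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# Split a bundle into <outdir>/cert-1.pem, cert-2.pem, ... (one file per certificate),
# generalising the main/chain awk split above to any number of certificates.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /^-----END CERTIFICATE-----$/   { inside = 0; close(out) }
  ' "$1"
}

# Show subject, issuer and expiry of every certificate: openssl x509 reads only the
# first PEM block of a file, so the bundle is split first. Skipped if openssl is missing.
inspect_bundle() {
  local dir f
  dir="$(mktemp -d)"
  split_bundle "$1" "$dir"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping parse" >&2; return 0; }
  for f in "$dir"/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -enddate || return 1
  done
}

# Constructed two-certificate bundle with LF endings (placeholder base64, not parseable).
write_sample_bundle() {
  cat > "$1" <<'EOF'
subject=CN=Example Root CA
-----BEGIN CERTIFICATE-----
QkFTRTY0IFBMQUNFSE9MREVSIE9OTFk=
-----END CERTIFICATE-----
subject=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
QU5PVEhFUiBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}

# Usage: sh check_bundle.sh /path/to/ca-bundle.crt
if [ "$#" -gt 0 ]; then
  has_crlf "$1" && echo "WARNING: CRLF line endings found; convert to LF first"
  echo "certificates in bundle: $(count_certs "$1")"
  inspect_bundle "$1"
fi
```

Run it against the real bundle before `oc create configmap`; a CRLF warning, a certificate count lower than expected, or an `openssl x509` parse failure on any split file means the bundle needs fixing first.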

Check ConfigMap:

```bash
oc get configmap custom-ca -n openshift-config -o yaml
```

View cluster proxy status:

```bash
oc describe proxy/cluster
```

Documentation

Official OpenShift Documentation