emsecrist
Flight Engineer
Flight Engineer
  • 609 Views

Question about Cert used for cluster wide proxy

In the Guided Exercise Chapter 6 Section 2, in steps 5 and 6, a new configmap is created with a file that contains two certificates. The first certificate in the file is the wildcard and api certificate, and the second certificate is the classroom CA certificate. The cluster proxy is then modified to use the new configmap.

In the Openshift Documentation found at the link below under the "Procedure" section, Step 1 states to "Create a config map that includes only the root CA certificate used to sign the wildcard certificate". 

https://docs.openshift.com/container-platform/4.10/security/certificates/replacing-default-ingress-c...

The steps in the Guided exercise differ with the OpenShift documentation, because the Guided Exercise uses a combined cert (wildcard and api cert + the root CA cert) for the configmap for the Proxy cert, and the OpenShift Documentation states to only use the root CA cert for the configmap for the Proxy cert. 

The Guided Exercise steps seem to work fine, but I find it confusing that the "official" OpenShift documentation states to only use the root CA certificate for the proxy configmap.

6 Replies
BRaj
Mission Specialist
Mission Specialist
  • 520 Views

yes, you are right that document is differs from the guided exercise. The configmap is used to update the proxy cluster where as document is highlighting about only replacing the default ingress certificate. I think they are seperate discussions.

emsecrist
Flight Engineer
Flight Engineer
  • 506 Views

Thanks for the response. Updating the configmap for the proxy cluster is part of the procedure of updating the ingress certificate so they are not completely separate procedures.

0 Kudos
Chetan_Tiwary_
Moderator
Moderator
  • 515 Views

@emsecrist @BRaj Thanks for taking your time and reporting this here. Let me check it offline with the concerned team and will update once I have a concrete information regarding this. 

 

0 Kudos
emsecrist
Flight Engineer
Flight Engineer
  • 351 Views

hello @Chetan_Tiwary_ - did you ever get any concrete information about this? Thanks

Chetan_Tiwary_
Moderator
Moderator
  • 319 Views

@emsecrist Thanks for reminding about this - I did document this query with the documentation link and sent it to the curriculum team - but I think I missed to check it back. 

Let me recheck on this ( It might take longer time given the holidays ).

0 Kudos
Chetan_Tiwary_
Moderator
Moderator
  • 269 Views

@emsecrist I got an update from the curriculum team that :

"The documentation linked also says:

> The certificate file can contain one or more certificates in a chain. The wildcard certificate must be the first certificate in the file. It can then be followed with any intermediate certificates, and the file should end with the root CA certificate.

> I think the "only" in the procedure is not meant to be "authoritative", because the same documentation page says a certificate chain can be used.

> IMHO, things are correct as it stands- we could ask the documentation to remove the "only", but I think that's not strictly necessary. I would suggest closing this issue. "

@alexcorcoles 

0 Kudos
Join the discussion
You must log in to join this conversation.