You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add CA issuer, hub-spoke trust config, and root CA monitoring
Adds CA ClusterIssuer for disconnected environments with existing PKI,
KlusterletConfig for hub-spoke CA trust distribution, and root CA
expiration monitoring via ACM Policy.
The KlusterletConfig with UseCustomCABundles ensures spokes trust the
hub's root CA (CA:TRUE) instead of the leaf serving cert (CA:FALSE).
This makes cert rotations seamless and eliminates the chicken-and-egg
problem where spokes can't receive ManifestWork updates because they
don't trust the hub's new cert.
Tested on OCP 4.21.15 hub+spoke with cert-manager v1.19.0. Full test
results: https://gist.github.com/sebrandon1/7265d68c5add6adb1313dce5b695e40d
Signed-off-by: Brandon Palm <bpalm@redhat.com>
Generate a root CA once and use it as the root for your PKI (the ACME issuer or CA issuer your clusters will use). Add the root CA PEM to `/etc/pki/ca-trust/source/anchors/` on your workstation and run `update-ca-trust`. All certificates issued from that root CA will then be trusted without per-cluster kubeconfig updates.
Copy file name to clipboardExpand all lines: telco-hub/configuration/reference-crs-kube-compare/optional/cert-manager/certManagerCertificatePolicy.yaml
Generate a root CA once and use it as the root for your PKI (the ACME issuer or CA issuer your clusters will use). Add the root CA PEM to `/etc/pki/ca-trust/source/anchors/` on your workstation and run `update-ca-trust`. All certificates issued from that root CA will then be trusted without per-cluster kubeconfig updates.
109
+
110
+
## Hub-Spoke Trust with ACM
111
+
112
+
When cert-manager issues certificates for the hub's API server and ingress, managed spokes must trust the cert-manager root CA to maintain connectivity. The reference configuration includes a `KlusterletConfig` and CA ConfigMap to distribute the root CA to spokes automatically.
113
+
114
+
### Hub-spoke trust files
115
+
116
+
-`certManagerHubCAConfigMap.yaml` — ConfigMap in `multicluster-engine` namespace containing the cert-manager root CA, labeled for the import controller
117
+
-`certManagerKlusterletConfig.yaml` — KlusterletConfig that switches spoke CA verification from auto-detected leaf cert to the custom root CA bundle
118
+
119
+
After deploying these resources, annotate each managed cluster:
By default, ACM embeds the hub's leaf serving cert (`CA:FALSE`) in the klusterlet bootstrap kubeconfig. This means every cert rotation requires a ManifestWork update, and a full CA replacement breaks all spokes immediately. The `KlusterletConfig` with `UseCustomCABundles` replaces the leaf cert with the root CA (`CA:TRUE`), so any certificate signed by that root — current or rotated — is automatically trusted.
129
+
130
+
### Greenfield (cert-manager before spoke deployment)
131
+
132
+
1. Deploy cert-manager on the hub, create the CA, issue hub API/ingress certs
133
+
2. Deploy `certManagerHubCAConfigMap.yaml` and `certManagerKlusterletConfig.yaml`
134
+
3. Annotate the managed cluster (or configure as a default KlusterletConfig)
135
+
4. Deploy spokes via ZTP — they register with the root CA in their trust store
136
+
5. Cert rotations are seamless with no intervention required
137
+
138
+
### Brownfield (cert-manager on existing hub with connected spokes)
139
+
140
+
The order matters — distribute the CA **before** replacing the hub certs:
141
+
142
+
1. Install cert-manager on the hub, create the CA — but **do not apply certs to the APIServer/IngressController yet**
143
+
2. Deploy `certManagerHubCAConfigMap.yaml` with the root CA PEM
144
+
3. Deploy `certManagerKlusterletConfig.yaml`
145
+
4. Annotate all managed clusters
146
+
5. Wait for the import controller to regenerate bootstrap kubeconfigs (check logs for `create a new bootstrap kubeconfig`)
147
+
6.**Now** apply the cert-manager certs to the APIServer and IngressController
148
+
7. Spokes stay connected because they already trust the root CA
149
+
150
+
### Cert rotation
151
+
152
+
Once the root CA is in the klusterlet's trust store, cert rotations are seamless. The klusterlet trusts any certificate signed by the root CA regardless of serial number, with no ManifestWork timing dependency.
153
+
154
+
## Root CA Expiration Monitoring
155
+
156
+
The `certManagerRootCAExpirationPolicy.yaml` creates a PrometheusRule that monitors the root CA certificate expiration using the `certmanager_certificate_expiration_timestamp_seconds` metric:
157
+
158
+
-**Warning** at 90 days before expiry
159
+
-**Critical** at 30 days before expiry
160
+
161
+
This is distinct from the existing `certManagerCertificatePolicy.yaml` which monitors leaf certificate expiration in `openshift-ingress`, `openshift-config`, and `cert-manager` namespaces via ACM CertificatePolicy. Both should be deployed together for comprehensive certificate monitoring.
0 commit comments