You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add hub-spoke trust config, root CA monitoring, and kubeconfig guidance
Hub-spoke CA trust distribution via KlusterletConfig and CA ConfigMap,
made mandatory with kube-compare validation templates.
Root CA expiration monitoring via ACM Policy with PrometheusRule alerts.
CertificatePolicy expanded to monitor cert-manager namespace.
Kubeconfig trust documentation added to all profile READMEs, applicable
to any non-publicly-trusted issuer.
ACME is the reference recommendation. Other issuer types are allowable
but only ACME is provided in the reference.
Generate a root CA once and use it as the root for your PKI (the ACME issuer or CA issuer your clusters will use). Add the root CA PEM to `/etc/pki/ca-trust/source/anchors/` on your workstation and run `update-ca-trust`. All certificates issued from that root CA will then be trusted without per-cluster kubeconfig updates.
Copy file name to clipboardExpand all lines: telco-hub/configuration/reference-crs-kube-compare/optional/cert-manager/certManagerCertificatePolicy.yaml
Generate a root CA once and use it as the root for your PKI (the ACME issuer or CA issuer your clusters will use). Add the root CA PEM to `/etc/pki/ca-trust/source/anchors/` on your workstation and run `update-ca-trust`. All certificates issued from that root CA will then be trusted without per-cluster kubeconfig updates.
100
+
101
+
## Hub-Spoke Trust with ACM
102
+
103
+
When cert-manager issues certificates for the hub's API server and ingress, managed spokes must trust the cert-manager root CA to maintain connectivity. The reference configuration includes a `KlusterletConfig` and CA ConfigMap to distribute the root CA to spokes automatically.
104
+
105
+
### Hub-spoke trust files
106
+
107
+
-`certManagerHubCAConfigMap.yaml` — ConfigMap in `multicluster-engine` namespace containing the cert-manager root CA, labeled for the import controller
108
+
-`certManagerKlusterletConfig.yaml` — KlusterletConfig that switches spoke CA verification from auto-detected leaf cert to the custom root CA bundle
109
+
110
+
After deploying these resources, annotate each managed cluster:
By default, ACM embeds the hub's leaf serving cert (`CA:FALSE`) in the klusterlet bootstrap kubeconfig. This means every cert rotation requires a ManifestWork update, and a full CA replacement breaks all spokes immediately. The `KlusterletConfig` with `UseCustomCABundles` replaces the leaf cert with the root CA (`CA:TRUE`), so any certificate signed by that root — current or rotated — is automatically trusted.
120
+
121
+
### Greenfield (cert-manager before spoke deployment)
122
+
123
+
1. Deploy cert-manager on the hub, create the CA, issue hub API/ingress certs
124
+
2. Deploy `certManagerHubCAConfigMap.yaml` and `certManagerKlusterletConfig.yaml`
125
+
3. Annotate the managed cluster with `agent.open-cluster-management.io/klusterlet-config=cert-manager-ca-config` as shown above
126
+
4. Deploy spokes via ZTP — they register with the root CA in their trust store
127
+
5. Cert rotations are seamless with no intervention required
128
+
129
+
### Brownfield (cert-manager on existing hub with connected spokes)
130
+
131
+
The order matters — distribute the CA **before** replacing the hub certs:
132
+
133
+
1. Install cert-manager on the hub, create the CA — but **do not apply certs to the APIServer/IngressController yet**
134
+
2. Deploy `certManagerHubCAConfigMap.yaml` with the root CA PEM
135
+
3. Deploy `certManagerKlusterletConfig.yaml`
136
+
4. Annotate all managed clusters with `agent.open-cluster-management.io/klusterlet-config=cert-manager-ca-config` as shown above
137
+
5. Wait for the import controller to regenerate bootstrap kubeconfigs (check logs for `create a new bootstrap kubeconfig`)
138
+
6.**Now** apply the cert-manager certs to the APIServer and IngressController
139
+
7. Spokes stay connected because they already trust the root CA
140
+
141
+
### Cert rotation
142
+
143
+
Once the root CA is in the klusterlet's trust store, cert rotations are seamless. The klusterlet trusts any certificate signed by the root CA regardless of serial number, with no ManifestWork timing dependency.
144
+
145
+
## Root CA Expiration Monitoring
146
+
147
+
The `certManagerRootCAExpirationPolicy.yaml` creates a PrometheusRule that monitors the root CA certificate expiration using the `certmanager_certificate_expiration_timestamp_seconds` metric:
148
+
149
+
-**Warning** at 90 days before expiry
150
+
-**Critical** at 30 days before expiry
151
+
152
+
This is distinct from the existing `certManagerCertificatePolicy.yaml` which monitors leaf certificate expiration in `openshift-ingress`, `openshift-config`, and `cert-manager` namespaces via ACM CertificatePolicy. Both should be deployed together for comprehensive certificate monitoring.
0 commit comments