To add a custom Certificate Authority (CA) to your {product-title} cluster during initial cluster installation, you can add the CA certificate to your install-config.yaml file. Adding the CA certificate during installation ensures that your cluster trusts the CA after installation.
The following procedure uses the additionalTrustBundle parameter. If you are also configuring an egress proxy, you can add this parameter to your install-config.yaml file along with your proxy configuration. For more information on the available proxy settings, see the "Configuring the cluster-wide proxy" chapter.
- You have access to the install-config.yaml file for your cluster installation.
- You have your custom CA certificate available in PEM-encoded format.
- Open your install-config.yaml file.
- Add the additionalTrustBundle parameter with your PEM-encoded CA certificate:

      apiVersion: v1
      baseDomain: my.domain.com
      metadata:
        name: my-cluster
      additionalTrustBundle: |
        -----BEGIN CERTIFICATE-----
        <MY_PEM_ENCODED_CA_CERT>
        -----END CERTIFICATE-----

  where:

  additionalTrustBundle
      Specifies the custom CA certificate that you want the cluster to trust. The installation program uses the certificate to generate a user-ca-bundle ConfigMap object in the openshift-config namespace.

- Save the install-config.yaml file and continue with your cluster installation.
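
A pre-flight check for the procedure above, as an added example that is not part of the original documentation or of the installation program: it rejects a bundle that contains anything other than CERTIFICATE blocks (for example a private key pasted by mistake) and renders the additionalTrustBundle key with the indentation a YAML literal block needs. The function names and the sample input are constructed for illustration, and the check does not verify that the certificate is a valid CA.

```python
import base64
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def check_bundle(pem_text):
    """Return the normalized certificate blocks in pem_text, or raise ValueError."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no complete PEM blocks found")
    # Anything left after removing the blocks is stray or truncated text.
    if PEM_BLOCK.sub("", pem_text).strip():
        raise ValueError("text outside PEM blocks (truncated or badly pasted?)")
    certs = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            # A trust bundle holds public certificates only, never key material.
            raise ValueError(f"unexpected PEM block type: {label}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
            raise ValueError("decoded body is not a DER SEQUENCE")
        # Re-emit with LF line endings so CRLF input cannot corrupt the YAML.
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(body.split())
                     + "\n-----END CERTIFICATE-----")
    return certs


def render_trust_bundle(pem_text):
    """Render the additionalTrustBundle key as a YAML literal block."""
    lines = "\n".join(check_bundle(pem_text)).splitlines()
    return "additionalTrustBundle: |\n" + "".join(f"  {line}\n" for line in lines)


# Constructed sample: a tiny DER SEQUENCE with CRLF endings, not a real certificate.
SAMPLE = "-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    print(render_trust_bundle(SAMPLE), end="")
```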