To add a custom CA certificate to your running {product-title} cluster, you can create a ConfigMap object with your certificate and reference it in the cluster Proxy object.
Note

When you modify the cluster
This procedure uses the trustedCA field in the Proxy object. If you also need to configure or modify egress proxy settings at the same time, see the "Configuring the cluster-wide proxy" chapter for detailed instructions.
- You have cluster-admin privileges.
- You have the {oc-first} installed.
- You have your custom CA certificate available in PEM-encoded format.

1. Create a ConfigMap object with your CA certificate.

   a. Create a YAML file named custom-ca.yaml to define the ConfigMap object.

   b. Add the following content to the file:

        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: custom-ca-bundle
          namespace: openshift-config
        data:
          ca-bundle.crt: |
            -----BEGIN CERTIFICATE-----
            <MY_PEM_ENCODED_CA_CERT>
            -----END CERTIFICATE-----

      where:

      metadata.name
        Specifies the name of the ConfigMap object that you will reference from the Proxy object.
      metadata.namespace
        Specifies the namespace of the ConfigMap object.
      data.ca-bundle.crt
        Specifies the data key for the certificate bundle.

   c. Apply the manifest to create the ConfigMap object in the cluster by running the following command:

        $ oc apply -f custom-ca.yaml

2. Reference the ConfigMap object in the cluster Proxy object.

   a. Update the cluster Proxy object to reference the ConfigMap object you just created by running the following command:

        $ oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"custom-ca-bundle"}}}'

      After you run this command, the Machine Config Operator (MCO) detects the change and begins distributing the new trusted CA to all nodes in the cluster.
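The two steps above, as an added POSIX shell helper that is not part of this documentation: it checks a PEM file for complete CERTIFICATE blocks and refuses any file that also carries private key material (the ConfigMap is for public CA certificates only), renders the ConfigMap manifest with the PEM indented under the ca-bundle.crt key, and emits the merge patch from step 2. The function names are hypothetical; the ConfigMap name, namespace and data key are those used on this page.

```shell
#!/bin/sh
# Hypothetical helper names (validate_pem_bundle, render_ca_configmap, proxy_patch);
# the manifest layout and patch body match the procedure on this page.

# validate_pem_bundle FILE
# Succeeds only if FILE holds one or more complete BEGIN/END CERTIFICATE pairs
# and no private key blocks of any kind.
validate_pem_bundle() {
    file=$1
    if grep -q 'PRIVATE KEY-----' "$file"; then
        echo "refusing $file: bundle contains private key material" >&2
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "refusing $file: expected matching BEGIN/END CERTIFICATE pairs, got $begins/$ends" >&2
        return 1
    fi
    return 0
}

# render_ca_configmap NAME FILE
# Prints the ConfigMap manifest, indenting every PEM line by four spaces so it
# sits under the literal block scalar of the ca-bundle.crt key.
render_ca_configmap() {
    name=$1
    file=$2
    validate_pem_bundle "$file" || return 1
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: openshift-config\ndata:\n  ca-bundle.crt: |\n' "$name"
    sed 's/^/    /' "$file"
}

# proxy_patch NAME
# Prints the merge patch that points spec.trustedCA at the ConfigMap.
proxy_patch() {
    printf '{"spec":{"trustedCA":{"name":"%s"}}}' "$1"
}

# Usage against a cluster (the two commands from the procedure):
#   render_ca_configmap custom-ca-bundle ca.pem | oc apply -f -
#   oc patch proxy/cluster --type=merge --patch="$(proxy_patch custom-ca-bundle)"
```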