The default API server certificate is issued by an internal {product-title} cluster CA. You can add additional certificates to the API server to send based on the client’s requested URL, such as when a reverse proxy or load balancer is used.
-
You must have the certificate and key, in the PEM format, for the client’s URL.
-
The certificate must be issued for the URL used by the client to reach the API server.
-
The certificate must have the
subjectAltNameextension for the URL.
|
Warning
|
Do not provide a named certificate for the internal load balancer (host
name |
-
Create a secret that contains the certificate and key in the
openshift-confignamespace.$ oc create secret tls <certificate> \//(1) --cert=</path/to/cert.crt> \//(2) --key=</path/to/cert.key> \//(3) -n openshift-config-
<certificate>is the name of the secret that will contain the certificate. -
</path/to/cert.crt>is the path to the certificate on your local file system. -
</path/to/cert.key>is the path to the private key associated with this certificate.
-
-
Update the API server to reference the created secret.
$ oc patch apiserver cluster \ --type=merge -p \ '{"spec":{"servingCerts": {"namedCertificates": [{"names": ["<hostname>"], //(1) "servingCertificate": {"name": "<certificate>"}}]}}}' (2)-
Replace
<hostname>with the hostname that the API server should provide the certificate for. -
Replace
<certificate>with the name used for the secret in the previous step.
-
-
Examine the
apiserver/clusterobject and confirm the secret is now referenced.$ oc get apiserver cluster -o yaml ... spec: servingCerts: namedCertificates: - names: - <hostname> servingCertificate: name: <certificate> ...