adding-a-ca-bundle-after-upgrading.adoc

File metadata and controls

113 lines (92 loc) · 6.03 KB

Adding a CA bundle after upgrading

There are two ways to add a Certificate Authority (CA) bundle to {productname-short}. You can use one or both of these methods:

  • For {openshift-platform} clusters that rely on self-signed certificates, you can add those self-signed certificates to a cluster-wide Certificate Authority (CA) bundle (ca-bundle.crt) and use the CA bundle in {productname-long}.

  • You can use self-signed certificates in a custom CA bundle (odh-ca-bundle.crt) that is separate from the cluster-wide bundle.

Prerequisites
  • You have admin access to the DSCInitialization resources in the {openshift-platform} cluster.

  • You installed the OpenShift command line interface (oc) as described in Installing the OpenShift CLI.

Procedure
  1. Log in to the {openshift-platform} as a cluster administrator.

  2. Click Operators → Installed Operators and then click the {productname-long} Operator.

  3. Click the DSC Initialization tab.

  4. Click the default-dsci object.

  5. Click the YAML tab.

  6. Add the following to the spec section, setting the managementState field to Managed:

    spec:
      trustedCABundle:
        managementState: Managed
        customCABundle: ""
  7. If you want to use self-signed certificates added to a cluster-wide CA bundle, log in to the {openshift-platform} as a cluster administrator and follow the steps described in Configuring the cluster-wide proxy during installation.

  8. If you want to use self-signed certificates in a custom CA bundle that is separate from the cluster-wide bundle, follow these steps:

    1. Add the custom certificate to the customCABundle field of the default-dsci object, as shown in the following example:

      spec:
        trustedCABundle:
          managementState: Managed
          customCABundle: |
            -----BEGIN CERTIFICATE-----
            examplebundle123
            -----END CERTIFICATE-----
    2. Click Save.

      The {productname-long} Operator creates an odh-trusted-ca-bundle ConfigMap containing the certificates in all new and existing non-reserved namespaces.

Verification
  • If you are using a cluster-wide CA bundle, run the following command to verify that all non-reserved namespaces contain the odh-trusted-ca-bundle ConfigMap:

    $ oc get configmaps --all-namespaces -l app.kubernetes.io/part-of=opendatahub-operator | grep odh-trusted-ca-bundle
  • If you are using a custom CA bundle, run the following command to verify that a non-reserved namespace contains the odh-trusted-ca-bundle ConfigMap and that the ConfigMap contains your customCABundle value. In the following command, example-namespace is the non-reserved namespace and examplebundle123 is the customCABundle value.

    $ oc get configmap odh-trusted-ca-bundle -n example-namespace -o yaml | grep examplebundle123
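
The grep check above matches only a substring of one certificate. As an added example (not part of the original documentation), the following script compares every certificate in a local bundle with the ConfigMap content by SHA-256 fingerprint, so a bundle that was saved only in part is reported. It assumes the custom bundle is stored under the odh-ca-bundle.crt key of the ConfigMap; my-ca.pem and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the product documentation). Needs awk, base64, sha256sum.

# Read PEM text on stdin and print the SHA-256 of each certificate's decoded
# bytes, one per line. Indentation and line wrapping do not change the result.
pem_fingerprints() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { if (in_cert && body != "") print body; in_cert = 0; next }
    in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
  ' | while IFS= read -r b64; do
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
  done | sort -u
}

# $1: local bundle file. $2: PEM text saved from the ConfigMap.
# Prints "MISSING <fingerprint>" for each local certificate absent from $2.
# Returns 0 if all are present, 1 if any is missing, 2 if $1 has no certificate.
check_bundle_propagated() {
  want=$(pem_fingerprints < "$1")
  have=$(pem_fingerprints < "$2")
  [ -n "$want" ] || { echo "no certificate found in $1" >&2; return 2; }
  missing=0
  for fp in $want; do
    printf '%s\n' "$have" | grep -qx "$fp" || { echo "MISSING $fp"; missing=1; }
  done
  return "$missing"
}

# Constructed sample: the page's placeholder body plus a second made-up body.
# Neither is a real certificate; only the decoded bytes are compared.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'examplebundle123' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'c2Vjb25kLWNhLWJ5dGVz' '-----END CERTIFICATE-----' > "$dir/local.pem"
  # ConfigMap content as if only the first certificate had been saved (indented).
  printf '    %s\n' '-----BEGIN CERTIFICATE-----' 'examplebundle123' '-----END CERTIFICATE-----' > "$dir/cm.pem"
  rc=0
  check_bundle_propagated "$dir/local.pem" "$dir/cm.pem" || rc=$?
  rm -rf "$dir"
  return "$rc"
}

# Real use (assumes the custom bundle sits under the odh-ca-bundle.crt key;
# my-ca.pem is a hypothetical local file):
#   oc get configmap odh-trusted-ca-bundle -n example-namespace \
#     -o jsonpath='{.data.odh-ca-bundle\.crt}' > cm.pem
#   check_bundle_propagated my-ca.pem cm.pem
demo || true
```

For real certificates the printed values equal the SHA-256 fingerprints of the DER encoding, so they can be matched against fingerprints recorded elsewhere.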