From 1f2eca6a8ba1baa59a0791c1caf20131ac31556a Mon Sep 17 00:00:00 2001 From: James Hewitt Date: Mon, 20 Jan 2025 14:24:20 +0000 Subject: [PATCH 1/2] Add information about the openshift-service-ca.crt ConfigMap The openshift kube-controller-manager maintains a ConfigMap in every namespace that publishes the service serving certificate CA. Adding it to the documentation for users. Signed-off-by: James Hewitt --- ...ess-default-service-serving-configmap.adoc | 33 +++++++++++++++++++ .../service-serving-certificate.adoc | 2 ++ 2 files changed, 35 insertions(+) create mode 100644 modules/customize-certificates-access-default-service-serving-configmap.adoc diff --git a/modules/customize-certificates-access-default-service-serving-configmap.adoc b/modules/customize-certificates-access-default-service-serving-configmap.adoc new file mode 100644 index 000000000000..c84c663d932e --- /dev/null +++ b/modules/customize-certificates-access-default-service-serving-configmap.adoc @@ -0,0 +1,33 @@ +// Module included in the following assemblies: +// +// * security/certificates/service-serving-certificate.adoc + +:_mod-docs-content-type: PROCEDURE +[id="access-default-service-serving-configmap_{context}"] += Access the service CA bundle in the default configmap + +A pod can access the service CA certificate by mounting the default +`ConfigMap` object that exists in every project. The service CA +certificate is in the `service-ca.crt` key of the `openshift-service-ca.crt` +config map. Access to this CA certificate allows TLS clients to verify +connections to services using service serving certificates. + +.Procedure + +. View the config map to ensure that the service CA bundle is available: ++ +[source,terminal] +---- +$ oc get configmap openshift-service-ca.crt -o yaml +---- ++ +The CA bundle is displayed as the value of the `service-ca.crt` key in the YAML output: ++ +[source,terminal] +---- +apiVersion: v1 +data: + service-ca.crt: | + -----BEGIN CERTIFICATE----- +... +---- 
diff --git a/security/certificates/service-serving-certificate.adoc b/security/certificates/service-serving-certificate.adoc index 5f45ab2296aa..606e2ff42700 100644 --- a/security/certificates/service-serving-certificate.adoc +++ b/security/certificates/service-serving-certificate.adoc @@ -14,6 +14,8 @@ include::modules/customize-certificates-add-service-serving.adoc[leveloffset=+1] .Additional resources * You can use a service certificate to configure a secure route using reencrypt TLS termination. For more information, see xref:../../networking/routes/secured-routes.adoc#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes[Creating a re-encrypt route with a custom certificate]. +include::modules/customize-certificates-access-default-service-serving-configmap.adoc[leveloffset=+1] + include::modules/customize-certificates-add-service-serving-configmap.adoc[leveloffset=+1] include::modules/customize-certificates-add-service-serving-apiservice.adoc[leveloffset=+1] From 3ec9a6eb2dfb045b3250e6fdffa0937abcd9f6d8 Mon Sep 17 00:00:00 2001 From: James Hewitt Date: Tue, 21 Jan 2025 11:12:02 +0000 Subject: [PATCH 2/2] RedHat.CaseSensitiveTerms: Use 'config map' rather than 'configmap' Signed-off-by: James Hewitt --- ...e-certificates-access-default-service-serving-configmap.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/customize-certificates-access-default-service-serving-configmap.adoc b/modules/customize-certificates-access-default-service-serving-configmap.adoc index c84c663d932e..8008fb8dfe1e 100644 --- a/modules/customize-certificates-access-default-service-serving-configmap.adoc +++ b/modules/customize-certificates-access-default-service-serving-configmap.adoc 
@@ -4,7 +4,7 @@ :_mod-docs-content-type: PROCEDURE [id="access-default-service-serving-configmap_{context}"] -= Access the service CA bundle in the default configmap += Access the service CA bundle in the default config map A pod can access the service CA certificate by mounting the default `ConfigMap` object that exists in every project. The service CA
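Review bot: The procedure in the new module (first hunk, `customize-certificates-access-default-service-serving-configmap.adoc`) ends after `$ oc get configmap openshift-service-ca.crt -o yaml`, yet the heading and the opening paragraph promise that a pod accesses the CA "by mounting the default `ConfigMap` object"; add a step that shows the pod side, a volume referencing the `openshift-service-ca.crt` config map and the client's CA bundle path pointing at the mounted `service-ca.crt` key, so readers end up verifying service serving certificates against this CA rather than stopping at inspecting it. The second listing in the same hunk is YAML output (`apiVersion: v1`, `data:`), not a terminal session, so `[source,yaml]` is the better source attribute than `[source,terminal]` there.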
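Review bot: PATCH 2/2 only corrects the heading that PATCH 1/2 introduced (`= Access the service CA bundle in the default configmap` becomes `... default config map`), so it should be squashed into the first commit instead of landing as a separate lint-fix commit; the module file name and the `id="access-default-service-serving-configmap_{context}"` attribute keep the one-word form, which is appropriate for identifiers but worth confirming against the RedHat.CaseSensitiveTerms rule named in the subject before merging.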