Changing the Ingress Controller Operator Certificate

The ingress operator configures the ingress controller to route traffic into the OKD environment. The certificate used by the ingress controller can be updated so that it uses a certificate signed by a recognized certificate authority, or by your own enterprise CA.

Changing the ingress controller operator to use a different certificate and its associated key only requires a handful of steps. Before starting this process, you need:

  • The new certificate and key in PEM format.
  • The certificate must have a subjectAltName extension of *.apps.<OPENSHIFT-DOMAIN>, such as *, that enables using the certificate as a wildcard certificate for the .apps subdomain.

To begin, create a new configuration map in the openshift-config namespace. Prefix the file path with ca-bundle.crt= to name the data key in the configuration map as cabundle.crt. This configuration map can contain one or more certificates.

For example, you can combine the new wildcard certificate and the certificate authority used to sign the wildcard certificate into one file. Add these certificates to the certificate bundle if additional certificates are needed to proxy out of your cluster.

Although it may not seem intuitive, some OKD components communicate with each other using external-facing URLs. Adding your certificates to the cluster proxy ensures that your web console pods can trust the authentication pods and vice versa.

This step is not needed if the certificate is signed by a certificate authority that already exists in the Red Hat CoreOS (RHCOS) trust bundle.

oc create configmap <CONFIGMAP-NAME> \
> --from-file ca-bundle.crt=<PATH-TO-CERTIFICATE> \
> -n openshift-config

Configure the cluster proxy to use the new configuration map. This step injects the certificate information contained in your configuration map into other configuration maps labeled with

As with the preceding step, this step is not needed if the certificate is signed by a certificate authority that already exists in the RHCOS trust bundle.

There are several ways to modify the cluster proxy, such as using oc edit, oc patch, or modifying a configuration file under version control and then using oc apply.

Additional changes to the cluster proxy can support a custom PKI infrastructure.

oc patch proxy/cluster --type=merge \
> --patch='{"spec":{"trustedCA":{"name":"<CONFIGMAP-NAME>"}}}'

Create a new TLS secret in the openshift-ingress namespace using the new certificate and its corresponding key. The OKD ingress operator uses this secret.

oc create secret tls <SECRET-NAME> \
> --key <PATH-TO-KEY> \
> -n openshift-ingress

Modify the default ingress controller operator in the openshift-ingress-operator namespace so that defaultCertificate uses the newly created secret.

oc patch ingresscontroller.operator/default --type=merge \
> --patch='{"spec":{"defaultCertificate":{"name":"<SECRET-NAME>"}}}' \
> -n openshift-ingress-operator

If the change is successful, then new router pods in the openshift-ingress namespace deploy and change to a status of running.

watch oc get pods -n openshift-ingress