OKD Certificates

OKD needs several TLS certificates to run. The required certificates include certificates for internal communication between nodes and services, and certificates for external communication that depends on OKD routes and ingresses.

OKD relies on several resources to be able to use your organization's certificates, including:

  • Configuration maps
  • Secrets
  • Custom resources, such as apiserver

When you configure OKD to use your organization's certificates for the ingress controller operator or the API server, you can troubleshoot these certificates in several ways: reviewing the resource in the web console, using the command-line interface, or using tools such as openssl.

One critical administrative task is the monitoring of custom certificate expiry dates, and the renewal of those certificates before production is affected. OKD makes it possible to update certificates without disrupting the applications.
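One way to script the expiry check described above with oc and openssl (an added example, not code from the OKD documentation). The function names, the status words and the 30-day default window are assumptions; the namespace and secret name are supplied by the caller.

```shell
#!/bin/sh
# Added example: report whether the certificate in an OKD TLS secret is near expiry.
# Requires oc (logged in), openssl and base64. Function names are illustrative.

# secret_cert NAMESPACE SECRET: print the PEM stored under tls.crt in a TLS secret.
secret_cert() {
  oc get secret "$2" -n "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# cert_status [THRESHOLD_DAYS]: read PEM on stdin and print one line:
#   OK|EXPIRING|EXPIRED <notAfter>, or INVALID if no certificate can be parsed.
# Only the first certificate in the input (the leaf in a chain file) is checked.
# Returns 0 for OK, 1 for EXPIRING/EXPIRED, 2 for INVALID.
cert_status() {
  cs_days="${1:-30}"          # assumed default warning window: 30 days
  cs_pem="$(cat)"
  cs_end="$(printf '%s\n' "$cs_pem" | openssl x509 -noout -enddate 2>/dev/null)" \
    || { echo "INVALID"; return 2; }
  cs_end="${cs_end#notAfter=}"
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! printf '%s\n' "$cs_pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED $cs_end"; return 1
  fi
  if ! printf '%s\n' "$cs_pem" \
      | openssl x509 -noout -checkend "$((cs_days * 86400))" >/dev/null 2>&1; then
    echo "EXPIRING $cs_end"; return 1
  fi
  echo "OK $cs_end"
}

# Usage: check-cert.sh NAMESPACE SECRET [THRESHOLD_DAYS]
if [ "$#" -ge 2 ]; then
  secret_cert "$1" "$2" | cert_status "${3:-30}"
fi
```

The non-zero exit status for EXPIRING, EXPIRED and INVALID lets a scheduled job or monitoring probe alert on the result without parsing the output.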

Multiple resources are responsible for ensuring that your organization's certificates are properly used, including secrets, configuration maps, and custom resources.

Operators monitor resources such as configuration maps or secrets and automatically redeploy the services responsible for serving the certificates.