mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/hcp-kube-api-server-cert.adoc
2025-08-28 18:21:00 +00:00


// Module included in the following assemblies:
//
// * hosted-control-planes/hcp-certificates.adoc
:_mod-docs-content-type: PROCEDURE
[id="hcp-kube-api-server-cert_{context}"]
= Configuring the Kubernetes API server for a hosted cluster

If you want to customize the Kubernetes API server for your hosted cluster, complete the following steps.

.Prerequisites
* You have a running hosted cluster.
* You have access to modify the `HostedCluster` resource.
* You have a custom DNS domain to use for the Kubernetes API server.
+
** The custom DNS domain must be properly configured and resolvable.
** The DNS domain must have valid TLS certificates configured.
** Network access to the domain must be properly configured in your environment.
** The custom DNS domain must be unique across your hosted clusters.
* You have a configured custom certificate. For more information, see "Configuring a custom API server certificate in a hosted cluster".

.Procedure
. In your provider platform, configure the DNS record so that the `kubeAPIServerDNSName` URL points to the IP address where the Kubernetes API server is exposed. The DNS record must be properly configured and resolvable from your cluster.
+
.Example command to verify the DNS record
[source,terminal]
----
$ dig +short <kubeAPIServerDNSName>
----
. In your `HostedCluster` specification, modify the `kubeAPIServerDNSName` field, as shown in the following example:
+
[source,yaml]
----
apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  name: <hosted_cluster_name>
  namespace: <hosted_cluster_namespace>
spec:
  configuration:
    apiServer:
      servingCerts:
        namedCertificates:
        - names: <1>
          - api-custom-cert-sample-hosted.sample-hosted.example.com
          servingCertificate: <2>
            name: sample-hosted-kas-custom-cert
  kubeAPIServerDNSName: api-custom-cert-sample-hosted.sample-hosted.example.com <3>
# ...
----
<1> The list of DNS names that the certificate is valid for. The names listed in this field cannot be the same as the names specified in the `spec.servicePublishingStrategy.*hostname` field.
<2> The name of the secret that contains the custom certificate.
<3> This field accepts a URI that will be used as the API server endpoint.
. Apply the configuration by entering the following command:
+
[source,terminal]
----
$ oc apply -f <hosted_cluster_spec>.yaml
----
+
After the configuration is applied, the HyperShift Operator generates a new `kubeconfig` secret that points to your custom DNS domain.
. Retrieve the `kubeconfig` secret by using the CLI or the console.
+
.. To retrieve the secret by using the CLI, enter the following command:
+
[source,terminal]
----
$ kubectl get secret <hosted_cluster_name>-custom-admin-kubeconfig \
    -n <cluster_namespace> \
    -o jsonpath='{.data.kubeconfig}' | base64 -d
----
+
.. To retrieve the secret by using the console, go to your hosted cluster and click **Download Kubeconfig**.
+
[NOTE]
====
You cannot consume the new `kubeconfig` secret by using the **show login command** option in the console.
====
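
The following pre-apply check is an added example, not part of the original module or of HyperShift. It lints a `HostedCluster` manifest for the constraint in callout 1 (certificate names must not repeat a `servicePublishingStrategy` hostname) and for a `kubeAPIServerDNSName` that no `namedCertificates` entry covers. The `spec.services` layout, the `api.sample-hosted.example.com` hostname, and all function names are assumptions made for illustration.

```python
"""Pre-apply lint for a HostedCluster manifest (added example, not HyperShift code)."""

# Constructed sample: the page's example plus an assumed services entry.
SAMPLE = {"spec": {
    "services": [{"service": "APIServer", "servicePublishingStrategy": {
        "type": "Route", "route": {"hostname": "api.sample-hosted.example.com"}}}],
    "configuration": {"apiServer": {"servingCerts": {"namedCertificates": [{
        "names": ["api-custom-cert-sample-hosted.sample-hosted.example.com"],
        "servingCertificate": {"name": "sample-hosted-kas-custom-cert"}}]}}},
    "kubeAPIServerDNSName": "api-custom-cert-sample-hosted.sample-hosted.example.com",
}}

def _strategy_hostnames(node, inside=False):
    """Yield every `hostname` value found under a `servicePublishingStrategy` key."""
    if isinstance(node, dict):
        for key, value in node.items():
            if inside and key == "hostname" and isinstance(value, str):
                yield value.lower().rstrip(".")
            else:
                yield from _strategy_hostnames(value, inside or key == "servicePublishingStrategy")
    elif isinstance(node, list):
        for item in node:
            yield from _strategy_hostnames(item, inside)

def _covers(pattern, host):
    """TLS name match: a leading `*.` wildcard covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def lint_hosted_cluster(manifest):
    """Return a list of findings; an empty list means both checks passed."""
    spec = manifest.get("spec", {})
    dns_name = spec.get("kubeAPIServerDNSName", "")
    certs = (spec.get("configuration", {}).get("apiServer", {})
             .get("servingCerts", {}).get("namedCertificates", []))
    cert_names = [n for c in certs for n in c.get("names", [])]
    published = set(_strategy_hostnames(spec))
    findings = []
    if not dns_name:
        findings.append("spec.kubeAPIServerDNSName is not set")
    elif not any(_covers(n, dns_name) for n in cert_names):
        findings.append(f"no namedCertificates entry covers {dns_name}")
    for name in cert_names:
        if name.lower().rstrip(".") in published:
            findings.append(f"{name} duplicates a servicePublishingStrategy hostname")
    return findings
```

Load your own manifest into a dictionary with a YAML parser and pass it to `lint_hosted_cluster` before you apply the configuration.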