mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
28 lines
1.5 KiB
Plaintext
28 lines
1.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/certificates/updating-ca-bundle.adoc
|
|
|
|
:_mod-docs-content-type: SNIPPET
|
|
[id="ca-bundle-understanding_{context}"]
|
|
= Understanding the CA Bundle certificate
|
|
|
|
Proxy certificates allow users to specify one or more custom certificate authority (CA) used by platform components when making egress connections.
|
|
|
|
The `trustedCA` field of the Proxy object is a reference to a config map that contains a user-provided trusted certificate authority (CA) bundle. This bundle is merged with the {op-system-first} trust bundle and injected into the trust store of platform components that make egress HTTPS calls. For example, `image-registry-operator` calls an external image registry to download images. If `trustedCA` is not specified, only the {op-system} trust bundle is used for proxied HTTPS connections. Provide custom CA certificates to the {op-system} trust bundle if you want to use your own certificate infrastructure.
|
|
|
|
The `trustedCA` field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from required key `ca-bundle.crt` and copying it to a config map named `trusted-ca-bundle` in the `openshift-config-managed` namespace. The namespace for the config map referenced by `trustedCA` is `openshift-config`:
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: user-ca-bundle
|
|
namespace: openshift-config
|
|
data:
|
|
ca-bundle.crt: |
|
|
-----BEGIN CERTIFICATE-----
|
|
Custom CA certificate bundle.
|
|
-----END CERTIFICATE-----
|
|
----
|