To allow clients outside the cluster to validate the API server’s certificate, you can replace the default certificate with one that is issued by a public or organizational CA.
-
You must have a valid certificate and key in the PEM format.
-
Create a secret that contains the certificate and key in the
openshift-confignamespace.$ oc create secret tls <certificate> \//(1) --cert=</path/to/cert.crt> \//(2) --key=</path/to/cert.key> \//(3) -n openshift-config-
<certificate>is the name of the secret that will contain the certificate. -
</path/to/cert.crt>is the path to the certificate on your local file system. -
</path/to/cert.key>is the path to the private key associated with this certificate.
-
-
Update the API server to reference the created secret.
$ oc patch apiserver cluster \ --type=merge -p \ '{"spec": {"servingCerts": {"defaultServingCertificate": {"name": "<certificate>"}}}}' (1)-
Replace
<certificate>with the name used for the secret in the previous step.
-
-
Examine the
apiserver/clusterobject and confirm the secret is now referenced.$ oc get apiserver cluster -o yaml ... spec: servingCerts: defaultServingCertificate: name: <certificate> ...