When you install {productname-long}, OpenShift automatically applies a default Certificate Authority (CA) bundle to manage authentication for most {productname-short} components, such as workbenches and model servers. These certificates are trusted self-signed certificates that help secure communication. However, as a cluster administrator, you might need to configure additional self-signed certificates to use some components, such as the data science pipeline server and object storage solutions. If an {productname-short} component uses a self-signed certificate that is not part of the existing cluster-wide CA bundle, you have the following options for including the certificate:
-
Add it to the OpenShift cluster-wide CA bundle.
-
Add it to a custom CA bundle, separate from the cluster-wide CA bundle.
As a cluster administrator, you can also change how to manage authentication for {productname-short} as follows:
-
Manually manage certificate changes, instead of relying on the {productname-short} Operator to handle them automatically.
-
Remove the cluster-wide CA bundle, either from all namespaces or specific ones. If you prefer to implement a different authentication approach, other than using CA bundles, you can override the default {productname-short} behavior, as described in Removing the CA bundle from all namespaces and Removing the CA bundle from a single namespace.
If you must use a self-signed certificate that is not part of the existing cluster-wide CA bundle, you have two options for configuring the certificate:
-
Add it to the cluster-wide CA bundle.
This option is useful when the certificate is needed for secure communication across multiple services or when it’s required by security policies to be trusted cluster-wide. This option ensures that all services and components in the cluster trust the certificate automatically. It simplifies management because the certificate is trusted across the entire cluster, avoiding the need to configure the certificate separately for each service.
-
Add it to a custom CA bundle that is separate from the OpenShift cluster-wide bundle.
Consider this option for the following scenarios:
-
Limit scope: Only specific services need the certificate, not the whole cluster.
-
Isolation: Keeps custom certificates separate, preventing changes to the global configuration.
-
Avoid global impact: Does not affect services that do not need the certificate.
-
Easier management: Makes it simpler to manage certificates for specific services.
-
Some {productname-short} components have additional options or required configuration for self-signed certificates.
If you prefer to implement a different authentication approach for your {productname-short} installation, you can override the default behavior by removing the CA bundle.
You have two options for removing the CA bundle:
-
Remove the CA bundle from all non-reserved projects in {productname-short}.
-
Remove the CA bundle from a specific project.