ocpbugs-8882: configure an addditionl clientca for the openshiftapi server

nalhadef · nalhadef · commit 3c868b9c6a6b · 2023-10-24T11:38:53.000-04:00
diff --git a/modules/customize-certificates-api-add-named.adoc b/modules/customize-certificates-api-add-named.adoc
@@ -118,3 +118,22 @@ If `PROGRESSING` is showing `True`, wait a few minutes and try again.
 ====
 A new revision of the Kubernetes API server only rolls out if the API server named certificate is added for the first time. When the API server named certificate is renewed, a new revision of the Kubernetes API server does not roll out because the `kube-apiserver` pods dynamically reload the updated certificate.
 ====
+
+.Configure an additional clientCA for the OpenShift API server
+
+. Import the CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
++
+[source,terminal]
+----
+oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt
+----
++
+Patch the APIServer instance.
++
+[source, terminal]
+----
+oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+----
+
+After adding the new CA, any API request providing an x.509 client certificate signed by the new CA and matching a valid user is successfully authenticated.
+
