CNTRLPLANE-1751: Configurable PKI for OpenShift Internal Certificates

[sanchezl]

Summary

This enhancement introduces the ability to configure cryptographic parameters (key algorithm, key size, and elliptic curves) for certificates and keys generated internally by OpenShift components.

Motivation

Enterprise customers increasingly face stringent security compliance requirements that mandate specific cryptographic parameters for PKI infrastructure. Currently, OpenShift uses hardcoded defaults (primarily RSA 2048-bit keys) with no mechanism for administrators to adjust these parameters to meet organizational security requirements or compliance mandates.

Key Features

• New cluster-level PKI configuration resource in config.openshift.io/v1alpha1
• Support for RSA (2048, 3072, 4096) and ECDSA (P-256, P-384, P-521) algorithms
• Configuration at multiple granularity levels: global defaults, certificate categories (signer, serving, client), and specific named certificates
• Day-1 (installer) support for signer certificate configuration
• Day-2 (operator-driven) support for all certificate types
• Metrics and observability for certificate generation and compliance
• Backward compatible: clusters continue using existing defaults if not configured

Proposal Details

The enhancement includes:

• New PKI CRD in config.openshift.io/v1alpha1 API group
• ConfigurablePKI feature gate for controlled rollout
• Limited Day-1 configuration support via installer for long-lived signer certificates
• Individual operator integration for Day-2 certificate rotation
• Comprehensive validation, metrics, and support procedures

Tracking

• Jira: https://issues.redhat.com/browse/OCPSTRAT-2271
• Enhancement file: enhancements/security/internal-pki-config.md

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign shawn-hurley for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-1750 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.21.0" version, but no target version was set.

In response to this:

Summary

This enhancement introduces the ability to configure cryptographic parameters (key algorithm, key size, and elliptic curves) for certificates and keys generated internally by OpenShift components.

Motivation

Enterprise customers increasingly face stringent security compliance requirements that mandate specific cryptographic parameters for PKI infrastructure. Currently, OpenShift uses hardcoded defaults (primarily RSA 2048-bit keys) with no mechanism for administrators to adjust these parameters to meet organizational security requirements or compliance mandates.

Key Features

• New cluster-level PKI configuration resource in config.openshift.io/v1alpha1
• Support for RSA (2048, 3072, 4096) and ECDSA (P-256, P-384, P-521) algorithms
• Configuration at multiple granularity levels: global defaults, certificate categories (signer, serving, client), and specific named certificates
• Day-1 (installer) support for signer certificate configuration
• Day-2 (operator-driven) support for all certificate types
• Metrics and observability for certificate generation and compliance
• Backward compatible: clusters continue using existing defaults if not configured

Proposal Details

The enhancement includes:

• New PKI CRD in config.openshift.io/v1alpha1 API group
• ConfigurablePKI feature gate for controlled rollout
• Limited Day-1 configuration support via installer for long-lived signer certificates
• Individual operator integration for Day-2 certificate rotation
• Comprehensive validation, metrics, and support procedures

Tracking

• Jira: https://issues.redhat.com/browse/OCPSTRAT-2271
• Enhancement file: enhancements/security/internal-pki-config.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sanchezl]

/jira refresh

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-1750 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sanchezl: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

In response to this:

Summary

This enhancement introduces the ability to configure cryptographic parameters (key algorithm, key size, and elliptic curves) for certificates and keys generated internally by OpenShift components.

Motivation

Enterprise customers increasingly face stringent security compliance requirements that mandate specific cryptographic parameters for PKI infrastructure. Currently, OpenShift uses hardcoded defaults (primarily RSA 2048-bit keys) with no mechanism for administrators to adjust these parameters to meet organizational security requirements or compliance mandates.

Key Features

• New cluster-level PKI configuration resource in config.openshift.io/v1alpha1
• Support for RSA (2048, 3072, 4096) and ECDSA (P-256, P-384, P-521) algorithms
• Configuration at multiple granularity levels: global defaults, certificate categories (signer, serving, client), and specific named certificates
• Day-1 (installer) support for signer certificate configuration
• Day-2 (operator-driven) support for all certificate types
• Metrics and observability for certificate generation and compliance
• Backward compatible: clusters continue using existing defaults if not configured

Proposal Details

The enhancement includes:

• New PKI CRD in config.openshift.io/v1alpha1 API group
• ConfigurablePKI feature gate for controlled rollout
• Limited Day-1 configuration support via installer for long-lived signer certificates
• Individual operator integration for Day-2 certificate rotation
• Comprehensive validation, metrics, and support procedures

Tracking

• Jira: https://issues.redhat.com/browse/OCPSTRAT-2271
• Enhancement file: enhancements/security/internal-pki-config.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-1751 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.21.0" version, but no target version was set.

In response to this:

Summary

This enhancement introduces the ability to configure cryptographic parameters (key algorithm, key size, and elliptic curves) for certificates and keys generated internally by OpenShift components.

Motivation

Enterprise customers increasingly face stringent security compliance requirements that mandate specific cryptographic parameters for PKI infrastructure. Currently, OpenShift uses hardcoded defaults (primarily RSA 2048-bit keys) with no mechanism for administrators to adjust these parameters to meet organizational security requirements or compliance mandates.

Key Features

• New cluster-level PKI configuration resource in config.openshift.io/v1alpha1
• Support for RSA (2048, 3072, 4096) and ECDSA (P-256, P-384, P-521) algorithms
• Configuration at multiple granularity levels: global defaults, certificate categories (signer, serving, client), and specific named certificates
• Day-1 (installer) support for signer certificate configuration
• Day-2 (operator-driven) support for all certificate types
• Metrics and observability for certificate generation and compliance
• Backward compatible: clusters continue using existing defaults if not configured

Proposal Details

The enhancement includes:

• New PKI CRD in config.openshift.io/v1alpha1 API group
• ConfigurablePKI feature gate for controlled rollout
• Limited Day-1 configuration support via installer for long-lived signer certificates
• Individual operator integration for Day-2 certificate rotation
• Comprehensive validation, metrics, and support procedures

Tracking

• Jira: https://issues.redhat.com/browse/OCPSTRAT-2271
• Enhancement file: enhancements/security/internal-pki-config.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sanchezl: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/markdownlint	d72d81d	link	true	/test markdownlint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.