service-ca is an Operator that creates a self-signed CA when an OpenShift Container Platform cluster is deployed.
A custom expiration term is not supported. The self-signed CA is stored in a secret with qualified name
service-ca/signing-key in fields
tls.key (private key), and
ca-bundle.crt (CA bundle).
Other services can request a service serving certificate by annotating a service resource with
service.beta.openshift.io/serving-cert-secret-name: <secret name>. In response, the Operator generates a new certificate, as
tls.crt, and private key, as
tls.key to the named secret. The certificate is valid for two years.
Other services can request that the CA bundle for the service CA be injected into
ConfigMap resources by annotating with
service.beta.openshift.io/inject-cabundle: true to support validating certificates generated from the service CA. In response, the Operator writes its current CA bundle to the
CABundle field of the
APIService resource or as
service-ca.crt to a config map.
As of OpenShift Container Platform 4.3.5, automated rotation is supported and is backported to some 4.2.z and 4.3.z releases. For any release supporting automated rotation, the service CA is valid for 26 months and is automatically refreshed when there is less than 13 months validity left. If necessary, you can manually refresh the service CA.
The service CA expiration of 26 months is longer than the expected upgrade interval for a supported OpenShift Container Platform cluster, such that non-control plane consumers of service CA certificates will be refreshed after CA rotation and prior to the expiration of the pre-rotation CA.
A manually-rotated service CA does not maintain trust with the previous service CA. You might experience a temporary service disruption until the Pods in the cluster are restarted, which ensures that Pods are using service serving certificates issued by the new service CA.
Services that use service CA certificates include:
This is not a comprehensive list.