Chapter 5. Using your own certificate authority bundle

Procedure

1. Log in to OpenShift from the command line:

   Syntax

   oc login --token=TOKEN --server=SERVER_URL_AND_PORT

   Example

   $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

   Note

   You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

2. Switch to the RHTAS project:

   Example

   $ oc project trusted-artifact-signer

3. Create a new ConfigMap by using your organization’s CA root certificate bundle:

   Example

   $ oc create configmap custom-ca-bundle --from-file=ca-bundle.crt

   Important

   The certificate filename must be ca-bundle.crt.

4. Open the Securesign resource for editing:

   Example

   $ oc edit Securesign securesign-sample

   1. Add the rhtas.redhat.com/trusted-ca under the metadata.annotations section:

      Example

      apiVersion: rhtas.redhat.com/v1alpha1
      kind: Securesign
      metadata:
        name: example-instance
        annotations:
      	rhtas.redhat.com/trusted-ca: custom-ca-bundle
      spec:
      ...

   2. Save, and quit the editor.

5. Open the Fulcio resource for editing:

   Example

   $ oc edit Fulcio securesign-sample

   1. Add the rhtas.redhat.com/trusted-ca under the metadata.annotations section:

      Example

      apiVersion: rhtas.redhat.com/v1alpha1
      kind: Fulcio
      metadata:
        name: example-instance
        annotations:
          rhtas.redhat.com/trusted-ca: custom-ca-bundle
      spec:
      ...

   2. Save, and quit the editor.
6. Wait for the RHTAS operator to reconfigure before signing and verifying artifacts.