Parameters

The parent key for all of the following parameters is openshift4_api.

servingCerts

type

object

default

{}

servingCerts provides TLS certificates for serving API traffic. This is a key-value map defining multiple named certificates. If the parameter has value null no serving certificates will be configured on the API server.

Each entry needs to specify which host name it matches and provide a certificate. Entries can have value null, in which case they’re skipped. The certificate can be provided in two ways:

  • secret: The provided entry is deployed onto the cluster as a Kubernetes Secret with type=kubernetes.io/tls. The dictionary values are directly merged into a Secret resource which only has type=kubernetes.io/tls set.

  • cert: A certificate is generated using cert-manager, by deploying the entry as a Certificate resource. The dictionary values are then directly merged into the mostly empty Certificate resources.

If no certificate is specified or no name matches the server name, the operator managed certificates will be used for serving secure traffic.

Example

servingCerts:
  "foo":
    names:
      - "foo.vshn.ch"
    secret:
      stringData:
        tls.crt: "THECERTTIFICATE"
        tls.key: "THEKEY"
  "bar":
    names:
      - "bar.vshn.ch"
      - "buzz.vshn.ch"
    secret: null
    cert:
      subject:
        organizations:
          - projectsyn
      issuerRef:
        name: letsencrypt-production
        kind: ClusterIssuer

apiServerSpec

type

object

default
audit:
  profile: 'Default'

The APIServer config specification. The dictionary values are directly merged into the spec of the APIServer resource.

Configuring field servingCerts in this parameter won’t have an effect, as that field is overwritten by the contents of parameter servingCerts.

Example

additionalCORSAllowedOrigins: []
apiServerSpec:
  audit:
    profile: 'Default'
  clientCA:
    name: internal-ca
  encryption:
    type: aescbc
  tlsSecurityProfile:
    old: {}
    type: Old
servingCerts:
  "foo":
    names:
      - "foo.vshn.ch"
    secret:
      stringData:
        tls.crt: "THECERTTIFICATE"
        tls.key: "THEKEY"
  "bar":
    names:
      - "bar.vshn.ch"
      - "buzz.vshn.ch"
    secret: null
    cert:
      subject:
        organizations:
          - projectsyn
      issuerRef:
        name: letsencrypt-production
        kind: ClusterIssuer
  "baz": null

apiServerAnnotations

type

object

default

{}

Additional annotations to apply to the APIServer resource on the cluster. Users can remove annotations from the resource by setting the annotation value to null. The component applies the following annotations by default:

oauth-apiserver.openshift.io/secure-token-storage: 'true',
release.openshift.io/create-only: 'true',

In addition to the annotations listed above, the annotation argocd.argoproj.io/sync-wave='10' is applied to the APIServer resource after the user-provided annotations are applied. This is done to ensure that the APIServer resource is configured after all certificate secrets are available in the cluster.