openshift11 csr 证书续签管理

Managing Certificate Signing Requests

Cluster administrators can review certificate signing requests (CSRs) and approve or deny them.

Reviewing Certificate Signing Requests

You can review the list of certificate signing requests (CSRs).

• Get the list of current CSRs: 获取当前证书注册请求列表 $ oc get csr
• View the details of a CSR to verify that it is valid: $ oc describe csr <csr_name> <csr_name> is the name of a CSR from the list of current CSRs.

Approving Certificate Signing Requests

You can manually approve certificate signing requests (CSRs) by using the oc certificate approve command.

• Approve a CSR: 续签证书 $ oc adm certificate approve <csr_name> <csr_name> is the name of a CSR from the list of current CSRs.
• Approve all CSRs: $ oc get csr -o name | xargs oc adm certificate approve

Denying Certificate Signing Requests

You can manually deny certificate signing requests (CSRs) by using the oc certificate deny command.

• Deny a CSR: 拒绝证书 $ oc adm certificate deny <csr_name> <csr_name> is the name of a CSR from the list of current CSRs.

Configuring Automatic Approval of Certificate Signing Requests

开启证书自动续签--非常重要

You can configure automatic approval of node certificate signing requests (CSRs) by specifying adding the following parameter to your Ansible inventory file when installing your cluster:

openshift_master_bootstrap_auto_approve=true

Adding this parameter allows all CSRs generated by using the boostrap credential or from a previously authenticated node with the same host name to be approved without any administrator intervention.

参考链接：

https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html