CNTRLPLANE-1752: Add PKI API to config.openshift.io/v1alpha1

[sanchezl]

Summary

This PR introduces the PKI API (config.openshift.io/v1alpha1) behind the ConfigurablePKI feature gate (TechPreview / DevPreview). It provides a cluster-scoped singleton resource that allows administrators to configure the cryptographic parameters (key algorithm, key size, elliptic curve) used for internally-managed certificates — including signer (CA), serving (TLS), and client certificates — with per-category overrides on top of a required set of defaults.

API Structure

graph TD
    PKI["<b>PKI</b><br/><i>cluster-scoped singleton</i>"]
    PKISpec["<b>spec</b>"]
    CertMgmt["<b>certificateManagement</b><br/><i>union</i>"]
    Mode["<b>mode</b><br/><i>Unmanaged | Default | Custom</i>"]
    Custom["<b>custom</b><br/><i>required when mode=Custom</i>"]
    Defaults["<b>defaults</b> <i>(required)</i>"]
    Signers["<b>signerCertificates</b> <i>(optional)</i>"]
    Serving["<b>servingCertificates</b> <i>(optional)</i>"]
    Client["<b>clientCertificates</b> <i>(optional)</i>"]
    KeyConfig["<b>key</b><br/><i>union: algorithm</i>"]
    RSA["<b>rsa</b><br/>keySize: 2048–8192<br/><i>(multiples of 1024)</i>"]
    ECDSA["<b>ecdsa</b><br/>curve: P256 | P384 | P521"]

    PKI --> PKISpec --> CertMgmt
    CertMgmt --> Mode
    CertMgmt --> Custom
    Custom --> Defaults
    Custom --> Signers
    Custom --> Serving
    Custom --> Client
    Defaults --> KeyConfig
    Signers -.->|"optional override"| KeyConfig
    Serving -.->|"optional override"| KeyConfig
    Client -.->|"optional override"| KeyConfig
    KeyConfig --> RSA
    KeyConfig --> ECDSA

Loading

Modes

• Unmanaged — The cluster does not manage certificate parameters; an external system is expected to handle PKI.
• Default — The cluster uses its built-in default cryptographic settings (current behaviour).
• Custom — The administrator provides explicit cryptographic parameters via custom. A defaults block is required; optional per-category overrides (signerCertificates, servingCertificates, clientCertificates) take precedence when present.

Example (Custom mode with ECDSA defaults, RSA override for signers)

apiVersion: config.openshift.io/v1alpha1
kind: PKI
metadata:
  name: cluster
spec:
  certificateManagement:
    mode: Custom
    custom:
      defaults:
        key:
          algorithm: ECDSA
          ecdsa:
            curve: P384
      signerCertificates:
        key:
          algorithm: RSA
          rsa:
            keySize: 4096

Links

• Enhancement: CNTRLPLANE-1751: Configurable PKI for OpenShift Internal Certificates enhancements#1882
• Jira: CNTRLPLANE-1752

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new cluster-scoped PKI custom resource under config/v1alpha1 and registers PKI and PKIList in the scheme. Introduces PKI API types (PKI, PKISpec, PKICertificateManagement, PKIProfile, CustomPKIPolicy, CertificateConfig, KeyConfig with RSA/ECDSA, overrides and enums) and PKIList. Adds autogenerated deepcopy methods, generated Swagger docs, a feature-gated CRD manifest entry for pkis.config.openshift.io (ConfigurablePKI), and test YAML covering ConfigurablePKI create/update cases.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a new PKI API to the config.openshift.io/v1alpha1 API group, which is the primary purpose of this changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description check	✅ Passed	The PR description clearly outlines the PKI API introduction, its structure, modes, and provides concrete examples related to the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @sanchezl! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[sanchezl]

/test required

[sanchezl]

/test unit
/test verify
/test verify-client-go
/test verify-crd-schema
/test verify-crdify
/test verify-deps
/test verify-feature-promotion

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-1752 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

• Add PKI API to config.openshift.io/v1alpha1
• make update

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sanchezl]

/retest-required

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[sanchezl]

/verified by CI

[openshift-ci-robot]

@sanchezl: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sanchezl]

/retest required

[sanchezl]

/retest

[everettraven]

@sanchezl It looks like the 1.35 rebase cause some minor updates that need to be made here for verify to pass.

Rebasing on the master branch latest changes and then running PROTO_OPTIONAL=true make update should fix this up

[everettraven]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [everettraven]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sanchezl]

/verified by CI

[openshift-ci-robot]

@sanchezl: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sanchezl]

/retest

[sanchezl]

/retest

[openshift-ci]

@sanchezl: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.