Identifying Hidden TLS Certificates within OpenShift Secrets
1. Introduction
The Challenge
In OpenShift Container Platform, Kubernetes Secrets are the standard way to manage sensitive information such as TLS certificates. While the kubernetes.io/tls type is designated for this purpose, it is not uncommon for TLS certificates to be stored within Secrets of type Opaque.
When certificates are stored as Opaque, they are essentially “hidden” from standard cluster management and monitoring tools that are designed to look for the kubernetes.io/tls type. This can lead to significant operational risks:
- Unexpected Expirations: Certificates might expire without warning, as automated renewal systems may not be aware of their existence.
- Service Disruptions: Expired certificates can cause critical OpenShift components, such as the API server, Ingress Controller, or custom operators, to fail. This often results in pod restarts, API unavailability, and application downtime.
- Security Blind Spots: A lack of a complete inventory of all TLS certificates makes it difficult to enforce security policies and respond to vulnerabilities.
The Objective
To mitigate these risks, it is crucial to have a reliable method for discovering all TLS certificates within a cluster, regardless of the Secret type they are stored in. This document provides a robust script that scans every Secret in every namespace, decodes its data, and validates whether the content is a valid X.509 certificate. This proactive approach helps administrators maintain a complete certificate inventory and prevent outages caused by unforeseen expirations.
2. Certificate Discovery Script (Secrets Only)
The following Bash script automates finding all X.509 certificates stored in Secrets across an OpenShift cluster. It needs `oc` (logged in with permission to read Secrets in every namespace), `jq`, `openssl` and `base64` on the machine running it.
```bash
#!/bin/bash
# ==============================================================================
# Script Function: Iterate through all Secrets in all namespaces of an
# OpenShift cluster, decode their data, and identify any
# valid X.509 certificates.
# ==============================================================================
set -eo pipefail

# Get a list of all namespaces (customize the scope as needed).
# The following commented-out line excludes some common, large operator
# namespaces to speed up the scan. Adjust the filter to your requirements.
# NAMESPACES=$(oc get ns -o jsonpath='{.items[*].metadata.name}' | xargs -n1 | grep -vE "^(openshift-api-server|openshift-etcd|openshift-sdn|openshift-kni-infra|openshift-kube.*)$")
NAMESPACES=$(oc get ns -o jsonpath='{.items[*].metadata.name}' | xargs -n1)

echo "Starting scan for the following namespaces: "
echo "$NAMESPACES"
echo "========================================================================================================================"
printf "%-40s %-50s %-30s %-30s %-10s\n" "NAMESPACE" "SECRET_NAME" "SECRET_TYPE" "DATA_KEY" "IS_CERT?"
echo "========================================================================================================================"

# Iterate through each namespace
for ns in $NAMESPACES; do
  # Get all secrets in the current namespace in JSON format
  SECRETS_JSON=$(oc get secret -n "$ns" -o json)

  # Use jq to process each secret individually
  echo "$SECRETS_JSON" | jq -c '.items[] | {name: .metadata.name, type: .type, data: .data}' | while read -r secret_line; do
    SECRET_NAME=$(echo "$secret_line" | jq -r '.name')
    SECRET_TYPE=$(echo "$secret_line" | jq -r '.type')

    # Skip if the secret does not have a .data field
    if ! echo "$secret_line" | jq -e '.data' > /dev/null; then
      continue
    fi

    # Iterate through all keys under the .data field
    echo "$secret_line" | jq -r '.data | keys[]' | while read -r key; do
      # Extract and decode the value for the current key.
      # --arg passes the key to jq safely. tr drops NUL bytes from binary values
      # (e.g. PKCS#12 keystores) so bash does not warn about them, and "|| true"
      # keeps an undecodable value from aborting the whole scan under "set -e".
      DECODED_DATA=$(echo "$secret_line" | jq -r --arg k "$key" '.data[$k]' | base64 -d 2>/dev/null | tr -d '\0' || true)
      IS_CERT="No"

      # Check if the decoded data contains '-----BEGIN CERTIFICATE-----'
      # and then use openssl for final validation.
      if [[ "$DECODED_DATA" == *"-----BEGIN CERTIFICATE-----"* ]]; then
        # Use openssl to verify that it parses as an X.509 certificate.
        # -noout: Do not output the encoded version of the certificate.
        # -text:  Print the certificate details (non-zero exit code on failure).
        if echo "$DECODED_DATA" | openssl x509 -noout -text > /dev/null 2>&1; then
          IS_CERT="Yes"
        fi
      fi

      # If it is a certificate, print the details.
      if [ "$IS_CERT" == "Yes" ]; then
        printf "%-40s %-50s %-30s %-30s %-10s\n" "$ns" "$SECRET_NAME" "$SECRET_TYPE" "$key" "$IS_CERT"
      fi
    done
  done
done

echo "========================================================================================================================"
echo "Scan complete."
```

How the Script Works
- Fetch Namespaces: The script begins by retrieving a list of all namespaces in the cluster. You can modify the `NAMESPACES` variable to target specific namespaces or exclude certain ones to narrow the scope of the scan.
- Iterate and Fetch Secrets: It loops through each namespace and fetches all associated Secrets in JSON format.
- Process Each Secret: Using the `jq` utility, the script parses the JSON output to access the metadata (`name`, `type`) and the `data` field of each Secret.
- Decode Data Fields: For each key within the `data` map, the script extracts the base64-encoded value and decodes it.
- Initial Content Check: It performs a preliminary check to see if the decoded string contains the `-----BEGIN CERTIFICATE-----` header. This is a quick way to filter out data that is clearly not a PEM-encoded certificate.
- Certificate Parsing: If the header is found, the script pipes the decoded data to `openssl x509 -noout -text`. This command attempts to parse the data as an X.509 certificate. If the parsing is successful (exit code 0), the data is confirmed to be a certificate. Note that this confirms the data parses as a certificate; it does not check the signature chain or the expiry date, and for a PEM bundle only the first certificate is parsed.
- Formatted Output: Once a certificate is validated, the script prints its details, including the namespace, Secret name, Secret type, and data key, in a clean, tabular format.
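The same decode-and-classify logic, as an added example that is not one of the article's scripts, written in Python so it runs offline against a saved dump (`oc get secrets,configmaps -A -o json > dump.json`) instead of calling `oc` once per namespace. It goes beyond the Bash scan in three ways: it counts the certificates in a PEM bundle, flags private keys stored beside them, and applies the encoding rules that a ConfigMap scan (section 3) needs, since ConfigMap `data` is plain text while `binaryData` is base64. Everything in `SAMPLE_DUMP`, including the namespace and resource names and the `FAKE_DER` body (a minimal DER SEQUENCE, not a real certificate), is constructed for the example; the structural DER check is deliberately cheap, and `openssl x509` remains the definitive validator.

```python
# Added example for this article (not one of its scripts): an offline inventory of the
# certificate material in a saved `oc get secrets,configmaps -A -o json` dump.
import base64
import json
import re
import sys
from collections import namedtuple

# One PEM block; the captured label tells CERTIFICATE apart from "... PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# hidden: certificate material that tooling watching only kubernetes.io/tls Secrets would miss.
Finding = namedtuple("Finding", "namespace kind name type key cert_count has_private_key hidden")

def der_is_sequence(der: bytes) -> bool:
    """Cheap structural check: a DER SEQUENCE whose declared length covers exactly the rest."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                 # short-form length
        header, length = 2, first
    else:                            # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)

def classify(text: str) -> tuple:
    """Return (certificate count, private key present) for decoded text."""
    certs, has_key = 0, False
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:       # corrupt base64 inside the block
                continue
            if der_is_sequence(der):
                certs += 1
        elif label.endswith("PRIVATE KEY"):
            has_key = True
    return certs, has_key

def _b64_text(value: str) -> str:
    # Non-UTF-8 bytes (e.g. a PKCS#12 keystore) become U+FFFD rather than aborting the scan.
    try:
        return base64.b64decode(value).decode("utf-8", errors="replace")
    except ValueError:
        return ""

def decode_values(item: dict):
    """Yield (key, text): Secret.data and ConfigMap.binaryData are base64, ConfigMap.data is plain."""
    if item.get("kind") == "Secret":
        for k, v in (item.get("data") or {}).items():
            yield k, _b64_text(v)
    elif item.get("kind") == "ConfigMap":
        for k, v in (item.get("data") or {}).items():
            yield k, v
        for k, v in (item.get("binaryData") or {}).items():
            yield k, _b64_text(v)

def inventory(dump: dict) -> list:
    """Walk every item of a `-o json` List and collect keys that hold PEM material."""
    findings = []
    for item in dump.get("items", []):
        meta, kind, stype = item.get("metadata", {}), item["kind"], item.get("type", "N/A")
        for key, text in decode_values(item):
            certs, has_key = classify(text)
            if certs or has_key:
                hidden = certs > 0 and not (kind == "Secret" and stype == "kubernetes.io/tls")
                findings.append(Finding(meta.get("namespace", ""), kind, meta.get("name", ""),
                                        stype, key, certs, has_key, hidden))
    return findings

# Constructed sample dump in the shape of `oc get secrets,configmaps -A -o json`.
FAKE_DER = "MAMCAQE="   # base64 of 30 03 02 01 01: a minimal DER SEQUENCE, not a real certificate
CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
KEY_PEM = f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"
BAD_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"  # body is not a SEQUENCE
def b64(data) -> str:
    return base64.b64encode(data.encode() if isinstance(data, str) else data).decode()

SAMPLE_DUMP = {"kind": "List", "items": [
    {"kind": "Secret", "type": "kubernetes.io/tls", "metadata": {"namespace": "demo", "name": "app-tls"},
     "data": {"tls.crt": b64(CERT_PEM), "tls.key": b64(KEY_PEM)}},
    {"kind": "Secret", "type": "Opaque", "metadata": {"namespace": "demo", "name": "legacy-bundle"},
     "data": {"ca-bundle.pem": b64(CERT_PEM + CERT_PEM), "password": b64("not-a-cert")}},
    {"kind": "Secret", "type": "Opaque", "metadata": {"namespace": "demo", "name": "oddities"},
     "data": {"cert.pem": b64(BAD_PEM), "keystore.p12": b64(b"\x00\x01\x02\xff")}},
    {"kind": "ConfigMap", "metadata": {"namespace": "demo", "name": "trusted-ca"},
     "data": {"ca-bundle.crt": CERT_PEM}},
    {"kind": "ConfigMap", "metadata": {"namespace": "demo", "name": "binary-ca"},
     "binaryData": {"ca.pem": b64(CERT_PEM)}},
]}

if __name__ == "__main__":   # usage: python cert_inventory.py [dump.json]
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for f in inventory(dump):
        print(f"{f.namespace:<10}{f.kind:<10}{f.name:<15}{f.type:<20}{f.key:<15}"
              f"certs={f.cert_count} key={f.has_private_key} hidden={f.hidden}")
```

On the sample dump the `oddities` Secret produces no finding at all: its `cert.pem` carries a PEM header around a body that is not a DER SEQUENCE, and its `keystore.p12` is a binary blob, which is exactly the kind of value that made the Bash scan emit the "ignored null byte" warning. The `hidden` flag is the article's point in one field: the Opaque bundle and both ConfigMaps carry certificates that a monitor keyed on `kubernetes.io/tls` would never see.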
Sample Output
Executing the script in a live cluster will produce output similar to the following. This table provides a clear and immediate inventory of all discovered certificates.
Starting scan for the following namespaces:
assisted-installer
default
demo
kube-node-lease
kube-public
kube-system
metax-operator
openshift
openshift-apiserver
openshift-apiserver-operator
openshift-authentication
openshift-authentication-operator
openshift-catalogd
openshift-cloud-controller-manager
openshift-cloud-controller-manager-operator
openshift-cloud-credential-operator
openshift-cloud-network-config-controller
openshift-cloud-platform-infra
openshift-cluster-csi-drivers
openshift-cluster-machine-approver
openshift-cluster-node-tuning-operator
openshift-cluster-olm-operator
openshift-cluster-samples-operator
openshift-cluster-storage-operator
openshift-cluster-version
openshift-config
openshift-config-managed
openshift-config-operator
openshift-console
openshift-console-operator
openshift-console-user-settings
openshift-controller-manager
openshift-controller-manager-operator
openshift-dns
openshift-dns-operator
openshift-etcd
openshift-etcd-operator
openshift-host-network
openshift-image-registry
openshift-infra
openshift-ingress
openshift-ingress-canary
openshift-ingress-operator
openshift-insights
openshift-kni-infra
openshift-kube-apiserver
openshift-kube-apiserver-operator
openshift-kube-controller-manager
openshift-kube-controller-manager-operator
openshift-kube-scheduler
openshift-kube-scheduler-operator
openshift-kube-storage-version-migrator
openshift-kube-storage-version-migrator-operator
openshift-machine-api
openshift-machine-config-operator
openshift-marketplace
openshift-monitoring
openshift-multus
openshift-network-console
openshift-network-diagnostics
openshift-network-node-identity
openshift-network-operator
openshift-nfd
openshift-node
openshift-nutanix-infra
openshift-oauth-apiserver
openshift-openstack-infra
openshift-operator-controller
openshift-operator-lifecycle-manager
openshift-operators
openshift-ovirt-infra
openshift-ovn-kubernetes
openshift-route-controller-manager
openshift-service-ca
openshift-service-ca-operator
openshift-user-workload-monitoring
openshift-vsphere-infra
========================================================================================================================
NAMESPACE SECRET_NAME SECRET_TYPE DATA_KEY IS_CERT?
========================================================================================================================
openshift-apiserver etcd-client kubernetes.io/tls tls.crt Yes
openshift-apiserver serving-cert kubernetes.io/tls tls.crt Yes
openshift-apiserver-operator openshift-apiserver-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-authentication v4-0-config-system-router-certs Opaque apps.demo-01-rhsys.wzhlab.top Yes
openshift-authentication v4-0-config-system-serving-cert kubernetes.io/tls tls.crt Yes
openshift-authentication-operator serving-cert kubernetes.io/tls tls.crt Yes
openshift-catalogd catalogserver-cert kubernetes.io/tls tls.crt Yes
openshift-cloud-controller-manager-operator cloud-controller-manager-operator-tls kubernetes.io/tls tls.crt Yes
openshift-cloud-credential-operator cloud-credential-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-cluster-machine-approver machine-approver-tls kubernetes.io/tls tls.crt Yes
openshift-cluster-node-tuning-operator node-tuning-operator-tls kubernetes.io/tls tls.crt Yes
openshift-cluster-node-tuning-operator performance-addon-operator-webhook-cert kubernetes.io/tls tls.crt Yes
openshift-cluster-olm-operator cluster-olm-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-cluster-samples-operator samples-operator-tls kubernetes.io/tls tls.crt Yes
openshift-cluster-storage-operator cluster-storage-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-cluster-storage-operator serving-cert kubernetes.io/tls tls.crt Yes
openshift-cluster-version cluster-version-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-config etcd-client kubernetes.io/tls tls.crt Yes
openshift-config-managed etc-pki-entitlement Opaque entitlement.pem Yes
openshift-config-managed kube-controller-manager-client-cert-key kubernetes.io/tls tls.crt Yes
openshift-config-managed kube-scheduler-client-cert-key kubernetes.io/tls tls.crt Yes
openshift-config-managed router-certs Opaque apps.demo-01-rhsys.wzhlab.top Yes
openshift-config-operator config-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-console console-serving-cert kubernetes.io/tls tls.crt Yes
openshift-console-operator serving-cert kubernetes.io/tls tls.crt Yes
openshift-controller-manager serving-cert kubernetes.io/tls tls.crt Yes
openshift-controller-manager-operator openshift-controller-manager-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-dns dns-default-metrics-tls kubernetes.io/tls tls.crt Yes
openshift-dns-operator metrics-tls kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-10 Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-6 Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-6 Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-6 Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-6 Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-6 Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-6 Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-7 Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-8 Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-9 Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-client kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-metric-client kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-metric-signer kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-peer-master-01-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-peer-master-02-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-peer-master-03-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-master-01-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-master-02-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-master-03-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-metrics-master-01-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-metrics-master-02-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-metrics-master-03-demo kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-signer kubernetes.io/tls tls.crt Yes
openshift-etcd serving-cert kubernetes.io/tls tls.crt Yes
openshift-etcd-operator etcd-client kubernetes.io/tls tls.crt Yes
openshift-etcd-operator etcd-metric-client kubernetes.io/tls tls.crt Yes
openshift-etcd-operator etcd-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-image-registry image-registry-operator-tls kubernetes.io/tls tls.crt Yes
openshift-ingress router-certs-default kubernetes.io/tls tls.crt Yes
openshift-ingress router-metrics-certs-default kubernetes.io/tls tls.crt Yes
openshift-ingress-canary canary-serving-cert kubernetes.io/tls tls.crt Yes
openshift-ingress-operator metrics-tls kubernetes.io/tls tls.crt Yes
openshift-ingress-operator router-ca kubernetes.io/tls tls.crt Yes
openshift-insights openshift-insights-serving-cert kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver aggregator-client kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver check-endpoints-client-cert-key kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver control-plane-node-admin-client-cert-key kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-10 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-11 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-12 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-13 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-9 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver external-loadbalancer-serving-certkey kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver internal-loadbalancer-serving-certkey kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver kubelet-client kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-client-token kubernetes.io/service-account-token ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token kubernetes.io/service-account-token service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-10 Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-10 Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-11 Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-11 Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-12 Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-12 Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-13 Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-13 Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-9 Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-9 Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-10 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-11 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-12 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-13 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-9 kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-serving-cert-certkey kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver service-network-serving-certkey kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator aggregator-client-signer kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator kube-apiserver-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator kube-apiserver-to-kubelet-signer kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator kube-control-plane-signer kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator loadbalancer-serving-signer kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator localhost-recovery-serving-signer kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator localhost-serving-signer kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator node-system-admin-client kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator node-system-admin-signer kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator service-network-serving-signer kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager csr-signer kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager kube-controller-manager-client-cert-key kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token kubernetes.io/service-account-token ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token kubernetes.io/service-account-token service-ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-1 Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-2 Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-3 Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-4 Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-4 Opaque service-ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-5 Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-5 Opaque service-ca.crt Yes
openshift-kube-controller-manager serving-cert kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-1 kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-2 kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-3 kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-4 kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-5 kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager-operator csr-signer kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager-operator csr-signer-signer kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager-operator kube-controller-manager-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler kube-scheduler-client-cert-key kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler localhost-recovery-client-token kubernetes.io/service-account-token ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token kubernetes.io/service-account-token service-ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-1 Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-2 Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-3 Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-4 Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-4 Opaque service-ca.crt Yes
openshift-kube-scheduler serving-cert kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-1 kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-2 kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-3 kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-4 kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler-operator kube-scheduler-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-kube-storage-version-migrator-operator serving-cert kubernetes.io/tls tls.crt Yes
openshift-machine-api baremetal-operator-webhook-server-cert kubernetes.io/tls tls.crt Yes
openshift-machine-api cluster-autoscaler-operator-cert kubernetes.io/tls tls.crt Yes
openshift-machine-api cluster-baremetal-operator-tls kubernetes.io/tls tls.crt Yes
openshift-machine-api cluster-baremetal-webhook-server-cert kubernetes.io/tls tls.crt Yes
openshift-machine-api control-plane-machine-set-operator-tls kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-controllers-tls kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-operator-machine-webhook-cert kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-operator-tls kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-operator-webhook-cert kubernetes.io/tls tls.crt Yes
openshift-machine-api metal3-ironic-tls Opaque tls.crt Yes
openshift-machine-config-operator machine-config-server-tls Opaque tls.crt Yes
openshift-machine-config-operator mcc-proxy-tls kubernetes.io/tls tls.crt Yes
openshift-machine-config-operator mco-proxy-tls kubernetes.io/tls tls.crt Yes
openshift-machine-config-operator node-bootstrapper-token kubernetes.io/service-account-token ca.crt Yes
openshift-machine-config-operator node-bootstrapper-token kubernetes.io/service-account-token service-ca.crt Yes
openshift-machine-config-operator proxy-tls kubernetes.io/tls tls.crt Yes
openshift-marketplace marketplace-operator-metrics kubernetes.io/tls tls.crt Yes
-bash: warning: command substitution: ignored null byte in input
openshift-monitoring alertmanager-main-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring cluster-monitoring-operator-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring federate-client-certs Opaque tls.crt Yes
openshift-monitoring grpc-tls Opaque ca.crt Yes
openshift-monitoring grpc-tls Opaque prometheus-server.crt Yes
openshift-monitoring grpc-tls Opaque thanos-querier-client.crt Yes
openshift-monitoring kube-state-metrics-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring metrics-client-certs Opaque tls.crt Yes
openshift-monitoring metrics-server-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring metrics-server-v5ipfl6pkh1c Opaque client-ca-file Yes
openshift-monitoring metrics-server-v5ipfl6pkh1c Opaque requestheader-client-ca-file Yes
openshift-monitoring metrics-server-v5ipfl6pkh1c Opaque tls.crt Yes
openshift-monitoring monitoring-plugin-cert kubernetes.io/tls tls.crt Yes
openshift-monitoring node-exporter-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring openshift-state-metrics-tls kubernetes.io/tls tls.crt Yes
-bash: warning: command substitution: ignored null byte in input
openshift-monitoring prometheus-k8s-grpc-tls-ai1pjcpq5svdd Opaque ca.crt Yes
openshift-monitoring prometheus-k8s-grpc-tls-ai1pjcpq5svdd Opaque server.crt Yes
openshift-monitoring prometheus-k8s-thanos-sidecar-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring prometheus-k8s-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring prometheus-k8s-tls-assets-0 Opaque 0_openshift-etcd-operator_etcd-metric-client_tls.crt Yes
openshift-monitoring prometheus-k8s-tls-assets-0 Opaque 1_openshift-etcd-operator_etcd-metric-serving-ca_ca-bundle.crt Yes
openshift-monitoring prometheus-operator-admission-webhook-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring prometheus-operator-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring telemeter-client-tls kubernetes.io/tls tls.crt Yes
openshift-monitoring thanos-querier-grpc-tls-2lj4ol37s9vin Opaque ca.crt Yes
openshift-monitoring thanos-querier-grpc-tls-2lj4ol37s9vin Opaque client.crt Yes
openshift-monitoring thanos-querier-tls kubernetes.io/tls tls.crt Yes
openshift-multus metrics-daemon-secret kubernetes.io/tls tls.crt Yes
openshift-multus multus-admission-controller-secret kubernetes.io/tls tls.crt Yes
openshift-network-console networking-console-plugin-cert kubernetes.io/tls tls.crt Yes
openshift-network-node-identity network-node-identity-ca kubernetes.io/tls tls.crt Yes
openshift-network-node-identity network-node-identity-cert kubernetes.io/tls tls.crt Yes
openshift-network-operator metrics-tls kubernetes.io/tls tls.crt Yes
openshift-nfd node-feature-discovery-operator-tls kubernetes.io/tls tls.crt Yes
openshift-oauth-apiserver etcd-client kubernetes.io/tls tls.crt Yes
openshift-oauth-apiserver openshift-authenticator-certs Opaque tls.crt Yes
openshift-oauth-apiserver serving-cert kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager catalog-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager olm-operator-serving-cert kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager package-server-manager-serving-cert kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager packageserver-service-cert kubernetes.io/tls olmCAKey Yes
openshift-operator-lifecycle-manager packageserver-service-cert kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager pprof-cert kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes ovn-ca kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes ovn-cert kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes ovn-control-plane-metrics-cert kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes ovn-node-metrics-cert kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes signer-ca kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes signer-cert kubernetes.io/tls tls.crt Yes
openshift-route-controller-manager serving-cert kubernetes.io/tls tls.crt Yes
openshift-service-ca signing-key kubernetes.io/tls tls.crt Yes
openshift-service-ca-operator serving-cert kubernetes.io/tls tls.crt Yes
========================================================================================================================
Scan complete.

3. Comprehensive Discovery: Scanning Both Secrets and ConfigMaps
While Secrets are the primary resource for sensitive data, it is also a common practice to store public certificates and certificate authority (CA) bundles in ConfigMaps. These are often used to distribute trust anchors to applications within the cluster. To ensure a complete audit, it is essential to extend our search to include ConfigMaps. The following enhanced script scans both resource types, providing a unified view of all certificates in the cluster.
#!/bin/bash
# ==============================================================================
# Script Function: Iterate through all Secrets and ConfigMaps in all namespaces
# of an OpenShift cluster, decode their data, and identify any
# valid X.509 certificates or private keys.
# ==============================================================================
set -eo pipefail

# Get a list of all namespaces (listing namespaces is a cluster-scoped read, so the
# account running this needs cluster-wide permission to list namespaces, Secrets and ConfigMaps).
NAMESPACES=$(oc get ns -o jsonpath='{.items[*].metadata.name}' | xargs -n1)

echo "Starting scan for the following namespaces: "
echo "$NAMESPACES"
echo "==========================================================================================================================================="
printf "%-40s %-50s %-15s %-30s %-30s %-10s\n" "NAMESPACE" "RESOURCE_NAME" "RESOURCE_KIND" "RESOURCE_TYPE" "DATA_KEY" "IS_CERT?"
echo "==========================================================================================================================================="

# Process every resource of one kind ("secret" or "configmap") in one namespace.
process_resources() {
    local ns="$1"
    local resource_kind="$2"   # "secret" or "configmap"

    # Fetch all resources of the given kind in the namespace as a single JSON document.
    local resources_json
    resources_json=$(oc get "$resource_kind" -n "$ns" -o json)

    # Emit one compact JSON object per resource. Both kinds keep their payload under .data;
    # ConfigMaps have no .type, so it comes out as null there.
    echo "$resources_json" | jq -c --arg kind "$resource_kind" \
        '.items[] | {name: .metadata.name, type: .type, kind: $kind, data: .data}' |
    while read -r resource_line; do
        RESOURCE_NAME=$(echo "$resource_line" | jq -r '.name')
        # ConfigMaps carry no .type, so fall back to a placeholder.
        RESOURCE_TYPE=$(echo "$resource_line" | jq -r '.type // "N/A"')

        # Skip resources without a .data field (for example an empty Secret).
        if ! echo "$resource_line" | jq -e '.data' > /dev/null; then
            continue
        fi

        # Iterate over every key under .data.
        echo "$resource_line" | jq -r '.data | keys[]' | while read -r key; do
            RAW_DATA=$(echo "$resource_line" | jq -r --arg k "$key" '.data[$k]')
            DECODED_DATA=""

            # Secret values are base64-encoded; ConfigMap values are plain text.
            # The "|| true" keeps a single undecodable value from aborting the whole
            # scan, which "set -e" would otherwise do.
            if [ "$resource_kind" == "secret" ]; then
                DECODED_DATA=$(echo "$RAW_DATA" | base64 -d 2>/dev/null) || true
            else
                DECODED_DATA="$RAW_DATA"
            fi

            IS_CERT="No"
            # Cheap check for PEM armor first, then let openssl confirm that the
            # (first) PEM block really parses as an X.509 certificate.
            if [[ "$DECODED_DATA" == *"-----BEGIN CERTIFICATE-----"* ]]; then
                if echo "$DECODED_DATA" | openssl x509 -noout -text > /dev/null 2>&1; then
                    IS_CERT="Yes"
                fi
            fi

            # Only certificate-bearing keys are reported.
            if [ "$IS_CERT" == "Yes" ]; then
                printf "%-40s %-50s %-15s %-30s %-30s %-10s\n" "$ns" "$RESOURCE_NAME" "$resource_kind" "$RESOURCE_TYPE" "$key" "$IS_CERT"
            fi
        done
    done
}

# Iterate through each namespace, scanning Secrets first and then ConfigMaps.
for ns in $NAMESPACES; do
    process_resources "$ns" "secret"
    process_resources "$ns" "configmap"
done

echo "==========================================================================================================================================="
echo "Scan complete."
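The scan above answers only one question per key: does the value contain something openssl accepts as a certificate? Two things a practitioner wants are missing. First, openssl x509 reads only the first PEM block, so a ca-bundle.crt holding several CAs is validated by its first entry alone and the expiry of the others is never seen. Second, nothing about expiry is printed, although unexpected expiration is the risk the page sets out to prevent. The following helper is an added example, not part of the original script; it assumes openssl on PATH and, for scan_secret_certs, a logged-in oc with read access to the Secret. The function names cert_report, _report_one and scan_secret_certs are ours. It splits a bundle into individual certificates, reports subject and notAfter for each, flags anything already expired or expiring within a configurable window, and, when a Secret value carries no PEM armor, tries it as DER before giving up, a case the string check in the page's script silently skips.

```shell
#!/bin/bash
# Added example, not the original page's code. Assumes: openssl on PATH; for
# scan_secret_certs, a logged-in `oc`. Function names below are ours.

# _report_one <index> <pem> <warn_days>
# Prints "<index> <STATUS> <notAfter> <subject>" for one PEM certificate.
# Exit status: 0 = OK, 1 = EXPIRED or EXPIRING within warn_days, 2 = not parseable.
_report_one() {
    local idx="$1" pem="$2" warn_days="$3" subject enddate status r
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { printf '%s PARSE_ERROR\n' "$idx"; return 2; }
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null)
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
            status=OK; r=0
        else
            status=EXPIRING; r=1
        fi
    else
        status=EXPIRED; r=1
    fi
    printf '%s %s %s %s\n' "$idx" "$status" "${enddate#notAfter=}" "${subject#subject=}"
    return "$r"
}

# cert_report <warn_days>
# Reads PEM text (possibly a bundle of several certificates) from stdin and reports
# every certificate, not only the first one that a bare `openssl x509` would read.
# Exit status is the worst status seen across all certificates.
cert_report() {
    local warn_days="${1:-30}" rc=0 idx=0 block="" line r nl
    nl='
'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"-----BEGIN CERTIFICATE-----"*)
                block="$line" ;;
            *"-----END CERTIFICATE-----"*)
                block="$block$nl$line"
                idx=$((idx + 1))
                r=0
                _report_one "$idx" "$block" "$warn_days" || r=$?
                [ "$r" -gt "$rc" ] && rc=$r
                block="" ;;
            *)
                # Inside a block, accumulate; text outside any block is ignored.
                [ -n "$block" ] && block="$block$nl$line" ;;
        esac
    done
    return "$rc"
}

# scan_secret_certs <namespace> <secret> [warn_days]
# Applies cert_report to every key of one Secret, whatever its type. A value without
# PEM armor is tried as DER, which a PEM-only string check would miss.
scan_secret_certs() {
    local ns="$1" name="$2" warn_days="${3:-30}" key raw pem
    oc get secret "$name" -n "$ns" -o json |
        jq -r '.data // {} | to_entries[] | "\(.key) \(.value)"' |
    while read -r key raw; do
        # Decode once (NULs stripped) just to look for PEM armor; a DER value is
        # re-decoded in a pipe below because a shell variable cannot hold NUL bytes.
        pem=$(printf '%s' "$raw" | base64 -d 2>/dev/null | tr -d '\0') || continue
        case "$pem" in
            *"-----BEGIN CERTIFICATE-----"*) ;;
            *) pem=$(printf '%s' "$raw" | base64 -d 2>/dev/null |
                     openssl x509 -inform DER -outform PEM 2>/dev/null) || continue ;;
        esac
        echo "== $ns/$name key=$key"
        printf '%s\n' "$pem" | cert_report "$warn_days" || true
    done
}

# Usage (needs cluster access), e.g. the Opaque router-certs Secret from the sample output:
#   scan_secret_certs openshift-config-managed router-certs 30
# Or against a local bundle file:
#   cert_report 30 < /path/to/ca-bundle.pem
```

The exit status makes the helper usable from a cron job or CI check: 0 means every certificate in the input outlives the window, 1 means at least one is expired or expiring, 2 means a PEM block did not parse and deserves a look of its own. Keys such as tls.key or service-account tokens never reach openssl, because only text between BEGIN/END CERTIFICATE markers is collected.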
Sample Output
Here is an example of the output generated by the script when run on a demo cluster.
Starting scan for the following namespaces:
assisted-installer
default
demo
dify
kube-node-lease
kube-public
kube-system
metax-operator
openshift
openshift-apiserver
openshift-apiserver-operator
openshift-authentication
openshift-authentication-operator
openshift-catalogd
openshift-cloud-controller-manager
openshift-cloud-controller-manager-operator
openshift-cloud-credential-operator
openshift-cloud-network-config-controller
openshift-cloud-platform-infra
openshift-cluster-csi-drivers
openshift-cluster-machine-approver
openshift-cluster-node-tuning-operator
openshift-cluster-olm-operator
openshift-cluster-samples-operator
openshift-cluster-storage-operator
openshift-cluster-version
openshift-cnv
openshift-config
openshift-config-managed
openshift-config-operator
openshift-console
openshift-console-operator
openshift-console-user-settings
openshift-controller-manager
openshift-controller-manager-operator
openshift-dns
openshift-dns-operator
openshift-etcd
openshift-etcd-operator
openshift-host-network
openshift-image-registry
openshift-infra
openshift-ingress
openshift-ingress-canary
openshift-ingress-operator
openshift-insights
openshift-kni-infra
openshift-kube-apiserver
openshift-kube-apiserver-operator
openshift-kube-controller-manager
openshift-kube-controller-manager-operator
openshift-kube-scheduler
openshift-kube-scheduler-operator
openshift-kube-storage-version-migrator
openshift-kube-storage-version-migrator-operator
openshift-machine-api
openshift-machine-config-operator
openshift-marketplace
openshift-monitoring
openshift-multus
openshift-network-console
openshift-network-diagnostics
openshift-network-node-identity
openshift-network-operator
openshift-nfd
openshift-node
openshift-nutanix-infra
openshift-oauth-apiserver
openshift-openstack-infra
openshift-operator-controller
openshift-operator-lifecycle-manager
openshift-operators
openshift-ovirt-infra
openshift-ovn-kubernetes
openshift-route-controller-manager
openshift-service-ca
openshift-service-ca-operator
openshift-user-workload-monitoring
openshift-virtualization-os-images
openshift-vsphere-infra
===========================================================================================================================================
NAMESPACE RESOURCE_NAME RESOURCE_KIND RESOURCE_TYPE DATA_KEY IS_CERT?
===========================================================================================================================================
assisted-installer kube-root-ca.crt configmap N/A ca.crt Yes
assisted-installer openshift-service-ca.crt configmap N/A service-ca.crt Yes
default kube-root-ca.crt configmap N/A ca.crt Yes
default openshift-service-ca.crt configmap N/A service-ca.crt Yes
demo kube-root-ca.crt configmap N/A ca.crt Yes
demo openshift-service-ca.crt configmap N/A service-ca.crt Yes
dify kube-root-ca.crt configmap N/A ca.crt Yes
dify openshift-service-ca.crt configmap N/A service-ca.crt Yes
kube-node-lease kube-root-ca.crt configmap N/A ca.crt Yes
kube-node-lease openshift-service-ca.crt configmap N/A service-ca.crt Yes
kube-public kube-root-ca.crt configmap N/A ca.crt Yes
kube-public openshift-service-ca.crt configmap N/A service-ca.crt Yes
kube-system extension-apiserver-authentication configmap N/A client-ca-file Yes
kube-system extension-apiserver-authentication configmap N/A requestheader-client-ca-file Yes
kube-system kube-root-ca.crt configmap N/A ca.crt Yes
kube-system openshift-service-ca.crt configmap N/A service-ca.crt Yes
kube-system root-ca configmap N/A ca.crt Yes
metax-operator kube-root-ca.crt configmap N/A ca.crt Yes
metax-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift kube-root-ca.crt configmap N/A ca.crt Yes
openshift openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-apiserver etcd-client secret kubernetes.io/tls tls.crt Yes
openshift-apiserver serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-apiserver etcd-serving-ca configmap N/A ca-bundle.crt Yes
openshift-apiserver kube-root-ca.crt configmap N/A ca.crt Yes
openshift-apiserver openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-apiserver-operator openshift-apiserver-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-apiserver-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-apiserver-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-authentication v4-0-config-system-router-certs secret Opaque apps.demo-01-rhsys.wzhlab.top Yes
openshift-authentication v4-0-config-system-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-authentication kube-root-ca.crt configmap N/A ca.crt Yes
openshift-authentication openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-authentication v4-0-config-system-service-ca configmap N/A service-ca.crt Yes
openshift-authentication-operator serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-authentication-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-authentication-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-authentication-operator service-ca-bundle configmap N/A service-ca.crt Yes
openshift-catalogd catalogserver-cert secret kubernetes.io/tls tls.crt Yes
openshift-catalogd kube-root-ca.crt configmap N/A ca.crt Yes
openshift-catalogd openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cloud-controller-manager kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cloud-controller-manager openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cloud-controller-manager-operator cloud-controller-manager-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-cloud-controller-manager-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cloud-controller-manager-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cloud-credential-operator cloud-credential-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-cloud-credential-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cloud-credential-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cloud-network-config-controller kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cloud-network-config-controller openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cloud-platform-infra kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cloud-platform-infra openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cluster-csi-drivers kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cluster-csi-drivers openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cluster-machine-approver machine-approver-tls secret kubernetes.io/tls tls.crt Yes
openshift-cluster-machine-approver kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cluster-machine-approver openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cluster-node-tuning-operator node-tuning-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-cluster-node-tuning-operator performance-addon-operator-webhook-cert secret kubernetes.io/tls tls.crt Yes
openshift-cluster-node-tuning-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cluster-node-tuning-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cluster-olm-operator cluster-olm-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-cluster-olm-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cluster-olm-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cluster-samples-operator samples-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-cluster-samples-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cluster-samples-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cluster-storage-operator cluster-storage-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-cluster-storage-operator serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-cluster-storage-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cluster-storage-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cluster-version cluster-version-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-cluster-version kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cluster-version openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-cnv cdi-apiserver-server-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv cdi-apiserver-signer secret kubernetes.io/tls tls.crt Yes
openshift-cnv cdi-uploadproxy-server-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv cdi-uploadproxy-signer secret kubernetes.io/tls tls.crt Yes
openshift-cnv cdi-uploadserver-client-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv cdi-uploadserver-client-signer secret kubernetes.io/tls tls.crt Yes
openshift-cnv cdi-uploadserver-signer secret kubernetes.io/tls tls.crt Yes
openshift-cnv console-proxy-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv hco-webhook-service-cert secret kubernetes.io/tls olmCAKey Yes
openshift-cnv hco-webhook-service-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv hostpath-provisioner-operator-service-cert secret kubernetes.io/tls olmCAKey Yes
openshift-cnv hostpath-provisioner-operator-service-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubemacpool-mutator-ca secret Opaque ca.crt Yes
openshift-cnv kubemacpool-service secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-ca secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-controller-certs secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-export-ca secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-exportproxy-certs secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-ipam-controller-webhook-service secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-operator-certs secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-virt-api-certs secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-virt-handler-certs secret kubernetes.io/tls tls.crt Yes
openshift-cnv kubevirt-virt-handler-server-certs secret kubernetes.io/tls tls.crt Yes
openshift-cnv plugin-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv ssp-operator-service-cert secret kubernetes.io/tls olmCAKey Yes
openshift-cnv ssp-operator-service-cert secret kubernetes.io/tls tls.crt Yes
openshift-cnv virt-template-validator-certs secret kubernetes.io/tls tls.crt Yes
openshift-cnv cdi-apiserver-signer-bundle configmap N/A ca-bundle.crt Yes
openshift-cnv cdi-uploadproxy-signer-bundle configmap N/A ca-bundle.crt Yes
openshift-cnv cdi-uploadserver-client-signer-bundle configmap N/A ca-bundle.crt Yes
openshift-cnv cdi-uploadserver-signer-bundle configmap N/A ca-bundle.crt Yes
openshift-cnv kube-root-ca.crt configmap N/A ca.crt Yes
openshift-cnv kubevirt-ca configmap N/A ca-bundle Yes
openshift-cnv kubevirt-export-ca configmap N/A ca-bundle Yes
openshift-cnv openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-config etcd-client secret kubernetes.io/tls tls.crt Yes
openshift-config admin-kubeconfig-client-ca configmap N/A ca-bundle.crt Yes
openshift-config etcd-ca-bundle configmap N/A ca-bundle.crt Yes
openshift-config etcd-serving-ca configmap N/A ca-bundle.crt Yes
openshift-config initial-kube-apiserver-server-ca configmap N/A ca-bundle.crt Yes
openshift-config kube-root-ca.crt configmap N/A ca.crt Yes
openshift-config openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-config user-ca-bundle configmap N/A ca-bundle.crt Yes
openshift-config-managed etc-pki-entitlement secret Opaque entitlement.pem Yes
openshift-config-managed kube-controller-manager-client-cert-key secret kubernetes.io/tls tls.crt Yes
openshift-config-managed kube-scheduler-client-cert-key secret kubernetes.io/tls tls.crt Yes
openshift-config-managed router-certs secret Opaque apps.demo-01-rhsys.wzhlab.top Yes
openshift-config-managed csr-controller-ca configmap N/A ca-bundle.crt Yes
openshift-config-managed default-ingress-cert configmap N/A ca-bundle.crt Yes
openshift-config-managed kube-apiserver-aggregator-client-ca configmap N/A ca-bundle.crt Yes
openshift-config-managed kube-apiserver-client-ca configmap N/A ca-bundle.crt Yes
openshift-config-managed kube-apiserver-server-ca configmap N/A ca-bundle.crt Yes
openshift-config-managed kube-root-ca.crt configmap N/A ca.crt Yes
openshift-config-managed kubelet-bootstrap-kubeconfig configmap N/A ca-bundle.crt Yes
openshift-config-managed kubelet-serving-ca configmap N/A ca-bundle.crt Yes
openshift-config-managed oauth-serving-cert configmap N/A ca-bundle.crt Yes
openshift-config-managed openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-config-managed service-ca configmap N/A ca-bundle.crt Yes
openshift-config-operator config-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-config-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-config-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-console console-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-console default-ingress-cert configmap N/A ca-bundle.crt Yes
openshift-console kube-root-ca.crt configmap N/A ca.crt Yes
openshift-console oauth-serving-cert configmap N/A ca-bundle.crt Yes
openshift-console openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-console service-ca configmap N/A service-ca.crt Yes
openshift-console-operator serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-console-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-console-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-console-user-settings kube-root-ca.crt configmap N/A ca.crt Yes
openshift-console-user-settings openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-controller-manager serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-controller-manager client-ca configmap N/A ca-bundle.crt Yes
openshift-controller-manager kube-root-ca.crt configmap N/A ca.crt Yes
openshift-controller-manager openshift-service-ca configmap N/A service-ca.crt Yes
openshift-controller-manager openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-controller-manager-operator openshift-controller-manager-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-controller-manager-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-controller-manager-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-dns dns-default-metrics-tls secret kubernetes.io/tls tls.crt Yes
openshift-dns kube-root-ca.crt configmap N/A ca.crt Yes
openshift-dns openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-dns-operator metrics-tls secret kubernetes.io/tls tls.crt Yes
openshift-dns-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-dns-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs secret Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-10 secret Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-6 secret Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-6 secret Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-6 secret Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-6 secret Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-6 secret Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-6 secret Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-7 secret Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-8 secret Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-peer-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-peer-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-peer-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-serving-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-serving-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-serving-master-03-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-serving-metrics-master-01-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-serving-metrics-master-02-demo.crt Yes
openshift-etcd etcd-all-certs-9 secret Opaque etcd-serving-metrics-master-03-demo.crt Yes
openshift-etcd etcd-client secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-metric-client secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-metric-signer secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-peer-master-01-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-peer-master-02-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-peer-master-03-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-master-01-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-master-02-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-master-03-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-metrics-master-01-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-metrics-master-02-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-serving-metrics-master-03-demo secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-signer secret kubernetes.io/tls tls.crt Yes
openshift-etcd serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-etcd etcd-all-bundles configmap N/A metrics-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles configmap N/A server-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-10 configmap N/A metrics-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-10 configmap N/A server-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-6 configmap N/A metrics-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-6 configmap N/A server-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-7 configmap N/A metrics-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-7 configmap N/A server-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-8 configmap N/A metrics-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-8 configmap N/A server-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-9 configmap N/A metrics-ca-bundle.crt Yes
openshift-etcd etcd-all-bundles-9 configmap N/A server-ca-bundle.crt Yes
openshift-etcd etcd-ca-bundle configmap N/A ca-bundle.crt Yes
openshift-etcd etcd-metrics-ca-bundle configmap N/A ca-bundle.crt Yes
openshift-etcd kube-root-ca.crt configmap N/A ca.crt Yes
openshift-etcd openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-etcd-operator etcd-client secret kubernetes.io/tls tls.crt Yes
openshift-etcd-operator etcd-metric-client secret kubernetes.io/tls tls.crt Yes
openshift-etcd-operator etcd-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-etcd-operator etcd-ca-bundle configmap N/A ca-bundle.crt Yes
openshift-etcd-operator etcd-metric-serving-ca configmap N/A ca-bundle.crt Yes
openshift-etcd-operator etcd-service-ca-bundle configmap N/A service-ca.crt Yes
openshift-etcd-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-etcd-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-host-network kube-root-ca.crt configmap N/A ca.crt Yes
openshift-host-network openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-image-registry image-registry-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-image-registry kube-root-ca.crt configmap N/A ca.crt Yes
openshift-image-registry openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-image-registry serviceca configmap N/A service-ca.crt Yes
openshift-infra kube-root-ca.crt configmap N/A ca.crt Yes
openshift-infra openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-ingress router-certs-default secret kubernetes.io/tls tls.crt Yes
openshift-ingress router-metrics-certs-default secret kubernetes.io/tls tls.crt Yes
openshift-ingress kube-root-ca.crt configmap N/A ca.crt Yes
openshift-ingress openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-ingress service-ca-bundle configmap N/A service-ca.crt Yes
openshift-ingress-canary canary-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-ingress-canary kube-root-ca.crt configmap N/A ca.crt Yes
openshift-ingress-canary openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-ingress-operator metrics-tls secret kubernetes.io/tls tls.crt Yes
openshift-ingress-operator router-ca secret kubernetes.io/tls tls.crt Yes
openshift-ingress-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-ingress-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-insights openshift-insights-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-insights kube-root-ca.crt configmap N/A ca.crt Yes
openshift-insights openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-insights service-ca-bundle configmap N/A service-ca.crt Yes
openshift-kni-infra kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kni-infra openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-apiserver aggregator-client secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver check-endpoints-client-cert-key secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver control-plane-node-admin-client-cert-key secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-10 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-11 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-12 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-13 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver etcd-client-14 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver external-loadbalancer-serving-certkey secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver internal-loadbalancer-serving-certkey secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver kubelet-client secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-client-token secret kubernetes.io/service-account-token ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token secret kubernetes.io/service-account-token service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-10 secret Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-10 secret Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-11 secret Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-11 secret Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-12 secret Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-12 secret Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-13 secret Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-13 secret Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-14 secret Opaque ca.crt Yes
openshift-kube-apiserver localhost-recovery-client-token-14 secret Opaque service-ca.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-10 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-11 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-12 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-13 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-recovery-serving-certkey-14 secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver localhost-serving-cert-certkey secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver service-network-serving-certkey secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver aggregator-client-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver client-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver etcd-serving-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver etcd-serving-ca-10 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver etcd-serving-ca-11 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver etcd-serving-ca-12 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver etcd-serving-ca-13 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver etcd-serving-ca-14 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kube-apiserver-server-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kube-apiserver-server-ca-10 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kube-apiserver-server-ca-11 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kube-apiserver-server-ca-12 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kube-apiserver-server-ca-13 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kube-apiserver-server-ca-14 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-apiserver kubelet-serving-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kubelet-serving-ca-10 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kubelet-serving-ca-11 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kubelet-serving-ca-12 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kubelet-serving-ca-13 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver kubelet-serving-ca-14 configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-apiserver-operator aggregator-client-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator kube-apiserver-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator kube-apiserver-to-kubelet-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator kube-control-plane-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator loadbalancer-serving-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator localhost-recovery-serving-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator localhost-serving-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator node-system-admin-client secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator node-system-admin-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator service-network-serving-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-apiserver-operator kube-apiserver-to-kubelet-client-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver-operator kube-control-plane-signer-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-apiserver-operator loadbalancer-serving-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver-operator localhost-recovery-serving-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver-operator localhost-serving-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver-operator node-system-admin-ca configmap N/A ca-bundle.crt Yes
openshift-kube-apiserver-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-apiserver-operator service-network-serving-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager csr-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager kube-controller-manager-client-cert-key secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token secret kubernetes.io/service-account-token ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token secret kubernetes.io/service-account-token service-ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-1 secret Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-2 secret Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-3 secret Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-4 secret Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-4 secret Opaque service-ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-5 secret Opaque ca.crt Yes
openshift-kube-controller-manager localhost-recovery-client-token-5 secret Opaque service-ca.crt Yes
openshift-kube-controller-manager serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-1 secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-2 secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-3 secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-4 secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager serving-cert-5 secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager aggregator-client-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager client-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-controller-manager openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-controller-manager service-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager service-ca-1 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager service-ca-2 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager service-ca-3 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager service-ca-4 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager service-ca-5 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager serviceaccount-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager serviceaccount-ca-2 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager serviceaccount-ca-3 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager serviceaccount-ca-4 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager serviceaccount-ca-5 configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager-operator csr-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager-operator csr-signer-signer secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager-operator kube-controller-manager-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-kube-controller-manager-operator csr-controller-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager-operator csr-controller-signer-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager-operator csr-signer-ca configmap N/A ca-bundle.crt Yes
openshift-kube-controller-manager-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-controller-manager-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-scheduler kube-scheduler-client-cert-key secret kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler localhost-recovery-client-token secret kubernetes.io/service-account-token ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token secret kubernetes.io/service-account-token service-ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-1 secret Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-2 secret Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-3 secret Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-4 secret Opaque ca.crt Yes
openshift-kube-scheduler localhost-recovery-client-token-4 secret Opaque service-ca.crt Yes
openshift-kube-scheduler serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-1 secret kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-2 secret kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-3 secret kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler serving-cert-4 secret kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-scheduler openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-scheduler serviceaccount-ca configmap N/A ca-bundle.crt Yes
openshift-kube-scheduler serviceaccount-ca-2 configmap N/A ca-bundle.crt Yes
openshift-kube-scheduler serviceaccount-ca-3 configmap N/A ca-bundle.crt Yes
openshift-kube-scheduler serviceaccount-ca-4 configmap N/A ca-bundle.crt Yes
openshift-kube-scheduler-operator kube-scheduler-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-kube-scheduler-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-scheduler-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-storage-version-migrator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-storage-version-migrator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-kube-storage-version-migrator-operator serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-kube-storage-version-migrator-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-kube-storage-version-migrator-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-machine-api baremetal-operator-webhook-server-cert secret kubernetes.io/tls tls.crt Yes
openshift-machine-api cluster-autoscaler-operator-cert secret kubernetes.io/tls tls.crt Yes
openshift-machine-api cluster-baremetal-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-api cluster-baremetal-webhook-server-cert secret kubernetes.io/tls tls.crt Yes
openshift-machine-api control-plane-machine-set-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-controllers-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-operator-machine-webhook-cert secret kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-api machine-api-operator-webhook-cert secret kubernetes.io/tls tls.crt Yes
openshift-machine-api metal3-ironic-tls secret Opaque tls.crt Yes
openshift-machine-api kube-root-ca.crt configmap N/A ca.crt Yes
openshift-machine-api openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-machine-config-operator machine-config-server-tls secret Opaque tls.crt Yes
openshift-machine-config-operator mcc-proxy-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-config-operator mco-proxy-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-config-operator node-bootstrapper-token secret kubernetes.io/service-account-token ca.crt Yes
openshift-machine-config-operator node-bootstrapper-token secret kubernetes.io/service-account-token service-ca.crt Yes
openshift-machine-config-operator proxy-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-config-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-machine-config-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-marketplace marketplace-operator-metrics secret kubernetes.io/tls tls.crt Yes
openshift-marketplace kube-root-ca.crt configmap N/A ca.crt Yes
openshift-marketplace openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-monitoring alertmanager-main-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring cluster-monitoring-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring federate-client-certs secret Opaque tls.crt Yes
openshift-monitoring grpc-tls secret Opaque ca.crt Yes
openshift-monitoring grpc-tls secret Opaque prometheus-server.crt Yes
openshift-monitoring grpc-tls secret Opaque thanos-querier-client.crt Yes
openshift-monitoring kube-state-metrics-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring metrics-client-certs secret Opaque tls.crt Yes
openshift-monitoring metrics-server-27h06ve19b34m secret Opaque client-ca-file Yes
openshift-monitoring metrics-server-27h06ve19b34m secret Opaque requestheader-client-ca-file Yes
openshift-monitoring metrics-server-27h06ve19b34m secret Opaque tls.crt Yes
openshift-monitoring metrics-server-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring monitoring-plugin-cert secret kubernetes.io/tls tls.crt Yes
openshift-monitoring node-exporter-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring openshift-state-metrics-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring prometheus-k8s-grpc-tls-ai1pjcpq5svdd secret Opaque ca.crt Yes
openshift-monitoring prometheus-k8s-grpc-tls-ai1pjcpq5svdd secret Opaque server.crt Yes
openshift-monitoring prometheus-k8s-thanos-sidecar-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring prometheus-k8s-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring prometheus-k8s-tls-assets-0 secret Opaque 0_openshift-etcd-operator_etcd-metric-client_tls.crt Yes
openshift-monitoring prometheus-k8s-tls-assets-0 secret Opaque 1_openshift-etcd-operator_etcd-metric-serving-ca_ca-bundle.crt Yes
openshift-monitoring prometheus-operator-admission-webhook-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring prometheus-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring telemeter-client-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring thanos-querier-grpc-tls-2lj4ol37s9vin secret Opaque ca.crt Yes
openshift-monitoring thanos-querier-grpc-tls-2lj4ol37s9vin secret Opaque client.crt Yes
openshift-monitoring thanos-querier-tls secret kubernetes.io/tls tls.crt Yes
openshift-monitoring kube-root-ca.crt configmap N/A ca.crt Yes
openshift-monitoring kubelet-serving-ca-bundle configmap N/A ca-bundle.crt Yes
openshift-monitoring metrics-client-ca configmap N/A client-ca.crt Yes
openshift-monitoring openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-monitoring serving-certs-ca-bundle configmap N/A service-ca.crt Yes
openshift-monitoring telemeter-client-serving-certs-ca-bundle configmap N/A service-ca.crt Yes
openshift-multus metrics-daemon-secret secret kubernetes.io/tls tls.crt Yes
openshift-multus multus-admission-controller-secret secret kubernetes.io/tls tls.crt Yes
openshift-multus kube-root-ca.crt configmap N/A ca.crt Yes
openshift-multus openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-network-console networking-console-plugin-cert secret kubernetes.io/tls tls.crt Yes
openshift-network-console kube-root-ca.crt configmap N/A ca.crt Yes
openshift-network-console openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-network-diagnostics kube-root-ca.crt configmap N/A ca.crt Yes
openshift-network-diagnostics openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-network-node-identity network-node-identity-ca secret kubernetes.io/tls tls.crt Yes
openshift-network-node-identity network-node-identity-cert secret kubernetes.io/tls tls.crt Yes
openshift-network-node-identity kube-root-ca.crt configmap N/A ca.crt Yes
openshift-network-node-identity network-node-identity-ca configmap N/A ca-bundle.crt Yes
openshift-network-node-identity openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-network-operator metrics-tls secret kubernetes.io/tls tls.crt Yes
openshift-network-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-network-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-nfd node-feature-discovery-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-nfd kube-root-ca.crt configmap N/A ca.crt Yes
openshift-nfd openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-node kube-root-ca.crt configmap N/A ca.crt Yes
openshift-node openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-nutanix-infra kube-root-ca.crt configmap N/A ca.crt Yes
openshift-nutanix-infra openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-oauth-apiserver etcd-client secret kubernetes.io/tls tls.crt Yes
openshift-oauth-apiserver openshift-authenticator-certs secret Opaque tls.crt Yes
openshift-oauth-apiserver serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-oauth-apiserver etcd-serving-ca configmap N/A ca-bundle.crt Yes
openshift-oauth-apiserver kube-root-ca.crt configmap N/A ca.crt Yes
openshift-oauth-apiserver openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-openstack-infra kube-root-ca.crt configmap N/A ca.crt Yes
openshift-openstack-infra openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-operator-controller kube-root-ca.crt configmap N/A ca.crt Yes
openshift-operator-controller openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-operator-lifecycle-manager catalog-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager olm-operator-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager package-server-manager-serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager packageserver-service-cert secret kubernetes.io/tls olmCAKey Yes
openshift-operator-lifecycle-manager packageserver-service-cert secret kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager pprof-cert secret kubernetes.io/tls tls.crt Yes
openshift-operator-lifecycle-manager kube-root-ca.crt configmap N/A ca.crt Yes
openshift-operator-lifecycle-manager openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-operators kube-root-ca.crt configmap N/A ca.crt Yes
openshift-operators openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-ovirt-infra kube-root-ca.crt configmap N/A ca.crt Yes
openshift-ovirt-infra openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-ovn-kubernetes ovn-ca secret kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes ovn-cert secret kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes ovn-control-plane-metrics-cert secret kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes ovn-node-metrics-cert secret kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes signer-ca secret kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes signer-cert secret kubernetes.io/tls tls.crt Yes
openshift-ovn-kubernetes kube-root-ca.crt configmap N/A ca.crt Yes
openshift-ovn-kubernetes openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-ovn-kubernetes ovn-ca configmap N/A ca-bundle.crt Yes
openshift-ovn-kubernetes signer-ca configmap N/A ca-bundle.crt Yes
openshift-route-controller-manager serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-route-controller-manager client-ca configmap N/A ca-bundle.crt Yes
openshift-route-controller-manager kube-root-ca.crt configmap N/A ca.crt Yes
openshift-route-controller-manager openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-service-ca signing-key secret kubernetes.io/tls tls.crt Yes
openshift-service-ca kube-root-ca.crt configmap N/A ca.crt Yes
openshift-service-ca openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-service-ca signing-cabundle configmap N/A ca-bundle.crt Yes
openshift-service-ca-operator serving-cert secret kubernetes.io/tls tls.crt Yes
openshift-service-ca-operator kube-root-ca.crt configmap N/A ca.crt Yes
openshift-service-ca-operator openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-user-workload-monitoring kube-root-ca.crt configmap N/A ca.crt Yes
openshift-user-workload-monitoring openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-virtualization-os-images kube-root-ca.crt configmap N/A ca.crt Yes
openshift-virtualization-os-images openshift-service-ca.crt configmap N/A service-ca.crt Yes
openshift-vsphere-infra kube-root-ca.crt configmap N/A ca.crt Yes
openshift-vsphere-infra openshift-service-ca.crt configmap N/A service-ca.crt Yes
===========================================================================================================================================
Scan complete.
4. Conclusion
This script serves as an essential auditing tool for OpenShift administrators. By systematically identifying all TLS certificates, including those in Opaque Secrets, it empowers teams to:
- Build a Comprehensive Certificate Inventory: Gain full visibility into every TLS certificate used across the cluster.
- Prevent Certificate-Related Outages: Proactively identify certificates that need to be renewed before they expire.
- Strengthen Security Posture: Ensure that all certificates adhere to organizational security policies and can be quickly replaced if compromised.
Regularly running this script is a recommended best practice for maintaining the health, stability, and security of an OpenShift Container Platform environment.
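One way to turn the scan output into the inventory the conclusion calls for, as an added example that is not part of the page's script: it reads the scan lines and separates the Secrets a kubernetes.io/tls-only monitor would miss. The column order NAMESPACE NAME KIND TYPE KEY VALID is an assumption read off the output above.

```shell
#!/bin/bash
# Added example, not part of the page's scan script. Post-processes the
# scan output to list certificate entries that tooling watching only
# kubernetes.io/tls Secrets would not see. Assumed column layout, taken
# from the output shown on the page:
#   NAMESPACE NAME KIND TYPE KEY VALID

# Secrets holding a valid X.509 certificate whose type is anything other
# than kubernetes.io/tls (Opaque, service-account-token, ...). ConfigMaps
# are skipped here: they carry CA bundles rather than serving certs.
hidden_certs() {
  awk '$3 == "secret" && $6 == "Yes" && $4 != "kubernetes.io/tls" {
         print $1, $2, $4, $5
       }'
}

# One "namespace count" line per namespace with hidden entries, sorted,
# so the namespaces needing a renewal owner stand out first.
hidden_certs_per_namespace() {
  hidden_certs | awk '{ n[$1]++ } END { for (ns in n) print ns, n[ns] }' | sort
}

# Constructed sample: a small subset of the scan output above.
SAMPLE_SCAN='openshift-machine-api machine-api-operator-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-api metal3-ironic-tls secret Opaque tls.crt Yes
openshift-machine-api kube-root-ca.crt configmap N/A ca.crt Yes
openshift-monitoring grpc-tls secret Opaque ca.crt Yes
openshift-monitoring grpc-tls secret Opaque prometheus-server.crt Yes
openshift-monitoring prometheus-k8s-tls secret kubernetes.io/tls tls.crt Yes
openshift-machine-config-operator node-bootstrapper-token secret kubernetes.io/service-account-token ca.crt Yes'

# Stand-alone run: hidden entries, then per-namespace totals.
printf '%s\n' "$SAMPLE_SCAN" | hidden_certs
printf '%s\n' "$SAMPLE_SCAN" | hidden_certs_per_namespace
```

In practice, pipe the real scan output into `hidden_certs` instead of the constructed sample.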