Open Tcharl opened 3 years ago
End user reverse proxy: freeipa to generate kube admins/ops certificates, no additional CA to download but the freeipa one from an end user perspective. Technical Added value: apiserver to be protected by reverse proxy instead of firewalld rule.
Describe the Enhancement:
As expressed in the Kube PKI documentation, an external CA can be used instead of the kubeadm-generated one. This would help to integrate FreeIPA and Kube better, the ultimate goal being to have cluster admins and developers authenticated via FreeIPA-generated certificates containing their Kubernetes roles in the 'O' section.
Describe the Need:
Enhance security
Current Alternative:
Using certs generated by Kubernetes CA, but it is not related to freeipa at all