Openshift Letsencrypt certificates
Tomáš Nožička developed openshift-acme, an ACME controller for OpenShift and Kubernetes clusters. It automatically provisions certificates.
Parts of the Openshift series
- Part1: Install Openshift
- Part2: How to Enable Auto Approval of CSR in Openshift v3.11
- Part3: Add new workers to Openshift cluster
- Part4: Change the certificates of the Openshift cluster
- Part5: LDAP authentication for Openshift
- Part6: Keycloak SSO authentication for Openshift
- Part7: Gitlab SSO authentication for Openshift
- Part8a: Ceph persistent storage for Openshift
- Part8b: vSphere persistent storage for Openshift
- Part9: Helm on Openshift
- Part10: Tillerless Helm on Openshift
- Part11: Use external docker registry on Openshift
- Part12: Secondary router on Openshift
- Part13a: Use Letsencrypt on Openshift
- Part13b: Install cert-manager on Openshift
- Part14: Create Openshift operators
- Part15: Convert docker-compose file to Openshift
- Part16a: Openshift elasticsearch search-guard error
- Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
Environment
192.168.1.40 deployer
192.168.1.41 openshift01 # master node
192.168.1.42 openshift02 # infra node
192.168.1.43 openshift03 # worker node
Deploy route
oc project default
oc label node openshift02.devopstales.intra "router=letsencrypt"
oc get node --show-labels
oc adm policy add-scc-to-user hostnetwork -z router
oc adm router router-letsencrypt --replicas=0 --ports="8080:8080,8443:8443" --stats-port=1937 --selector="router=letsencrypt" --labels="router=letsencrypt"
oc set env dc/router-letsencrypt \
NAMESPACE_LABELS="router=letsencrypt" \
ROUTER_ALLOW_WILDCARD_ROUTES=true \
ROUTER_SERVICE_HTTP_PORT=8080 \
ROUTER_SERVICE_HTTPS_PORT=8443 \
ROUTER_TCP_BALANCE_SCHEME=roundrobin
oc set env dc/router NAMESPACE_LABELS="router != letsencrypt"
oc scale dc/router-letsencrypt --replicas=3
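The two `NAMESPACE_LABELS` settings above shard the routers: the new router, which runs with the `hostnetwork` SCC, only admits routes from namespaces labelled `router=letsencrypt`, and the default router admits everything else. The following Python script is an added example (not code from the original post or from openshift-acme) that implements the subset of the Kubernetes label-selector syntax needed to check that sharding: `key=value`, `key!=value`, `key in (...)`, `key notin (...)`, `key` and `!key`. The namespaces and their labels are constructed sample data; the assumption is that both routers evaluate the selector with standard Kubernetes semantics, where a missing key satisfies `!=` and `notin`.

```python
"""Added example: Kubernetes label-selector matching for router sharding.

Assumption: NAMESPACE_LABELS is evaluated like a standard Kubernetes
label selector (a namespace lacking the key satisfies != and notin).
"""
import re

# Constructed sample data: namespace name -> labels on that namespace.
NAMESPACES = {
    "default": {},
    "test": {"router": "letsencrypt"},
    "internal-app": {"router": "internal"},
    "kube-system": {"openshift.io/run-level": "0"},
}

_EQ_RE = re.compile(r"^(\S+?)\s*(==|!=|=)\s*(\S*)$")
_SET_RE = re.compile(r"^(\S+)\s+(in|notin)\s*\(([^)]*)\)$")


def parse_requirement(req):
    """Turn one requirement into (key, operator, set_of_values)."""
    req = req.strip()
    m = _EQ_RE.match(req)
    if m:
        key, op, val = m.groups()
        return key, ("=" if op == "==" else op), {val}
    m = _SET_RE.match(req)
    if m:
        key, op, vals = m.groups()
        return key, op, {v.strip() for v in vals.split(",") if v.strip()}
    if req.startswith("!"):
        return req[1:], "!exists", set()
    return req, "exists", set()


def parse_selector(selector):
    """Split a selector on top-level commas (commas inside parentheses belong to in/notin)."""
    reqs, depth, cur = [], 0, []
    for ch in selector:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            reqs.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    reqs.append("".join(cur))
    return [parse_requirement(r) for r in reqs if r.strip()]


def _satisfied(req, labels):
    key, op, vals = req
    present = key in labels
    if op == "exists":
        return present
    if op == "!exists":
        return not present
    if op in ("=", "in"):
        return present and labels[key] in vals
    if op in ("!=", "notin"):
        # Kubernetes semantics: a missing key also satisfies != and notin.
        return not present or labels[key] not in vals
    raise ValueError(f"unknown operator {op!r}")


def matches(selector, labels):
    """True when every requirement of the selector holds for the given labels."""
    return all(_satisfied(r, labels) for r in parse_selector(selector))


def admitted_namespaces(selector, namespaces=NAMESPACES):
    """Namespaces whose routes a router with this NAMESPACE_LABELS value will serve."""
    return sorted(ns for ns, labels in namespaces.items() if matches(selector, labels))


def shards_are_disjoint_and_complete(selectors, namespaces=NAMESPACES):
    """Check that every namespace is served by exactly one router."""
    hits = {ns: 0 for ns in namespaces}
    for sel in selectors:
        for ns in admitted_namespaces(sel, namespaces):
            hits[ns] += 1
    return all(n == 1 for n in hits.values())


if __name__ == "__main__":
    for sel in ("router=letsencrypt", "router != letsencrypt"):
        print(f"{sel!r:28} -> {admitted_namespaces(sel)}")
    print("disjoint and complete:",
          shards_are_disjoint_and_complete(["router=letsencrypt", "router != letsencrypt"]))
```

Running it shows that only the `test` namespace is served by the hostnetwork router and every other namespace stays on the default router, with no namespace served by both and none served by neither. Changing the second selector to something looser (for example `router in (letsencrypt, internal)`) makes `shards_are_disjoint_and_complete` fail, which is the misconfiguration to watch for when adding a third router.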
Deploy letsencrypt
GIT_REPO=https://raw.githubusercontent.com/devopstales/openshift-examples
GIT_PATH=master/letsencrypt   # no leading slash, so $GIT_REPO/$GIT_PATH does not contain a double slash
oc new-project letsencrypt
# brace expansion turns this into one -f<url> argument per manifest
oc create -f$GIT_REPO/$GIT_PATH/{clusterrole,serviceaccount,imagestream,deployment}.yaml
oc adm policy add-cluster-role-to-user openshift-acme -z openshift-acme
Demo
oc new-project test
oc label namespace test router=letsencrypt
oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git
oc expose svc/ruby-ex
oc patch route ruby-ex \
-p '{"metadata":{"annotations":{ "kubernetes.io/tls-acme" : "true" }}}'
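The `oc patch` call above hands the controller the signal to issue a certificate by adding one annotation to the route. As an added example (not code from the original post or from openshift-acme), the Python script below applies that same patch document to a route object and checks the result. It assumes that a patch without `--type` is applied with merge semantics for the `metadata.annotations` map, as in RFC 7386 JSON merge patch: existing keys are kept, patched keys are added or overwritten, and a `null` value deletes a key. The route object is constructed sample data, not output from a real cluster.

```python
"""Added example: apply the tls-acme annotation patch to a route object.

Assumption: `oc patch` without --type merges the patch into the object, so
for the annotations map this behaves like an RFC 7386 JSON merge patch
(keys added/overwritten, null deletes). Route below is constructed data.
"""
import copy
import json

ACME_ANNOTATION = "kubernetes.io/tls-acme"

# Exactly the patch document passed to `oc patch route ruby-ex -p ...` above.
PATCH_JSON = '{"metadata":{"annotations":{ "kubernetes.io/tls-acme" : "true" }}}'

# Constructed sample route, shaped like `oc get route ruby-ex -o json` output.
ROUTE = {
    "apiVersion": "route.openshift.io/v1",
    "kind": "Route",
    "metadata": {
        "name": "ruby-ex",
        "namespace": "test",
        "annotations": {"openshift.io/host.generated": "true"},
    },
    "spec": {
        "host": "ruby-ex-test.apps.example.invalid",  # constructed placeholder host
        "to": {"kind": "Service", "name": "ruby-ex"},
        "port": {"targetPort": "8080-tcp"},
    },
}


def merge_patch(target, patch):
    """RFC 7386 JSON merge patch: returns a new object, leaves `target` untouched."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)          # null in the patch removes the key
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def request_certificate(route, patch_json=PATCH_JSON):
    """Return the route as it looks after `oc patch ... -p PATCH_JSON`."""
    return merge_patch(route, json.loads(patch_json))


def wants_acme_cert(route):
    """True when the route carries the annotation openshift-acme watches for."""
    annotations = route.get("metadata", {}).get("annotations", {})
    return annotations.get(ACME_ANNOTATION) == "true"


def withdraw_request(route):
    """Remove the annotation again (a null value in a merge patch deletes the key)."""
    return merge_patch(route, {"metadata": {"annotations": {ACME_ANNOTATION: None}}})


if __name__ == "__main__":
    patched = request_certificate(ROUTE)
    print(json.dumps(patched["metadata"]["annotations"], indent=2))
    print("requests certificate:", wants_acme_cert(patched))
```

The merge keeps the pre-existing `openshift.io/host.generated` annotation and the whole `spec` block, which is why the annotation can be added to a live route without re-stating the rest of the object. Once the controller has processed the route, `spec.tls` is populated by openshift-acme; the script does not model that step.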