Change Certificates in Openshift
In this post I will show you how you can change the certificates in Openshift.
Parts of the Openshift series
- Part1: Install Openshift
- Part2: How to Enable Auto Approval of CSR in Openshift v3.11
- Part3: Add new workers to Openshift cluster
- Part4: Change the certificates of the Openshift cluster
- Part5: LDAP authentication for Openshift
- Part6: Keycloak SSO authentication for Openshift
- Part7: Gitlab SSO authentication for Openshift
- Part8a: Ceph persistent storage for Openshift
- Part8b: vSphere persistent storage for Openshift
- Part9: Helm on Openshift
- Part10: Tillerless Helm on Openshift
- Part11: Use external docker registry on Openshift
- Part12: Secondary router on Openshift
- Part13a: Use Letsencrypt on Openshift
- Part13b: Install cert-manager on Openshift
- Part14: Create Openshift operators
- Part15: Convert docker-compose file to Openshift
- Part16a: Openshift elasticsearch search-guard error
- Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
Configure certs:
If you want to configure your Openshift cluster to use your own certificate, you can do that with the inventory settings below. In my case the certificate files are MyCert.crt and MyCert.key, and the root CA is ccca.pem. The same certificate, key and CA are used for the master API, the router and the registry route.
nano /etc/ansible/hosts
openshift_master_overwrite_named_certificates=true
openshift_hosted_router_certificate={"certfile": "/root/cert/MyCert.crt", "keyfile": "/root/cert/MyCert.key", "cafile": "/root/cert/ccca.pem"}
openshift_master_named_certificates=[{"names": ["master.openshit.devopstales.intra"],"certfile": "/root/cert/MyCert.crt", "keyfile": "/root/cert/MyCert.key", "cafile": "/root/cert/ccca.pem"}]
openshift_redeploy_openshift_ca=true
openshift_certificate_expiry_fail_on_warn=false
# registry
openshift_hosted_registry_routecertificates={"certfile": "/root/cert/MyCert.crt", "keyfile": "/root/cert/MyCert.key", "cafile": "/root/cert/ccca.pem"}
openshift_hosted_registry_routetermination=reencrypt
Run the Installer
If your certificate has been renewed, you can change the certificate in the cluster with these playbooks. Approve any pending CSRs first, then redeploy the certificates; the last two playbooks are only needed when the CA itself changes (openshift_redeploy_openshift_ca=true in the inventory).
oc get csr | grep Pending | awk '{print $1}' | xargs oc adm certificate approve
ansible-playbook -i hosts /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml
ansible-playbook -i hosts /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-openshift-ca.yml
ansible-playbook -i hosts /usr/share/ansible/openshift-ansible/playbooks/openshift-etcd/redeploy-ca.yml