Install cert-manager to Openshift


cert-manager is a service that automatically creates certificate requests and signs certificates based on annotations. The issued certificate is stored in a secret.


Normally in Kubernetes you can use a secret for TLS in an ingress configuration, but in OpenShift there is no way for a route to take its certificate from a secret. So we will use cert-utils-operator, which re-creates routes with the proper certificate based on annotations.

Install cert-manager

oc create namespace cert-manager
oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager-legacy.yaml

Create a ClusterIssuer to issue certs. For this demo I will use a self-signed root CA that is trusted in my browser. cert-manager can also handle Let's Encrypt as an issuer, with both HTTP and DNS challenges, so you can use Let's Encrypt certs in a private network without publishing your route.

nano issuer.yaml
---
apiVersion: v1
data:
  tls.crt: LS0tLS1C...
  tls.key: LS0tLSGF...
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: ca-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: ca-key-pair

Install cert-utils-operator

I use v0.1.0 and not the latest one (at the moment v0.1.1), because v0.1.1 has a bug on OKD 3.11:

helm repo add cert-utils-operator https://redhat-cop.github.io/cert-utils-operator
helm repo update
# export CERT_UTILS_CHART_VERSION=$(helm search cert-utils-operator/cert-utils-operator | grep cert-utils-operator/cert-utils-operator | awk '{print $2}')

helm fetch cert-utils-operator/cert-utils-operator --version v0.1.0
helm template cert-utils-operator-v0.1.0.tgz --namespace cert-manager | oc apply -f - -n cert-manager

apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftWebConsole
  labels:
    app: nginx2
  name: nginx2
spec:
  replicas: 1
  selector:
    app: nginx2
    deploymentconfig: nginx2
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx2
        deploymentconfig: nginx2
    spec:
      containers:
        - image: >-
            bitnami/nginx@sha256:2bff7d085671a8b0f9ec296cf57fba995d06c1b5fb350575dd429c361520f0a4
          imagePullPolicy: Always
          name: nginx2
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8443
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
  test: false
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftWebConsole
  labels:
    app: nginx2
  name: nginx2
spec:
  clusterIP: 172.30.17.64
  ports:
    - name: 8080-tcp
      port: 8080
      protocol: TCP
      targetPort: 8080
    - name: 8443-tcp
      port: 8443
      protocol: TCP
      targetPort: 8443
  selector:
    deploymentconfig: nginx2
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: nginx2-route-tls
  namespace: default
spec:
  secretName: nginx2-route-tls
  duration: 24h
  renewBefore: 12h
  commonName: nginx.openshift.mydomain.intra
  dnsNames:
  - nginx.openshift.mydomain.intra
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    cert-utils-operator.redhat-cop.io/certs-from-secret: nginx2-route-tls
  labels:
    app: nginx2
  name: nginx2
spec:
  host: nginx.openshift.mydomain.intra
  port:
    targetPort: 8080-tcp
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
  to:
    kind: Service
    name: nginx2
    weight: 100
  wildcardPolicy: None
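The Certificate and the Route above only work together if a few details line up: the annotation must name the secret the Certificate writes, both objects must sit in the same namespace (the operator reads the secret from the route's namespace), the route must use edge or reencrypt termination, the route host must be covered by the certificate's dnsNames, and renewBefore must be shorter than duration or the router keeps serving an expired cert. The following script is an added example, not code from the original post or from cert-manager or cert-utils-operator; it checks those points on manifests that have already been loaded into Python dicts (here constructed inline to mirror the YAML in the post; a real tool would load them with a YAML parser first). The wildcard matching and the Go-style duration parser are my own simplifications, not the projects' implementations.

```python
"""Consistency checks for a cert-manager Certificate and the OpenShift Route
that consumes its secret through cert-utils-operator. Added example; the
manifests below are constructed dicts mirroring the YAML from the post."""
import re

ROUTE_ANNOTATION = "cert-utils-operator.redhat-cop.io/certs-from-secret"

# Constructed sample: the Certificate from the post, as a dict.
CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Certificate",
    "metadata": {"name": "nginx2-route-tls", "namespace": "default"},
    "spec": {
        "secretName": "nginx2-route-tls",
        "duration": "24h",
        "renewBefore": "12h",
        "commonName": "nginx.openshift.mydomain.intra",
        "dnsNames": ["nginx.openshift.mydomain.intra"],
        "issuerRef": {"name": "ca-issuer", "kind": "ClusterIssuer",
                      "group": "cert-manager.io"},
    },
}

# Constructed sample: the Route from the post (namespace assumed to be
# "default", the namespace the Certificate is created in).
ROUTE = {
    "apiVersion": "route.openshift.io/v1",
    "kind": "Route",
    "metadata": {"name": "nginx2", "namespace": "default",
                 "annotations": {ROUTE_ANNOTATION: "nginx2-route-tls"}},
    "spec": {
        "host": "nginx.openshift.mydomain.intra",
        "port": {"targetPort": "8080-tcp"},
        "tls": {"termination": "edge",
                "insecureEdgeTerminationPolicy": "Redirect"},
        "to": {"kind": "Service", "name": "nginx2", "weight": 100},
    },
}

_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(h|m|s)")


def parse_duration_seconds(value):
    """Parse Go-style durations as used by cert-manager ('2160h', '1h30m').
    Only the h/m/s units are handled here; anything else is rejected."""
    units = {"h": 3600, "m": 60, "s": 1}
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(value):
        if m.start() != pos:
            raise ValueError("bad duration: %r" % value)
        total += float(m.group(1)) * units[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError("bad duration: %r" % value)
    return total


def name_matches(pattern, host):
    """True if a certificate DNS name covers host; a leading '*' covers
    exactly one label, as browsers interpret it."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.intra"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


def check_route_certificate(cert, route):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    cspec, rspec = cert.get("spec", {}), route.get("spec", {})
    cmeta, rmeta = cert.get("metadata", {}), route.get("metadata", {})
    secret = cspec.get("secretName")
    annotated = rmeta.get("annotations", {}).get(ROUTE_ANNOTATION)

    # The operator copies tls.crt/tls.key from a secret in the route's namespace.
    if annotated != secret:
        problems.append("route annotation names secret %r but the Certificate "
                        "writes %r" % (annotated, secret))
    if cmeta.get("namespace") != rmeta.get("namespace"):
        problems.append("Certificate and Route are in different namespaces")

    # Only edge/reencrypt routes present a router certificate.
    termination = rspec.get("tls", {}).get("termination")
    if termination not in ("edge", "reencrypt"):
        problems.append("termination %r does not use a router cert" % termination)

    # The host the router serves must appear in the certificate's SANs.
    host = rspec.get("host", "")
    names = cspec.get("dnsNames", [])
    if not any(name_matches(n, host) for n in names):
        problems.append("route host %r is not covered by dnsNames %r" % (host, names))

    # Renewal must be scheduled before expiry; skip when cert-manager defaults apply.
    if "duration" in cspec and "renewBefore" in cspec:
        if parse_duration_seconds(cspec["renewBefore"]) >= \
                parse_duration_seconds(cspec["duration"]):
            problems.append("renewBefore must be shorter than duration")
    return problems


if __name__ == "__main__":
    for p in check_route_certificate(CERTIFICATE, ROUTE) or ["ok"]:
        print(p)
```

Run it against your own manifests after loading them (for example with PyYAML's safe_load on the multi-document file); the checks are deliberately independent of the cluster, so they can sit in a pre-commit hook or CI job before anything is applied with oc.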