Install cert-manager on Openshift
cert-manager is a service that automatically creates certificate requests and signs certificates based on annotations. The created certificate is stored in a secret.
Parts of the Openshift series
- Part1: Install Openshift
- Part2: How to Enable Auto Approval of CSR in Openshift v3.11
- Part3: Add new workers to Openshift cluster
- Part4: Change the certificates of the Openshift cluster
- Part5: LDAP authentication for Openshift
- Part6: Keycloak SSO authentication for Openshift
- Part7: Gitlab SSO authentication for Openshift
- Part8a: Ceph persistent storage for Openshift
- Part8b: vSphere persistent storage for Openshift
- Part9: Helm on Openshift
- Part10: Tillerless Helm on Openshift
- Part11: Use external docker registry on Openshift
- Part12: Secondary router on Openshift
- Part13a: Use Letsencrypt on Openshift
- Part13b: Install cert-manager on Openshift
- Part14: Create Openshift operators
- Part15: Convert docker-compose file to Openshift
- Part16a: Openshift elasticsearch search-guard error
- Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
Normally in Kubernetes you can reference a TLS secret from an Ingress configuration, but in Openshift a Route has no way to read its certificate from a secret. So we will use cert-utils-operator to recreate the routes with the proper certificate, based on annotations.
Install cert-manager

```shell
oc create namespace cert-manager
oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager-legacy.yaml
```
Create ClusterIssuer
A ClusterIssuer is needed to create certs. For this demo I will use a self-signed root CA, which is trusted in my browser. cert-manager can also handle Let's Encrypt as an issuer, with both HTTP and DNS challenges, so (with the DNS challenge) you can use Let's Encrypt certs in a private network without publishing your route.
nano issuer.yaml

```yaml
---
# The CA key pair (base64 PEM); the secret lives in the cert-manager namespace, because a
# ClusterIssuer looks for its secret in cert-manager's cluster resource namespace.
apiVersion: v1
data:
  tls.crt: LS0tLS1C...
  tls.key: LS0tLSGF...
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: ca-issuer
  namespace: cert-manager  # ClusterIssuer is cluster-scoped; this field has no effect
spec:
  ca:
    secretName: ca-key-pair
```
Install cert-utils-operator
I use v0.1.0 and not the latest one (at the moment v0.1.1) because v0.1.1 has a bug on OKD 3.11:
```shell
helm repo add cert-utils-operator https://redhat-cop.github.io/cert-utils-operator
helm repo update
# export CERT_UTILS_CHART_VERSION=$(helm search cert-utils-operator/cert-utils-operator | grep cert-utils-operator/cert-utils-operator | awk '{print $2}')
helm fetch cert-utils-operator/cert-utils-operator --version v0.1.0
helm template cert-utils-operator-v0.1.0.tgz --namespace cert-manager | oc apply -f - -n cert-manager
```
Demo application: a DeploymentConfig, a Service, a cert-manager Certificate and a Route that gets its certificate from the Certificate's secret through the cert-utils-operator annotation.

```yaml
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftWebConsole
  labels:
    app: nginx2
  name: nginx2
spec:
  replicas: 1
  selector:
    app: nginx2
    deploymentconfig: nginx2
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx2
        deploymentconfig: nginx2
    spec:
      containers:
        - image: >-
            bitnami/nginx@sha256:2bff7d085671a8b0f9ec296cf57fba995d06c1b5fb350575dd429c361520f0a4
          imagePullPolicy: Always
          name: nginx2
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8443
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
  test: false
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftWebConsole
  labels:
    app: nginx2
  name: nginx2
spec:
  clusterIP: 172.30.17.64  # exported from the web console; omit it to let the cluster allocate an IP
  ports:
    - name: 8080-tcp
      port: 8080
      protocol: TCP
      targetPort: 8080
    - name: 8443-tcp
      port: 8443
      protocol: TCP
      targetPort: 8443
  selector:
    deploymentconfig: nginx2
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
---
# cert-manager issues the certificate from the ClusterIssuer and stores it in the secret named by secretName
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: nginx2-route-tls
  namespace: default
spec:
  secretName: nginx2-route-tls
  duration: 24h
  renewBefore: 12h
  commonName: nginx.openshift.mydomain.intra
  dnsNames:
    - nginx.openshift.mydomain.intra
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# cert-utils-operator copies the certificate and key from the annotated secret into the route's TLS config
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    cert-utils-operator.redhat-cop.io/certs-from-secret: nginx2-route-tls
  labels:
    app: nginx2
  name: nginx2
spec:
  host: nginx.openshift.mydomain.intra
  port:
    targetPort: 8080-tcp
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
  to:
    kind: Service
    name: nginx2
    weight: 100
  wildcardPolicy: None
```
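The wiring above only works if every TLS route points at a secret that exists, holds `tls.crt`/`tls.key` and is kept renewed by a Certificate. The following audit script is an added example (not part of this post, of cert-manager or of cert-utils-operator) that cross-checks exactly that over the `items` of `oc get routes -o json`, `oc get certificates -o json` and `oc get secrets -o json`; the sample objects are constructed to mirror the manifests above, plus one unannotated edge route that would keep serving the router's default wildcard certificate.

```python
import re

ANNOTATION = "cert-utils-operator.redhat-cop.io/certs-from-secret"
UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_go_duration(text):
    """Go-style duration ('24h', '12h30m', '90s') -> seconds; anything else is rejected."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def audit(routes, certificates, secrets):
    """Cross-check route -> secret -> Certificate wiring; returns findings (empty list = consistent)."""
    findings = []
    secret_keys = {(s["metadata"]["namespace"], s["metadata"]["name"]): set(s.get("data") or {}) for s in secrets}
    managed = {(c["metadata"]["namespace"], c["spec"]["secretName"]) for c in certificates}  # renewed by cert-manager
    for r in routes:
        ns, ref = r["metadata"]["namespace"], f"route {r['metadata']['namespace']}/{r['metadata']['name']}"
        target = (r["metadata"].get("annotations") or {}).get(ANNOTATION)
        if not target:
            if r["spec"].get("tls"):  # TLS route still serving the router's default wildcard certificate
                findings.append(f"{ref}: TLS route without the {ANNOTATION} annotation")
            continue
        keys = secret_keys.get((ns, target))
        if keys is None:
            findings.append(f"{ref}: secret {target} not found in namespace {ns}")
        elif not {"tls.crt", "tls.key"} <= keys:
            findings.append(f"{ref}: secret {target} lacks tls.crt/tls.key")
        if (ns, target) not in managed:
            findings.append(f"{ref}: no Certificate manages secret {target}, so it will never be renewed")
    for c in certificates:
        spec, ref = c["spec"], f"certificate {c['metadata']['namespace']}/{c['metadata']['name']}"
        duration = parse_go_duration(spec.get("duration", "2160h"))  # cert-manager's default is 90 days
        if "renewBefore" in spec and parse_go_duration(spec["renewBefore"]) >= duration:
            findings.append(f"{ref}: renewBefore {spec['renewBefore']} must be shorter than duration")
    return findings

# Constructed sample objects, shaped like the items of `oc get routes,certificates,secrets -o json`.
SAMPLE_ROUTES = [
    {"metadata": {"namespace": "default", "name": "nginx2", "annotations": {ANNOTATION: "nginx2-route-tls"}},
     "spec": {"host": "nginx.openshift.mydomain.intra", "tls": {"termination": "edge"}}},
    {"metadata": {"namespace": "default", "name": "legacy"}, "spec": {"tls": {"termination": "edge"}}},
]
SAMPLE_CERTIFICATES = [{"metadata": {"namespace": "default", "name": "nginx2-route-tls"},
                        "spec": {"secretName": "nginx2-route-tls", "duration": "24h", "renewBefore": "12h"}}]
SAMPLE_SECRETS = [{"metadata": {"namespace": "default", "name": "nginx2-route-tls"},
                   "data": {"tls.crt": "<base64>", "tls.key": "<base64>", "ca.crt": "<base64>"}}]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ROUTES, SAMPLE_CERTIFICATES, SAMPLE_SECRETS)) or "wiring consistent")
```

Run it against the real cluster by feeding it the `items` lists of the three `oc get ... -o json` outputs; an empty result means every TLS route is backed by a cert-manager-managed secret.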