Install cert-manager to Openshift

cert-manager is a service that automatically creates certificate requests and sign certificate based on annotations. The created certificate will be stored in a secret.

Parts of the Openshift series

• Part1: Install Opeshift
• Part2: How to Enable Auto Approval of CSR in Openshift v3.11
• Part3: Add new workers to Openshift cluster
• Part4: Chane the certificates of the Openshift cluster
• Part5: LDAP authentication for Openshift
• Part6: Keycloak SSO authentication for Openshift
• Part7: Gitlab SSO authentication for Openshift
• Part8a: Ceph persistent storage for Openshift
• Part8b: vSphere persistent storage for Openshift
• Part9: Helm on Openshift
• Part10: Tillerless Helm on Openshift
• Part11: Use external docker registry on Openshift
• Part12: Secondary router on Openshift
• Part13a: Use Letsencrypt on Openshift
• Part13b: Install cert-managger on Openshift
• Part14: Create Openshift operators
• Part15: Convert docker-compose file to Opeshift
• Part16a: Opeshift elasticsearch search-guard error
• Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)

Normally in kubernetes you can use a secret for TLS in an ingress cinfiguration but in Openshift there is no way to get the certificate from a secret for a route. So we will use cert-utils-operator for recreating routs with the propriety certificate based on annotations.

Install cert-managger

oc create namespace cert-manager
oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager-legacy.yaml

Create ClusterIssuer to create certs. For this demo I will use a Self-signed root CA, what is trustin in my browser. cert-manager can handle Let’s encrypt as an issuer both with http and dns challenges so yu can use Let’s encrypt certs in a private network without publication your route.

nano issuer.yaml
---
apiVersion: v1
data:
  tls.crt: LS0tLS1C...
  tls.key: LS0tLSGF...
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: ca-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: ca-key-pair

Install cert-utils-operator

I usethe v0.1.0 and not the latest one (at the moment v0.1.1) besause athe v0.1.1 has a bug on OKD 3.11:

• https://github.com/redhat-cop/cert-utils-operator/issues/51

helm repo add cert-utils-operator https://redhat-cop.github.io/cert-utils-operator
helm update
# export CERT_UTILS_CHART_VERSION=$(helm search cert-utils-operator/cert-utils-operator | grep cert-utils-operator/cert-utils-operator | awk '{print $2}')

helm fetch cert-utils-operator/cert-utils-operator --version v0.1.0
helm template cert-utils-operator-v0.1.0.tgz --namespace cert-manager | oc apply -f - -n cert-manager

apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftWebConsole
  labels:
    app: nginx2
  name: nginx2
spec:
  replicas: 1
  selector:
    app: nginx2
    deploymentconfig: nginx2
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx2
        deploymentconfig: nginx2
    spec:
      containers:
        - image: >-
            bitnami/nginx@sha256:2bff7d085671a8b0f9ec296cf57fba995d06c1b5fb350575dd429c361520f0a4
          imagePullPolicy: Always
          name: nginx2
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8443
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
  test: false
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftWebConsole
  labels:
    app: nginx2
  name: nginx2
spec:
  clusterIP: 172.30.17.64
  ports:
    - name: 8080-tcp
      port: 8080
      protocol: TCP
      targetPort: 8080
    - name: 8443-tcp
      port: 8443
      protocol: TCP
      targetPort: 8443
  selector:
    deploymentconfig: nginx2
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: nginx2-route-tls
  namespace: default
spec:
  secretName: nginx2-route-tls
  duration: 24h
  renewBefore: 12h
  commonName: nginx.openshift.mydomain.intra
  dnsNames:
  - nginx.openshift.mydomain.intra
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    cert-utils-operator.redhat-cop.io/certs-from-secret=nginx2-route-tls
  labels:
    app: nginx2
  name: nginx2
spec:
  host: nginx.openshift.mydomain.intra
  port:
    targetPort: 8080-tcp
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
  to:
    kind: Service
    name: nginx2
    weight: 100
  wildcardPolicy: None

---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    cert-utils-operator.redhat-cop.io/certs-from-secret: nginx2-route-tls
  labels:
    app: nginx2
  name: nginx2
spec:
  host: nginx.openshift.mydomain.intra
  port:
    targetPort: 8080-tcp
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
  to:
    kind: Service
    name: nginx2
    weight: 100
  wildcardPolicy: None