Credits: https://www.openshift.com/blog/requesting-and-installing-lets-encrypt-certificates-for-openshift-4

Prerequisites

Create AWS credentials as described in the previous article and replace the placeholder values. acme.sh's dns_aws hook reads AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment, so use an access key scoped to the Route53 hosted zone rather than an administrator key, and keep this file out of version control.

$ cat << EOF > aws.credentials
#!/bin/bash
export AWS_ACCESS_KEY_ID=REPLACE_AWSACCESSKEYID
export AWS_SECRET_ACCESS_KEY=REPLACE_AWSSECRETACCESSKEY
EOF

$ source aws.credentials
$

Make sure you are logged in to the cluster.

$ export KUBECONFIG=${PWD}/config/auth/kubeconfig
$ oc get node
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-128-29.eu-west-1.compute.internal    Ready    worker   68m   v1.17.1
ip-10-0-140-213.eu-west-1.compute.internal   Ready    master   78m   v1.17.1
ip-10-0-149-203.eu-west-1.compute.internal   Ready    master   77m   v1.17.1
ip-10-0-150-180.eu-west-1.compute.internal   Ready    worker   68m   v1.17.1
ip-10-0-169-24.eu-west-1.compute.internal    Ready    worker   68m   v1.17.1
ip-10-0-175-121.eu-west-1.compute.internal   Ready    master   78m   v1.17.1
$ oc whoami
system:admin
$

Clone the acme.sh GitHub repository.

$ git clone https://github.com/neilpang/acme.sh

Set LE_API to the API server FQDN (derived from the server URL that oc reports) and LE_WILDCARD to the apps wildcard domain (read from the status of the default IngressController).

$ export LE_API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
$ export LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')
$ env | grep LE_
LE_API=api.demo.okd.agolis.xyz
LE_WILDCARD=apps.demo.okd.agolis.xyz
$

Request and install certificates

Request one certificate covering both the API FQDN and the apps wildcard, validated with DNS-01 challenges through Route53 (the dns_aws hook).

$ ./acme.sh/acme.sh --issue -d ${LE_API} -d \*.${LE_WILDCARD} --dns dns_aws
...snip...
[Mon Jun 15 14:01:07 CEST 2020] Your cert is in  ~/.acme.sh/api.demo.okd.agolis.xyz/api.demo.okd.agolis.xyz.cer
[Mon Jun 15 14:01:07 CEST 2020] Your cert key is in  ~/.acme.sh/api.demo.okd.agolis.xyz/api.demo.okd.agolis.xyz.key
[Mon Jun 15 14:01:07 CEST 2020] The intermediate CA cert is in  ~/.acme.sh/api.demo.okd.agolis.xyz/ca.cer
[Mon Jun 15 14:01:07 CEST 2020] And the full chain certs is there:  ~/.acme.sh/api.demo.okd.agolis.xyz/fullchain.cer
$

Copy them into a working directory with --install-cert; acme.sh records these paths and refreshes the same files on every renewal.

$ export CERTDIR=./certificates
$ mkdir -p ${CERTDIR}
$ ./acme.sh/acme.sh --install-cert -d ${LE_API} -d \*.${LE_WILDCARD} --cert-file ${CERTDIR}/cert.pem --key-file ${CERTDIR}/key.pem --fullchain-file ${CERTDIR}/fullchain.pem --ca-file ${CERTDIR}/ca.cer
[Mon Jun 15 14:02:31 CEST 2020] Installing cert to:./certificates/cert.pem
[Mon Jun 15 14:02:31 CEST 2020] Installing CA to:./certificates/ca.cer
[Mon Jun 15 14:02:31 CEST 2020] Installing key to:./certificates/key.pem
[Mon Jun 15 14:02:31 CEST 2020] Installing full chain to:./certificates/fullchain.pem
$

Install the certificate on the router by creating a TLS secret in openshift-ingress and pointing the default IngressController resource at it. This only changes the certificate served for *.apps; the API server's serving certificate is not touched by this step.

$ oc create secret tls router-certs --cert=${CERTDIR}/fullchain.pem --key=${CERTDIR}/key.pem -n openshift-ingress
secret/router-certs created
$ oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "router-certs" }}}'
ingresscontroller.operator.openshift.io/default patched
$

Watch the new router pods roll out. The ingress operator creates a new ReplicaSet and terminates the old pods once the replacements are ready.

$ oc get po -w -n openshift-ingress
NAME                              READY   STATUS    RESTARTS   AGE
router-default-766f78647f-4tmtg   1/1     Running   0          108m
router-default-766f78647f-wmtzk   1/1     Running   0          109m
router-default-7b95578747-gzljm   0/1     Running   0          9s
router-default-7b95578747-gzljm   1/1     Running   0          16s
router-default-766f78647f-wmtzk   1/1     Terminating   0          109m
router-default-7b95578747-8t9nk   0/1     Pending       0          0s
router-default-7b95578747-8t9nk   0/1     Pending       0          0s
router-default-7b95578747-8t9nk   0/1     ContainerCreating   0          0s
router-default-7b95578747-8t9nk   0/1     ContainerCreating   0          0s
router-default-7b95578747-8t9nk   0/1     ContainerCreating   0          2s
router-default-7b95578747-8t9nk   0/1     Running             0          3s
router-default-7b95578747-8t9nk   1/1     Running             0          14s
router-default-766f78647f-4tmtg   1/1     Terminating         0          109m
router-default-766f78647f-wmtzk   0/1     Terminating         0          109m
^C
$
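As an added example (not from the original post, nor from acme.sh or OpenShift), here is the same procedure as a script with two things a practitioner will want that the page does not cover: a --reloadcmd so that acme.sh's renewal cron pushes the renewed files back into the router-certs secret (Let's Encrypt certificates are valid for 90 days, and renewing the files alone does not touch the cluster), and a check after the rollout that the router really serves the new certificate. It assumes acme.sh is cloned to ./acme.sh, the AWS variables and KUBECONFIG are exported, and openssl is installed; the helper names, the RUN_LE_INSTALL switch and the probe hostname are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: issue/install/patch as
# functions, plus renewal hook and post-rollout verification.
# Assumes: ./acme.sh checkout, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY and
# KUBECONFIG exported, oc and openssl on PATH.
set -eu

ACME=${ACME:-./acme.sh/acme.sh}
CERTDIR=${CERTDIR:-./certificates}
SECRET=${SECRET:-router-certs}

# Strip scheme, port and any path from the URL printed by `oc whoami --show-server`:
# https://api.demo.okd.agolis.xyz:6443 -> api.demo.okd.agolis.xyz
api_host_from_url() {
    printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##'
}

# Idempotent secret update, usable for the first install and for every renewal
# (a plain `oc create secret tls` fails with AlreadyExists the second time).
secret_apply_cmd() {
    printf 'oc create secret tls %s --cert=%s/fullchain.pem --key=%s/key.pem -n openshift-ingress --dry-run=client -o yaml | oc apply -f -\n' \
        "$2" "$1" "$1"
}

issue_and_install() {
    api=$1; wildcard=$2
    mkdir -p "$CERTDIR"
    # DNS-01 through Route53; exit code 2 means "not due for renewal, skipped".
    "$ACME" --issue -d "$api" -d "*.$wildcard" --dns dns_aws || [ $? -eq 2 ]
    # acme.sh stores --reloadcmd in the certificate's conf and runs it after each renewal,
    # so the cluster secret follows the files without manual intervention.
    "$ACME" --install-cert -d "$api" -d "*.$wildcard" \
        --cert-file "$CERTDIR/cert.pem" --key-file "$CERTDIR/key.pem" \
        --fullchain-file "$CERTDIR/fullchain.pem" --ca-file "$CERTDIR/ca.cer" \
        --reloadcmd "$(secret_apply_cmd "$CERTDIR" "$SECRET") && oc rollout restart deployment/router-default -n openshift-ingress"
    chmod 600 "$CERTDIR/key.pem"
}

# Compare the SHA-256 fingerprint of the leaf the router serves (via SNI) with the local cert.
verify_router_cert() {
    host=$1; pem=$2
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$pem")
    got=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256)
    [ -n "$got" ] && [ "$want" = "$got" ]
}

main() {
    api=$(api_host_from_url "$(oc whoami --show-server)")
    wildcard=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')
    issue_and_install "$api" "$wildcard"
    eval "$(secret_apply_cmd "$CERTDIR" "$SECRET")"
    oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \
        --patch '{"spec":{"defaultCertificate":{"name":"'"$SECRET"'"}}}'
    oc rollout status deployment/router-default -n openshift-ingress --timeout=5m
    # Any name under the wildcard works: the router answers unknown hosts with the default cert.
    verify_router_cert "probe.$wildcard" "$CERTDIR/cert.pem" \
        && echo "router now serves the Let's Encrypt certificate for *.$wildcard"
}

# Only touch a cluster when explicitly asked; sourcing the file just defines the functions.
if [ "${RUN_LE_INSTALL:-0}" = 1 ]; then main; fi
```

Run it with RUN_LE_INSTALL=1 against the cluster, or source it to reuse the functions. Because the --reloadcmd is persisted by acme.sh, the cron job it installs (./acme.sh/acme.sh --install-cronjob) re-applies the secret and restarts the router after every renewal; without such a hook the files on disk renew while the cluster keeps serving the expiring certificate.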

Resources