Let’s Automate :: Let’s Encrypt TLS Certs for OpenShift 4

Red Hat OpenShift installer by default uses self-signed certificates to encrypt the communication with the web console as well as applications exposed via OpenShift Route. Self-signed certs generally suffice your dev/test environments however, for production environments, it's highly recommended to use proper certificates to secure all your OpenShift routes.

In this post, you will learn how to request TLS certificates from Let’s Encrypt and apply those to your OpenShift 4 cluster as a post-installation step.

Prerequisite

• Up and running OpenShift4 cluster
• Registered domain name with access to DNS management (see supported DNS providers here)

Get .. Set .. Go !!

Part — 1 : Certificate Generation

• Clone acmesh-official repository

cd $HOME
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh

Note: In my case, I use AWS Route 53 as my DNS manager + domain registrar

• AWS Console → IAM → Add User
• Provide “User Name” → select “Programmatic Access”
• Click the 3rd icon “Attach existing policies directly"
• Click “Create Policy” and in the new window choose “Create Your Own Policy”
• Enter a name to your policy and paste the following

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:GetHostedZoneCount",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        }
    ]
}

• Validate the policy and click create. Apply the new policy to your new user.
• Grab the API keys, that we will use with acme.sh
• Login to OpenShift CLI with system:admin priviliges and export important variables

export AWS_ACCESS_KEY_ID=<your_access_key_id>
export AWS_SECRET_ACCESS_KEY=<your_access_key_id>
export LE_API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
export LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')

TIP: If you are using zsh shell , open a new terminal and start BASH shell, login to Openshift CLI

• From the same shell where you have exported the above variables, run the acme.sh script

{HOME}/acme.sh/acme.sh --issue -d ${LE_API} -d *.${LE_WILDCARD} --dns dns_aws

• Move the certificates from the acme.sh default path to a well-known directory.

export CERTDIR=$HOME/certificates

mkdir -p ${CERTDIR}

${HOME}/acme.sh/acme.sh --install-cert -d ${LE_API} -d *.${LE_WILDCARD} --cert-file ${CERTDIR}/cert.pem --key-file ${CERTDIR}/key.pem --fullchain-file ${CERTDIR}/fullchain.pem --ca-file ${CERTDIR}/ca.cer

Part — 2 : Installing Certificate

• OpenShift router expects the certificate in a secret, lets create a secret

oc create secret tls router-certs --cert=${CERTDIR}/fullchain.pem --key=${CERTDIR}/key.pem -n openshift-ingress

• Update OpenShift router CR

oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "router-certs" }}}'

• At this point, you have completed all the steps. The OpenShift ingress operator will notice the change in router CR and will re-deploy the router pods.

oc get po -n openshift-ingress

• To verify your freshly installed certificate, grab your OpenShift Console URL and hit that in your browser with HTTPS

oc get route -n openshift-console

OpenShift Console with Let’s Encrypt certificate

• All your application exposed routes will now be accessible on HTTPs

Bonus: Exposing Ceph S3 Route on HTTPs

oc project openshift-storage
 
oc get svc
oc create route edge --service=rook-ceph-rgw-s3a -n openshift-storage
oc get route 

OpenShift Container Storage RGW route on Let’s Encrypt HTTPs

That’s All Folks \o/