Let’s Automate :: Let’s Encrypt TLS Certs for OpenShift 4

Red Hat OpenShift installer by default uses self-signed certificates to encrypt the communication with the web console as well as applications exposed via OpenShift Route. Self-signed certs generally suffice your dev/test environments however, for production environments, it's highly recommended to use proper certificates to secure all your OpenShift routes.

In this post, you will learn how to request TLS certificates from Let’s Encrypt and apply those to your OpenShift 4 cluster as a post-installation step.

Prerequisite

  • Up and running OpenShift4 cluster
  • Registered domain name with access to DNS management (see supported DNS providers here)

Get .. Set .. Go !!

Part — 1 : Certificate Generation

  • Clone acmesh-official repository
cd $HOME
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh

Note: In my case, I use AWS Route 53 as my DNS manager + domain registrar

  • AWS Console → IAM → Add User
  • Provide “User Name” → select “Programmatic Access”
  • Click the 3rd icon “Attach existing policies directly"
  • Click “Create Policy” and in the new window choose “Create Your Own Policy”
  • Enter a name to your policy and paste the following
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:GetHostedZoneCount",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets"
],
"Resource": "*"
}
]
}
  • Validate the policy and click create. Apply the new policy to your new user.
  • Grab the API keys, that we will use with acme.sh
  • Login to OpenShift CLI with system:admin priviliges and export important variables
export AWS_ACCESS_KEY_ID=<your_access_key_id>
export AWS_SECRET_ACCESS_KEY=<your_access_key_id>
export LE_API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')export LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')

TIP: If you are using zsh shell , open a new terminal and start BASH shell, login to Openshift CLI

  • From the same shell where you have exported the above variables, run the acme.sh script
{HOME}/acme.sh/acme.sh --issue -d ${LE_API} -d *.${LE_WILDCARD} --dns dns_aws
  • Move the certificates from the acme.sh default path to a well-known directory.
export CERTDIR=$HOME/certificates

mkdir -p ${CERTDIR}

${HOME}/acme.sh/acme.sh --install-cert -d ${LE_API} -d *.${LE_WILDCARD} --cert-file ${CERTDIR}/cert.pem --key-file ${CERTDIR}/key.pem --fullchain-file ${CERTDIR}/fullchain.pem --ca-file ${CERTDIR}/ca.cer

Part — 2 : Installing Certificate

  • OpenShift router expects the certificate in a secret, lets create a secret
oc create secret tls router-certs --cert=${CERTDIR}/fullchain.pem --key=${CERTDIR}/key.pem -n openshift-ingress
  • Update OpenShift router CR
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "router-certs" }}}'
  • At this point, you have completed all the steps. The OpenShift ingress operator will notice the change in router CR and will re-deploy the router pods.
oc get po -n openshift-ingress
  • To verify your freshly installed certificate, grab your OpenShift Console URL and hit that in your browser with HTTPS
oc get route -n openshift-console
OpenShift Console with Let’s Encrypt certificate
  • All your application exposed routes will now be accessible on HTTPs

Bonus: Exposing Ceph S3 Route on HTTPs

oc project openshift-storage

oc get svc
oc create route edge --service=rook-ceph-rgw-s3a -n openshift-storageoc get route
OpenShift Container Storage RGW route on Let’s Encrypt HTTPs

That’s All Folks \o/

--

--

--

Senior Principal Architect & Developer Evangelist @ Red Hat ♦ Loves K8s, OpenShift, Cloud-Native, Serverless, Hybrid-Multi-Cloud, Distributed Systems

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Sandboxing Applications is the Future — How to Sandbox Your Personal Data and Have It Work For You

Kubernetes Namespaces stuck in Terminating State

Overthinking, or: How I learned to stop worrying and love the bomb

Attention New Devs: Professionals Google Stuff. A Lot.

How to install modules with PIP (and fix it when it fails)

What I Learned at Work this Week: aria-label and aria-labelledby

Why don’t apps match brains?

Dynamic Programming? Huh?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Karan Singh

Karan Singh

Senior Principal Architect & Developer Evangelist @ Red Hat ♦ Loves K8s, OpenShift, Cloud-Native, Serverless, Hybrid-Multi-Cloud, Distributed Systems

More from Medium

Getting Started with Minikube Kubernetes

Build and deploy PHP Guestbook application on Local Kubernetes with Skaffold

Rancher is a platform for k8s