Difference between revisions of "OpenShift ACME"

Revision diff: minor (m) edits to the See Also section, line 136 in both revisions. The newer revision adds one item, [https://github.com/tnozicka/openshift-acme/issues/104 ACME v1 has yesterday been turned off], after [https://jira.coreos.com/browse/WRKLDS-86 Migrate openshift-acme to v2]; the remaining items, [https://github.com/tnozicka/openshift-acme openshift-acme] and [[Minishift]], are unchanged.
Latest revision as of 19:04, 24 March 2020

Getting the Source Code

$ git clone https://github.com/tnozicka/openshift-acme.git

Installing OpenShift ACME

To configure the policy for a single namespace, execute the following commands as the namespace owner:

$ cd openshift-acme
$ oc create -fdeploy/letsencrypt-staging/single-namespace/{role,serviceaccount,imagestream,deployment}.yaml
$ oc policy add-role-to-user openshift-acme --role-namespace="$(oc project --short)" -z openshift-acme

To configure the policy for all namespaces, execute the following commands as the system administrator:

$ cd openshift-acme
$ oc create -fdeploy/letsencrypt-staging/cluster-wide/{clusterrole,serviceaccount,imagestream,deployment}.yaml
$ oc adm policy add-cluster-role-to-user openshift-acme -z openshift-acme

Configuring OpenShift ACME

To configure OpenShift ACME before deployment, edit the deployment.yaml:

spec:
  template:
    spec:
      serviceAccountName: openshift-acme
      containers:
      - name: openshift-acme
        env:
        - name: OPENSHIFT_ACME_ACMEURL
          value: "https://acme.demo.dogtagpki.org/acme/directory"
        - name: OPENSHIFT_ACME_LOGLEVEL
          value: "4"

To configure OpenShift ACME after deployment, edit the environment variables on the deployment, then delete the acme-account secret and restart the application. The secret holds the ACME account that was registered with the previous server (see "Saved new ACME account pki-demo/acme-account" in the log below), so it must be removed for a new account to be registered against the new ACME URL.

Deploying a Sample Application

$ oc create -fhttps://raw.githubusercontent.com/tnozicka/gohellouniverse/master/deploy/{deployment,service}.yaml
$ oc create route edge gohellouniverse --service=gohellouniverse

Generating ACME Certificate

Edit the route of the application:

metadata:
  annotations:
    kubernetes.io/tls-acme: 'true'

or use the following command:

$ oc patch route <route> -p '{"metadata":{"annotations":{"kubernetes.io/tls-acme":"true"}}}'

OpenShift ACME will create a validation route for the HTTP-01 challenge at https://<app>-<project>.<IP address>.nip.io/.well-known/acme-challenge/<challenge> (the hostname depends on the cluster's router; in the log below it is an openshiftapps.com hostname). Once the challenge is validated, the validation route is removed and the original route is changed into a secure route.
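What the validation route has to serve, as an added example that is not part of this page or of the openshift-acme project: the key authorization of RFC 8555 section 8.1 is the challenge token joined with the RFC 7638 thumbprint of the ACME account key, and that string is what the CA expects to read at /.well-known/acme-challenge/<token>. The code computes it, rejects tokens that are not padding-free base64url before they become a path component, and checks a fetched body the way the CA does. The token is the one that appears in the log below; the account JWK is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Required members per key type for the RFC 7638 thumbprint, in lexicographic
# order; every other member (kid, alg, use, ...) is ignored by design.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (sorted keys, no whitespace)
    of the required members, base64url-encoded."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}") from exc
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


# RFC 8555 section 8.3: the token is base64url without padding. Checking this
# before the token is used in a URL path keeps a malformed token from ever
# becoming a path component on the exposing route.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def is_valid_token(token: str) -> bool:
    return bool(_TOKEN_RE.fullmatch(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    if not is_valid_token(token):
        raise ValueError("token is not a padding-free base64url string")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Path the CA fetches on the validation route created by the controller."""
    if not is_valid_token(token):
        raise ValueError("token is not a padding-free base64url string")
    return f"/.well-known/acme-challenge/{token}"


def validate_served_body(body: bytes, token: str, account_jwk: dict) -> bool:
    """The CA-side check after the GET: the body must equal the key
    authorization; RFC 8555 lets the server ignore trailing whitespace."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return body.rstrip(b" \t\r\n") == expected


# Token copied from the openshift-acme log on this page. The account key is a
# constructed EC JWK with placeholder coordinates (not a real key); the kid is
# the account URL from the same log and plays no part in the thumbprint.
TOKEN = "YZC94EfMZtAkvK1Ab5DWyxCIyu9YANd6zDe7aaLddgU"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "kid": "https://acme-staging.api.letsencrypt.org/acme/reg/11123620",
}

if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("GET", challenge_path(TOKEN))
    print("expected body:", ka)
    print("served body accepted:",
          validate_served_body((ka + "\n").encode("ascii"), TOKEN, ACCOUNT_JWK))
```

Because the thumbprint covers only the required JWK members, two JWKs that differ in kid, alg or use produce the same key authorization; that is what lets the CA compare against the account key it registered without the client having to send the key again.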

Monitoring OpenShift ACME Logs

To monitor OpenShift ACME logs:

$ oc logs -f deploy/openshift-acme
...
I0923 22:03:22.701028       1 route.go:189] Updating Route from pki-demo/gohellouniverse UID=b68a9db7-de4d-11e9-b99a-02747f6a71ea RV=334426946 to pki-demo/gohellouniverse UID=b68a9db7-de4d-11e9-b99a-02747f6a71ea,RV=334427593
I0923 22:03:22.701092       1 route.go:385] Started syncing Route "pki-demo/gohellouniverse" (2019-09-23 22:03:22.701090181 +0000 UTC m=+346.469811154)
I0923 22:03:23.600964       1 client.go:22] By continuing running this program you agree to the CA's Terms of Service (https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). If you do not agree exit the program immediately!
I0923 22:03:23.677103       1 builder.go:136] Registered new ACME account "https://acme-staging.api.letsencrypt.org/acme/reg/11123620"
I0923 22:03:23.691002       1 builder.go:162] Saved new ACME account pki-demo/acme-account
I0923 22:03:23.772027       1 route.go:440] Created authorization "https://acme-staging.api.letsencrypt.org/acme/authz-v3/9979510" for Route pki-demo/gohellouniverse
I0923 22:03:23.779186       1 route.go:387] Finished syncing Route "pki-demo/gohellouniverse" (1.078089575s)
I0923 22:03:23.779316       1 route.go:189] Updating Route from pki-demo/gohellouniverse UID=b68a9db7-de4d-11e9-b99a-02747f6a71ea RV=334427593 to pki-demo/gohellouniverse UID=b68a9db7-de4d-11e9-b99a-02747f6a71ea,RV=334427599
I0923 22:03:23.779354       1 route.go:385] Started syncing Route "pki-demo/gohellouniverse" (2019-09-23 22:03:23.779351727 +0000 UTC m=+347.548072719)
I0923 22:03:23.836336       1 route.go:483] Route "pki-demo/gohellouniverse": authorization state is "pending"
I0923 22:03:23.836362       1 client.go:83] Found 3 possible combinations for authorization
I0923 22:03:23.836370       1 client.go:90] Found 1 valid combinations for authorization
I0923 22:03:23.845388       1 exposer.go:252] Using unprivileged traffic redirection for exposing Service pki-demo/gohellouniverse-acme-p5qt7
I0923 22:03:23.851470       1 exposer.go:296] Waiting for exposing route pki-demo/gohellouniverse-acme-p5qt7 to be admitted.
I0923 22:03:23.937506       1 exposer.go:325] Exposing route pki-demo/gohellouniverse-acme-p5qt7 has been admitted. Ingresses: []v1.RouteIngress(nil)
I0923 22:03:23.937550       1 exposer.go:333] Waiting for route pki-demo/gohellouniverse-acme-p5qt7 to be exposed on the router.
I0923 22:03:23.971181       1 exposer.go:379] Key for route pki-demo/gohellouniverse-acme-p5qt7 is not yet exposed.
I0923 22:03:25.106470       1 exposer.go:379] Key for route pki-demo/gohellouniverse-acme-p5qt7 is not yet exposed.
I0923 22:03:26.621238       1 exposer.go:379] Key for route pki-demo/gohellouniverse-acme-p5qt7 is not yet exposed.
I0923 22:03:28.372258       1 exposer.go:379] Key for route pki-demo/gohellouniverse-acme-p5qt7 is not yet exposed.
I0923 22:03:30.607365       1 http.go:78] url = 'gohellouniverse-pki-demo.6923.rh-us-east-1.openshiftapps.com/.well-known/acme-challenge/YZC94EfMZtAkvK1Ab5DWyxCIyu9YANd6zDe7aaLddgU'; found = 'true'
I0923 22:03:30.608020       1 exposer.go:389] Exposing Route pki-demo/gohellouniverse-acme-p5qt7 is accessible and contains correct response.
I0923 22:03:30.795097       1 route.go:495] Re-queuing Route "pki-demo/gohellouniverse" due to pending authorization
I0923 22:03:30.795129       1 route.go:387] Finished syncing Route "pki-demo/gohellouniverse" (7.015774208s)
I0923 22:03:30.986591       1 http.go:78] url = 'gohellouniverse-pki-demo.6923.rh-us-east-1.openshiftapps.com/.well-known/acme-challenge/YZC94EfMZtAkvK1Ab5DWyxCIyu9YANd6zDe7aaLddgU'; found = 'true'
I0923 22:03:31.080429       1 http.go:78] url = 'gohellouniverse-pki-demo.6923.rh-us-east-1.openshiftapps.com/.well-known/acme-challenge/YZC94EfMZtAkvK1Ab5DWyxCIyu9YANd6zDe7aaLddgU'; found = 'true'
I0923 22:03:31.096577       1 http.go:78] url = 'gohellouniverse-pki-demo.6923.rh-us-east-1.openshiftapps.com/.well-known/acme-challenge/YZC94EfMZtAkvK1Ab5DWyxCIyu9YANd6zDe7aaLddgU'; found = 'true'
I0923 22:03:31.367623       1 http.go:78] url = 'gohellouniverse-pki-demo.6923.rh-us-east-1.openshiftapps.com/.well-known/acme-challenge/YZC94EfMZtAkvK1Ab5DWyxCIyu9YANd6zDe7aaLddgU'; found = 'true'
I0923 22:03:35.795266       1 route.go:385] Started syncing Route "pki-demo/gohellouniverse" (2019-09-23 22:03:35.795259533 +0000 UTC m=+359.563980599)
I0923 22:03:35.852061       1 route.go:483] Route "pki-demo/gohellouniverse": authorization state is "valid"
I0923 22:03:35.852085       1 route.go:515] Authorization "https://acme-staging.api.letsencrypt.org/acme/authz-v3/9979510" for Route pki-demo/gohellouniverse successfully validated
I0923 22:03:35.852096       1 route.go:523] template: x509.CertificateRequest{Raw:[]uint8(nil), RawTBSCertificateRequest:[]uint8(nil), RawSubjectPublicKeyInfo:[]uint8(nil), RawSubject:[]uint8(nil), Version:0, Signature:[]uint8(nil), SignatureAlgorithm:0, PublicKeyAlgorithm:0, PublicKey:interface {}(nil), Subject:pkix.Name{Country:[]string(nil), Organization:[]string(nil), OrganizationalUnit:[]string(nil), Locality:[]string(nil), Province:[]string(nil), StreetAddress:[]string(nil), PostalCode:[]string(nil), SerialNumber:"", CommonName:"gohellouniverse-pki-demo.6923.rh-us-east-1.openshiftapps.com", Names:[]pkix.AttributeTypeAndValue(nil), ExtraNames:[]pkix.AttributeTypeAndValue(nil)}, Attributes:[]pkix.AttributeTypeAndValueSET(nil), Extensions:[]pkix.Extension(nil), ExtraExtensions:[]pkix.Extension(nil), DNSNames:[]string{"gohellouniverse-pki-demo.6923.rh-us-east-1.openshiftapps.com"}, EmailAddresses:[]string(nil), IPAddresses:[]net.IP(nil), URIs:[]*url.URL(nil)}
I0923 22:03:36.988981       1 route.go:533] csr: "..."
I0923 22:03:37.894272       1 route.go:541] Route "pki-demo/gohellouniverse" - created certificate available at https://acme-staging.api.letsencrypt.org/acme/cert/fabb0f55bd786955acac27cc50f0c5a22ba7
I0923 22:03:37.910364       1 event.go:221] Event(v1.ObjectReference{Kind:"Route", Namespace:"pki-demo", Name:"gohellouniverse", UID:"b68a9db7-de4d-11e9-b99a-02747f6a71ea", APIVersion:"route.openshift.io/v1", ResourceVersion:"334427684", FieldPath:""}): type: 'Normal' reason: 'AcmeCertificateProvisioned' Successfully provided new certificate
I0923 22:03:37.910886       1 route.go:189] Updating Route from pki-demo/gohellouniverse UID=b68a9db7-de4d-11e9-b99a-02747f6a71ea RV=334427599 to pki-demo/gohellouniverse UID=b68a9db7-de4d-11e9-b99a-02747f6a71ea,RV=334427684
E0923 22:03:37.911531       1 event.go:203] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"gohellouniverse.15c73067e30221bc", GenerateName:"", Namespace:"pki-demo", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:""}, InvolvedObject:v1.ObjectReference{Kind:"Route", Namespace:"pki-demo", Name:"gohellouniverse", UID:"b68a9db7-de4d-11e9-b99a-02747f6a71ea", APIVersion:"route.openshift.io/v1", ResourceVersion:"334427684", FieldPath:""}, Reason:"AcmeCertificateProvisioned", Message:"Successfully provided new certificate", Source:v1.EventSource{Component:"openshift-acme-controller", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbf5a6e2e764127bc, ext:361678960637, loc:(*time.Location)(0x1a5efa0)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbf5a6e2e764127bc, ext:361678960637, loc:(*time.Location)(0x1a5efa0)}}, Count:1, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:pki-demo:openshift-acme" cannot create events in the namespace "pki-demo": no RBAC policy matched' (will not retry!)
I0923 22:03:37.920614       1 route.go:387] Finished syncing Route "pki-demo/gohellouniverse" (2.125349403s)
I0923 22:03:37.920644       1 route.go:385] Started syncing Route "pki-demo/gohellouniverse" (2019-09-23 22:03:37.920641789 +0000 UTC m=+361.689362811)
I0923 22:03:37.926681       1 route.go:387] Finished syncing Route "pki-demo/gohellouniverse" (6.036164ms)
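As an added example, not part of this page or of the openshift-acme project, the following Python parses klog-format lines like those above, counts entries by severity and pulls the RBAC denial out of the single E-level line: the openshift-acme service account was not allowed to create events in pki-demo, so the AcmeCertificateProvisioned event was dropped even though the certificate itself was issued. The sample lines are copied from the log above, with the long event line abridged; the suggested Role rule assumes the core API group for events.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# klog line layout: L mmdd hh:mm:ss.uuuuuu threadid file:line] message
KLOG_RE = re.compile(
    r"^(?P<level>[IWEF])(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?P<thread>\d+) (?P<file>[\w.]+):(?P<line>\d+)\] (?P<msg>.*)$"
)

# The API server's RBAC denial text as it appears inside the event error.
RBAC_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w./]+) '
    r'in the namespace "(?P<ns>[^"]+)"'
)


@dataclass
class KlogEntry:
    level: str
    mmdd: str
    time: str
    file: str
    line: int
    msg: str


def parse_klog_line(line: str) -> Optional[KlogEntry]:
    m = KLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return KlogEntry(m["level"], m["mmdd"], m["time"], m["file"], int(m["line"]), m["msg"])


@dataclass
class RbacDenial:
    user: str
    verb: str
    resource: str
    namespace: str

    def suggested_rule(self) -> Dict[str, List[str]]:
        """Role rule that would have allowed the denied request (assumes the
        core API group, which is where 'events' lives)."""
        return {"apiGroups": [""], "resources": [self.resource], "verbs": [self.verb]}


def find_rbac_denials(lines: Iterable[str]) -> List[RbacDenial]:
    """Return one RbacDenial per log line that carries an RBAC 'forbidden' message."""
    denials = []
    for entry in map(parse_klog_line, lines):
        if entry is None:
            continue
        m = RBAC_RE.search(entry.msg)
        if m:
            denials.append(RbacDenial(m["user"], m["verb"], m["resource"], m["ns"]))
    return denials


def summarize(lines: Iterable[str]) -> dict:
    """Severity counts, RBAC denials and whether a certificate was provisioned."""
    entries = [e for e in map(parse_klog_line, lines) if e is not None]
    return {
        "levels": dict(Counter(e.level for e in entries)),
        "rbac_denials": find_rbac_denials(lines),
        "certificate_provisioned": any(
            "reason: 'AcmeCertificateProvisioned'" in e.msg for e in entries
        ),
    }


# Constructed sample: lines copied from the log above; the event line is
# abridged to the part that matters here.
SAMPLE_LOG = [
    'I0923 22:03:23.677103       1 builder.go:136] Registered new ACME account '
    '"https://acme-staging.api.letsencrypt.org/acme/reg/11123620"',
    'I0923 22:03:23.836336       1 route.go:483] Route "pki-demo/gohellouniverse": '
    'authorization state is "pending"',
    'I0923 22:03:35.852061       1 route.go:483] Route "pki-demo/gohellouniverse": '
    'authorization state is "valid"',
    "I0923 22:03:37.910364       1 event.go:221] Event(v1.ObjectReference{Kind:\"Route\", "
    "Namespace:\"pki-demo\", Name:\"gohellouniverse\"}): type: 'Normal' "
    "reason: 'AcmeCertificateProvisioned' Successfully provided new certificate",
    "E0923 22:03:37.911531       1 event.go:203] Server rejected event '...': "
    "'events is forbidden: User \"system:serviceaccount:pki-demo:openshift-acme\" "
    "cannot create events in the namespace \"pki-demo\": no RBAC policy matched' (will not retry!)",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("levels:", report["levels"])
    print("certificate provisioned:", report["certificate_provisioned"])
    for d in report["rbac_denials"]:
        print(f"{d.user} denied {d.verb} on {d.resource} in {d.namespace}; "
              f"missing rule: {d.suggested_rule()}")
```

In practice the same parser is fed by `oc logs -f deploy/openshift-acme`; an E-level line with a matching RBAC denial is worth alerting on even when provisioning succeeds, because the missing permission silently removes the audit trail (the Kubernetes event) for every certificate the controller issues.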

Removing OpenShift ACME

$ oc delete deployment/openshift-acme
$ oc delete is/openshift-acme
$ oc delete roles/openshift-acme
$ oc delete sa/openshift-acme

See Also

* openshift-acme: https://github.com/tnozicka/openshift-acme
* Migrate openshift-acme to v2: https://jira.coreos.com/browse/WRKLDS-86
* ACME v1 has yesterday been turned off: https://github.com/tnozicka/openshift-acme/issues/104
* Minishift