Difference between revisions of "OpenShift cert-manager"

From Dogtag
Revision as of 03:41, 14 January 2020

Authentication

To authenticate as system:admin:

$ oc login -u system:admin

To authenticate as kubeadmin:

$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443

Installing cert-manager

$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml

Creating ACME Issuer

Prepare the following file (e.g. letsencrypt-staging.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: admin@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

Then execute the following command:

$ oc create -f letsencrypt-staging.yaml

Verify with the following command:

$ oc describe clusterissuers/letsencrypt-staging

Creating ACME Certificate

Prepare a Certificate configuration (e.g. letsencrypt-cert.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager
spec:
  secretName: example-com-tls
  duration: 2160h
  renewBefore: 360h
  organization:
  - dogtagpki
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - server auth
    - client auth
  dnsNames:
  - example.com
  - www.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
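The ClusterIssuer and Certificate manifests above are accepted by the API server as long as they are well-formed, so mistakes such as a renewBefore longer than the duration, a wildcard name with only an HTTP-01 solver, or a forgotten switch from the staging endpoint only show up later in the issuer or certificate status. The following preflight check is an added example, not code from the Dogtag wiki or from cert-manager itself; it uses only the Python standard library, embeds the page's two manifests as dicts (constructed by hand from the YAML, so PyYAML is not needed), and the rules it applies (renewBefore must be shorter than duration, Let's Encrypt staging certificates are not publicly trusted, HTTP-01 cannot validate wildcard names, Let's Encrypt does not issue CA certificates) are general ACME and cert-manager behaviour rather than anything the page states. The issuance timestamp passed to renewal_time is constructed.

```python
"""Preflight checks for the ClusterIssuer and Certificate manifests above.

Added example, not code from the Dogtag wiki or from cert-manager. Standard
library only; the manifests are hand-converted from the page's YAML.
"""
import re
from datetime import datetime, timedelta

# The page's ClusterIssuer, as a dict (constructed from the YAML above).
ISSUER = {
    "apiVersion": "cert-manager.io/v1alpha2", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-staging"},
    "spec": {"acme": {
        "email": "admin@example.com",
        "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "letsencrypt-staging"},
        "solvers": [{"http01": {"ingress": {"class": "nginx"}}}],
    }},
}

# The page's Certificate, as a dict (constructed from the YAML above).
CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1alpha2", "kind": "Certificate",
    "metadata": {"name": "example-com", "namespace": "cert-manager"},
    "spec": {
        "secretName": "example-com-tls", "duration": "2160h", "renewBefore": "360h",
        "organization": ["dogtagpki"], "isCA": False,
        "keySize": 2048, "keyAlgorithm": "rsa", "keyEncoding": "pkcs1",
        "usages": ["server auth", "client auth"],
        "dnsNames": ["example.com", "www.example.com"],
        "issuerRef": {"name": "letsencrypt-staging", "kind": "ClusterIssuer"},
    },
}

_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)


def parse_duration(text):
    """Parse a cert-manager (Go-style) duration such as '2160h' or '1h30m'."""
    if not isinstance(text, str) or not re.fullmatch(r"(\d+[hms])+", text):
        raise ValueError(f"bad duration: {text!r}")
    seconds = sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_RE.findall(text))
    return timedelta(seconds=seconds)


def check_issuer(issuer):
    """Return a list of findings for an ACME issuer; an empty list means nothing to report."""
    findings = []
    acme = issuer.get("spec", {}).get("acme")
    if not acme:
        return ["spec.acme is missing"]
    if not acme.get("email"):
        findings.append("spec.acme.email is empty; the CA cannot send expiry notices")
    if "acme-staging" in acme.get("server", ""):
        findings.append("server is the Let's Encrypt staging endpoint; its certificates are not publicly trusted")
    if not acme.get("privateKeySecretRef", {}).get("name"):
        findings.append("privateKeySecretRef.name is missing; the ACME account key has no Secret to live in")
    if not acme.get("solvers"):
        findings.append("no solvers configured; challenges cannot be answered")
    return findings


def check_certificate(cert, issuer):
    """Return findings for a Certificate, cross-checked against the issuer it references."""
    findings, spec = [], cert.get("spec", {})
    if not spec.get("secretName"):
        findings.append("secretName is missing")
    try:
        if parse_duration(spec.get("renewBefore")) >= parse_duration(spec.get("duration")):
            findings.append("renewBefore must be shorter than duration, or renewal is attempted from day one")
    except ValueError as exc:
        findings.append(str(exc))
    if spec.get("isCA"):
        findings.append("isCA is true; Let's Encrypt does not issue CA certificates")
    if spec.get("keyAlgorithm", "rsa") == "rsa" and spec.get("keySize", 2048) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    names = spec.get("dnsNames") or []
    if not names:
        findings.append("dnsNames is empty")
    solvers = issuer.get("spec", {}).get("acme", {}).get("solvers", [])
    http01_only = bool(solvers) and all("http01" in s and "dns01" not in s for s in solvers)
    for name in names:
        if not _HOSTNAME_RE.match(name):
            findings.append(f"dnsNames entry {name!r} is not a hostname")
        elif name.startswith("*.") and http01_only:
            findings.append(f"wildcard {name!r} needs a dns01 solver; HTTP-01 cannot validate wildcards")
    if "server auth" not in spec.get("usages", []):
        findings.append("usages lacks 'server auth'; TLS clients will reject it as a server certificate")
    ref = spec.get("issuerRef", {})
    if ref.get("kind") not in ("Issuer", "ClusterIssuer"):
        findings.append("issuerRef.kind must be Issuer or ClusterIssuer")
    elif ref.get("kind") != issuer.get("kind") or ref.get("name") != issuer.get("metadata", {}).get("name"):
        findings.append("issuerRef does not match the issuer being checked")
    return findings


def renewal_time(issued_at_iso, spec):
    """First renewal attempt for a certificate issued at the given ISO-8601 time: notBefore + duration - renewBefore."""
    return datetime.fromisoformat(issued_at_iso) + parse_duration(spec["duration"]) - parse_duration(spec["renewBefore"])


if __name__ == "__main__":
    for finding in check_issuer(ISSUER) + check_certificate(CERTIFICATE, ISSUER):
        print("finding:", finding)
    # Constructed issuance time, matching the page's revision date.
    print("renewal attempt from:", renewal_time("2020-01-14T00:00:00+00:00", CERTIFICATE["spec"]))
```

Run as a script, it reports one finding for the page's manifests (the staging endpoint) and shows that with duration 2160h and renewBefore 360h a certificate issued on 14 January 2020 is first renewed on 29 March 2020, 15 days before it expires. The cross-check between Certificate and issuer is deliberate: the solver type lives on the issuer, so a wildcard in dnsNames can only be judged with both objects in hand.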

Then execute the following command:

$ oc create -f letsencrypt-cert.yaml

To verify the certificate:

$ oc describe cert/example-com -n cert-manager

Deleting ACME Certificate

$ oc delete cert/example-com -n cert-manager

Deleting ACME Issuer

$ oc delete clusterissuers/letsencrypt-staging

See Also