Difference between revisions of "OpenShift cert-manager"
From Dogtag
m (→Deleting ACME Certificate) |
m (→Deleting ACME Certificate) |
(3 intermediate revisions by the same user not shown) | |||
Line 28: | Line 28: | ||
kind: ClusterIssuer | kind: ClusterIssuer | ||
metadata: | metadata: | ||
− | name: | + | name: acme-responder |
spec: | spec: | ||
acme: | acme: | ||
Line 34: | Line 34: | ||
server: https://acme-staging-v02.api.letsencrypt.org/directory | server: https://acme-staging-v02.api.letsencrypt.org/directory | ||
privateKeySecretRef: | privateKeySecretRef: | ||
− | name: | + | name: acme-responder |
solvers: | solvers: | ||
- http01: | - http01: | ||
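Review bot: privateKeySecretRef.name is now acme-responder, the same string as the ClusterIssuer's own name, and the unchanged server line in this hunk still points at the Let's Encrypt staging directory. The Secret referenced here holds the ACME account private key, so a distinct name (for example acme-responder-account-key, a suggested name) would make it easier to tell apart from the issuer in RBAC rules and audit logs. If acme-responder is meant to refer to a different ACME server than Let's Encrypt staging, the server URL should change in the same edit.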
Line 45: | Line 45: | ||
<pre> | <pre> | ||
− | $ oc create -f | + | $ oc create -f acme-responder.yaml |
</pre> | </pre> | ||
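Review bot: the command now reads acme-responder.yaml, but the sentence that introduces the manifest still suggests the file name letsencrypt-staging.yaml, and the Certificate section likewise suggests letsencrypt-cert.yaml while its command uses acme-cert.yaml. Update the two "e.g." file names so the steps can be followed verbatim.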
Line 51: | Line 51: | ||
<pre> | <pre> | ||
− | $ oc describe clusterissuers/ | + | $ oc describe clusterissuers/acme-responder |
</pre> | </pre> | ||
Line 62: | Line 62: | ||
kind: Certificate | kind: Certificate | ||
metadata: | metadata: | ||
− | name: | + | name: acme-cert |
namespace: cert-manager | namespace: cert-manager | ||
spec: | spec: | ||
− | secretName: | + | secretName: acme-cert-tls |
duration: 2160h | duration: 2160h | ||
renewBefore: 360h | renewBefore: 360h | ||
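Review bot: with namespace: cert-manager kept in metadata, secretName: acme-cert-tls puts the issued private key in cert-manager's own namespace. A pod can only mount Secrets from its own namespace, so either create the Certificate in the namespace of the workload that will serve example.com, or say explicitly that this layout is for testing. That also avoids granting application accounts read access to Secrets in the cert-manager namespace.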
Line 81: | Line 81: | ||
- www.example.com | - www.example.com | ||
issuerRef: | issuerRef: | ||
− | name: | + | name: acme-responder |
kind: ClusterIssuer | kind: ClusterIssuer | ||
</pre> | </pre> | ||
Line 88: | Line 88: | ||
<pre> | <pre> | ||
− | $ oc create -f | + | $ oc create -f acme-cert.yaml |
</pre> | </pre> | ||
Line 94: | Line 94: | ||
<pre> | <pre> | ||
− | $ oc describe cert/ | + | $ oc describe cert/acme-cert -n cert-manager |
</pre> | </pre> | ||
Line 100: | Line 100: | ||
<pre> | <pre> | ||
− | $ oc delete cert/ | + | $ oc delete cert/acme-cert -n cert-manager |
</pre> | </pre> | ||
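Review bot: oc delete cert/acme-cert -n cert-manager removes the Certificate resource, but by default cert-manager leaves the Secret it issued (acme-cert-tls) in place, so the private key stays in the namespace. Add a follow-up step to the section, such as oc delete secret/acme-cert-tls -n cert-manager.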
Line 106: | Line 106: | ||
<pre> | <pre> | ||
− | $ oc delete clusterissuers/ | + | $ oc delete clusterissuers/acme-responder |
</pre> | </pre> | ||
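Review bot: deleting clusterissuers/acme-responder does not remove the ACME account key Secret named by privateKeySecretRef (also acme-responder), which for a ClusterIssuer is stored in the cert-manager namespace by default. The section should mention deleting that Secret as well when the ACME account is no longer needed.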
Revision as of 06:03, 14 January 2020
Authentication
To authenticate as system:admin:
$ oc login -u system:admin
To authenticate as kubeadmin:
$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443
Installing cert-manager
<pre>
$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml
</pre>
Creating ACME Issuer
Prepare the following file (e.g. letsencrypt-staging.yaml):
<pre>
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-responder
spec:
  acme:
    email: admin@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-responder
    solvers:
    - http01:
        ingress:
          class: nginx
</pre>
Then execute the following command:
$ oc create -f acme-responder.yaml
Verify with the following command:
$ oc describe clusterissuers/acme-responder
Creating ACME Certificate
Prepare a Certificate configuration (e.g. letsencrypt-cert.yaml):
<pre>
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: acme-cert
  namespace: cert-manager
spec:
  secretName: acme-cert-tls
  duration: 2160h
  renewBefore: 360h
  organization:
  - dogtagpki
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
  - server auth
  - client auth
  dnsNames:
  - example.com
  - www.example.com
  issuerRef:
    name: acme-responder
    kind: ClusterIssuer
</pre>
Then execute the following command:
$ oc create -f acme-cert.yaml
To verify the certificate:
$ oc describe cert/acme-cert -n cert-manager
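oc describe shows the Certificate resource's status, not the certificate that was actually written to the secret. The script below is an added example, not part of the original page: it inspects the issued certificate itself, checking that every requested DNS name is present and that it has not slipped inside the renewBefore window without being renewed. The function names are hypothetical, and it assumes oc, base64 and openssl are on the PATH.

```shell
#!/bin/sh
# Added example: verify the certificate cert-manager stored in a TLS secret.
# Assumes the names used on this page (secret acme-cert-tls in namespace
# cert-manager); fetch_cert, cert_sans and check_cert are hypothetical helpers.

# fetch_cert SECRET NAMESPACE -> PEM certificate on stdout
fetch_cert() {
    oc get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# cert_sans PEMFILE -> one "DNS:name" entry per line
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# check_cert PEMFILE MIN_SECONDS NAME...
# Succeeds only if the certificate is still valid MIN_SECONDS from now and
# every NAME appears as an exact dNSName entry (no substring matches).
check_cert() {
    pem=$1; min=$2; shift 2
    if ! openssl x509 -in "$pem" -noout -checkend "$min" >/dev/null; then
        echo "FAIL: certificate expires within ${min}s" >&2
        return 1
    fi
    sans=$(cert_sans "$pem")
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -Fxq "DNS:$name"; then
            echo "FAIL: $name missing from subjectAltName" >&2
            return 1
        fi
    done
    echo "OK: $(openssl x509 -in "$pem" -noout -issuer -enddate | tr '\n' ' ')"
}

# Usage against the cluster (renewBefore on this page is 360h = 1296000s):
#   fetch_cert acme-cert-tls cert-manager > tls.crt
#   check_cert tls.crt 1296000 example.com www.example.com
```

A failure on the expiry check means the certificate is already inside the renewBefore window, which points to a stalled renewal. The issuer printed on success shows whether the certificate came from the staging directory.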
Deleting ACME Certificate
$ oc delete cert/acme-cert -n cert-manager
Deleting ACME Issuer
$ oc delete clusterissuers/acme-responder