Difference between revisions of "OpenShift cert-manager"
From Dogtag
m (→Deleting ACME Certificate) |
m (→Deleting ACME Certificate) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 28: | Line 28: | ||
kind: ClusterIssuer | kind: ClusterIssuer | ||
metadata: | metadata: | ||
| − | name: | + | name: acme-responder |
spec: | spec: | ||
acme: | acme: | ||
| Line 34: | Line 34: | ||
server: https://acme-staging-v02.api.letsencrypt.org/directory | server: https://acme-staging-v02.api.letsencrypt.org/directory | ||
privateKeySecretRef: | privateKeySecretRef: | ||
| − | name: | + | name: acme-responder |
solvers: | solvers: | ||
- http01: | - http01: | ||
| Line 45: | Line 45: | ||
<pre> | <pre> | ||
| − | $ oc create -f | + | $ oc create -f acme-responder.yaml |
</pre> | </pre> | ||
| Line 51: | Line 51: | ||
<pre> | <pre> | ||
| − | $ oc describe clusterissuers/ | + | $ oc describe clusterissuers/acme-responder |
</pre> | </pre> | ||
| Line 62: | Line 62: | ||
kind: Certificate | kind: Certificate | ||
metadata: | metadata: | ||
| − | name: | + | name: acme-cert |
namespace: cert-manager | namespace: cert-manager | ||
spec: | spec: | ||
| − | secretName: | + | secretName: acme-cert-tls |
duration: 2160h | duration: 2160h | ||
renewBefore: 360h | renewBefore: 360h | ||
| Line 81: | Line 81: | ||
- www.example.com | - www.example.com | ||
issuerRef: | issuerRef: | ||
| − | name: | + | name: acme-responder |
kind: ClusterIssuer | kind: ClusterIssuer | ||
</pre> | </pre> | ||
| Line 88: | Line 88: | ||
<pre> | <pre> | ||
| − | $ oc create -f | + | $ oc create -f acme-cert.yaml |
</pre> | </pre> | ||
| Line 94: | Line 94: | ||
<pre> | <pre> | ||
| − | $ oc describe cert/ | + | $ oc describe cert/acme-cert -n cert-manager |
</pre> | </pre> | ||
| Line 100: | Line 100: | ||
<pre> | <pre> | ||
| − | $ oc delete cert/ | + | $ oc delete cert/acme-cert -n cert-manager |
</pre> | </pre> | ||
| Line 106: | Line 106: | ||
<pre> | <pre> | ||
| − | $ oc delete clusterissuers/ | + | $ oc delete clusterissuers/acme-responder |
</pre> | </pre> | ||
Revision as of 06:03, 14 January 2020
Contents
Authentication
To authenticate as system:admin:
$ oc login -u system:admin
To authenticate as kubeadmin:
$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443
Installing cert-manager
$ oc create namespace cert-manager $ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml
Creating ACME Issuer
Prepare the following file (e.g. letsencrypt-staging.yaml):
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: acme-responder
spec:
acme:
email: admin@example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: acme-responder
solvers:
- http01:
ingress:
class: nginx
Then execute the following command:
$ oc create -f acme-responder.yaml
Verify with the following command:
$ oc describe clusterissuers/acme-responder
Creating ACME Certificate
Prepare a Certificate configuration (e.g. letsencrypt-cert.yaml):
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: acme-cert
namespace: cert-manager
spec:
secretName: acme-cert-tls
duration: 2160h
renewBefore: 360h
organization:
- dogtagpki
isCA: false
keySize: 2048
keyAlgorithm: rsa
keyEncoding: pkcs1
usages:
- server auth
- client auth
dnsNames:
- example.com
- www.example.com
issuerRef:
name: acme-responder
kind: ClusterIssuer
Then execute the following command:
$ oc create -f acme-cert.yaml
To verify the certificate:
$ oc describe cert/acme-cert -n cert-manager
Deleting ACME Certificate
$ oc delete cert/acme-cert -n cert-manager
Deleting ACME Issuer
$ oc delete clusterissuers/acme-responder
