Difference between revisions of "OpenShift cert-manager"

From Dogtag
m (Deleting ACME Certificate)
m (Deleting ACME Certificate)
(3 intermediate revisions by the same user not shown)
Line 28: Line 28:
 
kind: ClusterIssuer
 
kind: ClusterIssuer
 
metadata:
 
metadata:
   name: letsencrypt-staging
+
   name: acme-responder
 
spec:
 
spec:
 
   acme:
 
   acme:
Line 34: Line 34:
 
     server: https://acme-staging-v02.api.letsencrypt.org/directory
 
     server: https://acme-staging-v02.api.letsencrypt.org/directory
 
     privateKeySecretRef:
 
     privateKeySecretRef:
       name: letsencrypt-staging
+
       name: acme-responder
 
     solvers:
 
     solvers:
 
     - http01:
 
     - http01:
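Review bot: renaming `privateKeySecretRef.name` from `letsencrypt-staging` to `acme-responder` only changes which Secret cert-manager looks in for the ACME account key; a Secret created under the old name is neither removed nor migrated by this edit, so the old account key lingers in the cluster resource namespace (`cert-manager` here) until someone runs `oc delete secret letsencrypt-staging -n cert-manager`. The deletion section should mention that, and a sentence noting that the issuer name and the account-key Secret name are simply chosen to match (one is not derived from the other) would stop readers from assuming the rename is automatic.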
Line 45: Line 45:
  
 
<pre>
 
<pre>
$ oc create -f letsencrypt-staging.yaml
+
$ oc create -f acme-responder.yaml
 
</pre>
 
</pre>
  
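Review bot: `oc create -f acme-responder.yaml` fails with AlreadyExists when the step is re-run after editing the file, which is exactly what readers following a rename like this one will do if they already have the earlier issuer applied; `oc apply -f acme-responder.yaml` makes the first creation and every later edit the same command.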
Line 51: Line 51:
  
 
<pre>
 
<pre>
$ oc describe clusterissuers/letsencrypt-staging
+
$ oc describe clusterissuers/acme-responder
 
</pre>
 
</pre>
  
Line 62: Line 62:
 
kind: Certificate
 
kind: Certificate
 
metadata:
 
metadata:
   name: example-com
+
   name: acme-cert
 
   namespace: cert-manager
 
   namespace: cert-manager
 
spec:
 
spec:
   secretName: example-com-tls
+
   secretName: acme-cert-tls
 
   duration: 2160h
 
   duration: 2160h
 
   renewBefore: 360h
 
   renewBefore: 360h
Line 81: Line 81:
 
   - www.example.com
 
   - www.example.com
 
   issuerRef:
 
   issuerRef:
     name: letsencrypt-staging
+
     name: acme-responder
 
     kind: ClusterIssuer
 
     kind: ClusterIssuer
 
</pre>
 
</pre>
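Review bot: the `issuerRef` rename leaves `dnsNames` at `example.com` and `www.example.com` (context at the top of this hunk). With the `http01` solver configured on the issuer, Let's Encrypt only issues when those names resolve to this cluster's ingress and the challenge URL is reachable from the Internet, so the page should mark them as placeholders to replace; otherwise `oc describe cert/acme-cert` shows a pending challenge rather than a certificate.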
Line 88: Line 88:
  
 
<pre>
 
<pre>
$ oc create -f letsencrypt-cert.yaml
+
$ oc create -f acme-cert.yaml
 
</pre>
 
</pre>
  
Line 94: Line 94:
  
 
<pre>
 
<pre>
$ oc describe cert/example-com -n cert-manager
+
$ oc describe cert/acme-cert -n cert-manager
 
</pre>
 
</pre>
  
Line 100: Line 100:
  
 
<pre>
 
<pre>
$ oc delete cert/example-com -n cert-manager
+
$ oc delete cert/acme-cert -n cert-manager
 
</pre>
 
</pre>
  
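Review bot: `oc delete cert/acme-cert -n cert-manager` removes the Certificate object but not the `acme-cert-tls` Secret it populated (`secretName` in the Line 62 hunk), so the issued private key stays in the `cert-manager` namespace. The deletion section should add `oc delete secret acme-cert-tls -n cert-manager`, and the same holds for the issuer's account-key Secret after the ClusterIssuer is deleted.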
Line 106: Line 106:
  
 
<pre>
 
<pre>
$ oc delete clusterissuers/letsencrypt-staging
+
$ oc delete clusterissuers/acme-responder
 
</pre>
 
</pre>
  

Revision as of 06:03, 14 January 2020

Authentication

To authenticate as system:admin:

$ oc login -u system:admin

To authenticate as kubeadmin:

$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443

Installing cert-manager

$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml

Creating ACME Issuer

Prepare the following file (e.g. acme-responder.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-responder
spec:
  acme:
    email: admin@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-responder
    solvers:
    - http01:
       ingress:
         class: nginx

Then execute the following command:

$ oc create -f acme-responder.yaml

Verify with the following command:

$ oc describe clusterissuers/acme-responder

Creating ACME Certificate

Prepare a Certificate configuration (e.g. acme-cert.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: acme-cert
  namespace: cert-manager
spec:
  secretName: acme-cert-tls
  duration: 2160h
  renewBefore: 360h
  organization:
  - dogtagpki
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - server auth
    - client auth
  dnsNames:
  - example.com
  - www.example.com
  issuerRef:
    name: acme-responder
    kind: ClusterIssuer

Then execute the following command:

$ oc create -f acme-cert.yaml

To verify the certificate:

$ oc describe cert/acme-cert -n cert-manager
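The script below is an added example, not code from the Dogtag page or from cert-manager. It re-enters the ClusterIssuer and Certificate manifests above as Python dicts (the shape `json.loads()` gives for `oc get clusterissuer/acme-responder -o json` and `oc get cert/acme-cert -n cert-manager -o json`) and runs the checks a reviewer would make before relying on the result: the issuer points at the Let's Encrypt staging CA (its certificates are not browser-trusted), `renewBefore` is shorter than `duration`, the RSA key is at least 2048 bits, `isCA` is off, `dnsNames` is non-empty, and `issuerRef` really names the issuer just created. The check names and messages are this example's own, and the `status.conditions` handling assumes the `Ready` condition shape cert-manager writes onto live objects, which the manifests on the page do not carry yet.

```python
"""Sanity checks for the ClusterIssuer and Certificate manifests above.

Added example, not from the Dogtag page or cert-manager. The manifests are
re-entered as dicts in the form `oc get ... -o json` returns after json.loads();
the checks and their messages are this example's own.
"""
import re

STAGING_SERVER = "https://acme-staging-v02.api.letsencrypt.org/directory"
_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

# Constructed copy of the ClusterIssuer manifest from this page.
ISSUER = {
    "apiVersion": "cert-manager.io/v1alpha2", "kind": "ClusterIssuer",
    "metadata": {"name": "acme-responder"},
    "spec": {"acme": {
        "email": "admin@example.com",
        "server": STAGING_SERVER,
        "privateKeySecretRef": {"name": "acme-responder"},
        "solvers": [{"http01": {"ingress": {"class": "nginx"}}}],
    }},
}

# Constructed copy of the Certificate manifest from this page.
CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1alpha2", "kind": "Certificate",
    "metadata": {"name": "acme-cert", "namespace": "cert-manager"},
    "spec": {
        "secretName": "acme-cert-tls",
        "duration": "2160h", "renewBefore": "360h",
        "organization": ["dogtagpki"], "isCA": False,
        "keySize": 2048, "keyAlgorithm": "rsa", "keyEncoding": "pkcs1",
        "usages": ["server auth", "client auth"],
        "dnsNames": ["example.com", "www.example.com"],
        "issuerRef": {"name": "acme-responder", "kind": "ClusterIssuer"},
    },
}


def parse_duration(text):
    """Parse a Go-style duration such as '2160h' or '1h30m' into seconds."""
    if not isinstance(text, str) or not re.fullmatch(r"(\d+[hms])+", text):
        raise ValueError("invalid duration: %r" % (text,))
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_RE.findall(text))


def check_issuer(issuer):
    """Return a list of findings for a ClusterIssuer with an ACME section."""
    findings = []
    acme = issuer.get("spec", {}).get("acme", {})
    if not acme:
        return ["no spec.acme section: this is not an ACME issuer"]
    if acme.get("server") == STAGING_SERVER:
        findings.append("staging CA: certificates are not trusted by browsers")
    if not acme.get("privateKeySecretRef", {}).get("name"):
        findings.append("privateKeySecretRef.name missing: no Secret for the ACME account key")
    if not acme.get("solvers"):
        findings.append("no solvers: ACME challenges cannot be answered")
    return findings


def check_certificate(cert, issuer):
    """Return a list of findings for a Certificate meant to be issued by `issuer`."""
    findings = []
    spec = cert.get("spec", {})
    if not spec.get("secretName"):
        findings.append("secretName missing: nowhere to store the key and chain")
    if not spec.get("dnsNames"):
        findings.append("dnsNames empty: ACME has nothing to validate")
    if spec.get("isCA"):
        findings.append("isCA is true: a public ACME CA will not issue a CA certificate")
    # cert-manager defaults to a 2048-bit RSA key when keySize is omitted.
    if spec.get("keyAlgorithm", "rsa") == "rsa" and spec.get("keySize", 2048) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    if "duration" in spec and "renewBefore" in spec:
        if parse_duration(spec["renewBefore"]) >= parse_duration(spec["duration"]):
            findings.append("renewBefore is not shorter than duration: renewal never settles")
    ref = spec.get("issuerRef", {})
    if ref.get("name") != issuer["metadata"]["name"] or ref.get("kind") != issuer["kind"]:
        findings.append("issuerRef does not point at %s/%s"
                        % (issuer["kind"], issuer["metadata"]["name"]))
    # Live objects carry status.conditions; assumed shape: {type: Ready, status: "True"/"False"}.
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready" and cond.get("status") != "True":
            findings.append("not Ready: %s" % cond.get("message", cond.get("reason", "unknown")))
    return findings


if __name__ == "__main__":
    for label, findings in (("issuer", check_issuer(ISSUER)),
                            ("certificate", check_certificate(CERTIFICATE, ISSUER))):
        print(label, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

Run as-is it reports only the staging-CA finding for the issuer and a clean certificate; swapping the staging `server` for the production directory URL silences the first, and feeding it the JSON of a live Certificate whose `Ready` condition is `False` surfaces cert-manager's own message for the stuck challenge.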

Deleting ACME Certificate

$ oc delete cert/acme-cert -n cert-manager

Deleting ACME Issuer

$ oc delete clusterissuers/acme-responder

See Also