Difference between revisions of "OpenShift cert-manager"
From Dogtag
m (→Deleting ACME Certificate) |
m (→Creating ACME Certificate) |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 22: | Line 22: | ||
= Creating ACME Issuer = | = Creating ACME Issuer = | ||
| − | Prepare the following file (e.g. | + | Prepare the following file (e.g. acme-responder.yaml): |
<pre> | <pre> | ||
| Line 39: | Line 39: | ||
ingress: | ingress: | ||
class: nginx | class: nginx | ||
| − | |||
</pre> | </pre> | ||
| Line 91: | Line 90: | ||
</pre> | </pre> | ||
| − | To | + | To check the certificate status: |
<pre> | <pre> | ||
| − | $ oc describe cert/acme-cert -n cert-manager | + | $ oc describe -n cert-manager cert/acme-cert |
| + | </pre> | ||
| + | |||
| + | To check the order status: | ||
| + | |||
| + | <pre> | ||
| + | $ oc describe order -n cert-manager acme-cert-<order> | ||
</pre> | </pre> | ||
| Line 100: | Line 105: | ||
<pre> | <pre> | ||
| − | $ oc delete cert/acme-cert | + | $ oc delete -n cert-manager cert/acme-cert |
</pre> | </pre> | ||
| Line 107: | Line 112: | ||
<pre> | <pre> | ||
$ oc delete clusterissuers/acme-responder | $ oc delete clusterissuers/acme-responder | ||
| + | </pre> | ||
| + | |||
| + | = Troubleshooting = | ||
| + | |||
| + | <pre> | ||
| + | $ oc logs -n cert-manager deploy/cert-manager -f | ||
</pre> | </pre> | ||
Revision as of 19:41, 14 January 2020
Contents
Authentication
To authenticate as system:admin:
$ oc login -u system:admin
To authenticate as kubeadmin:
$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443
Installing cert-manager
$ oc create namespace cert-manager $ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml
Creating ACME Issuer
Prepare the following file (e.g. acme-responder.yaml):
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: acme-responder
spec:
acme:
email: admin@example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: acme-responder
solvers:
- http01:
ingress:
class: nginx
Then execute the following command:
$ oc create -f acme-responder.yaml
Verify with the following command:
$ oc describe clusterissuers/acme-responder
Creating ACME Certificate
Prepare a Certificate configuration (e.g. letsencrypt-cert.yaml):
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: acme-cert
namespace: cert-manager
spec:
secretName: acme-cert-tls
duration: 2160h
renewBefore: 360h
organization:
- dogtagpki
isCA: false
keySize: 2048
keyAlgorithm: rsa
keyEncoding: pkcs1
usages:
- server auth
- client auth
dnsNames:
- example.com
- www.example.com
issuerRef:
name: acme-responder
kind: ClusterIssuer
Then execute the following command:
$ oc create -f acme-cert.yaml
To check the certificate status:
$ oc describe -n cert-manager cert/acme-cert
To check the order status:
$ oc describe order -n cert-manager acme-cert-<order>
Deleting ACME Certificate
$ oc delete -n cert-manager cert/acme-cert
Deleting ACME Issuer
$ oc delete clusterissuers/acme-responder
Troubleshooting
$ oc logs -n cert-manager deploy/cert-manager -f
