Difference between revisions of "OpenShift cert-manager"

From Dogtag
Edit summaries: m (Creating ACME Certificate); m (See Also)

Diff at line 125 (See Also): two links added to the list:

* [https://github.com/jetstack/cert-manager/pull/1648 Add support for ACMEv2 POST-as-GET]
* [https://cert-manager.io/docs/tutorials/acme/ingress/ Securing NGINX-ingress]

Revision as of 01:28, 15 January 2020

Authentication

To authenticate as system:admin:

$ oc login -u system:admin

To authenticate as kubeadmin:

$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443

Installing cert-manager

$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml

Creating ACME Issuer

Prepare the following file (e.g. acme-responder.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-responder
spec:
  acme:
    email: admin@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-responder
    solvers:
    - http01:
        ingress:
          class: nginx

Then execute the following command:

$ oc create -f acme-responder.yaml

Verify with the following command:

$ oc describe clusterissuers/acme-responder

Creating ACME Certificate

Prepare a Certificate configuration (e.g. acme-cert.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: acme-cert
  namespace: cert-manager
spec:
  secretName: acme-cert-tls
  duration: 2160h
  renewBefore: 360h
  organization:
  - dogtagpki
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
  - server auth
  - client auth
  dnsNames:
  - example.com
  - www.example.com
  issuerRef:
    name: acme-responder
    kind: ClusterIssuer

Then execute the following command:

$ oc create -f acme-cert.yaml

To check the certificate status:

$ oc describe -n cert-manager cert/acme-cert

To check the order status:

$ oc describe order -n cert-manager acme-cert-<order>
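The issuer and certificate checks above (oc describe clusterissuers/acme-responder, oc describe -n cert-manager cert/acme-cert) print a status block whose Ready condition and timestamps are what actually tell you whether the ACME account registration and the issuance succeeded. The following script is an added example, not part of this wiki page or of cert-manager: it reads the JSON that oc get ... -o json prints for both objects and reports the Ready condition, the registered ACME account URL, and the renewal window that spec.duration / spec.renewBefore imply. The field names it reads (status.conditions, status.acme.uri, status.notAfter) are those of cert-manager's v1alpha2 API; the two sample objects, the account URL and the condition messages are constructed for the demonstration, not captured from a cluster.

```python
"""Check the ClusterIssuer and Certificate created above from `oc get ... -o json` output."""
import json
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of:  oc get clusterissuer acme-responder -o json
# (trimmed to the fields read below; not captured from a real cluster).
SAMPLE_ISSUER = {
    "kind": "ClusterIssuer",
    "metadata": {"name": "acme-responder"},
    "status": {
        "acme": {"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/00000000"},
        "conditions": [{"type": "Ready", "status": "True",
                        "reason": "ACMEAccountRegistered",
                        "message": "The ACME account was registered with the ACME server"}],
    },
}

# Constructed sample in the shape of:  oc get -n cert-manager certificate acme-cert -o json
SAMPLE_CERTIFICATE = {
    "kind": "Certificate",
    "metadata": {"name": "acme-cert", "namespace": "cert-manager"},
    "spec": {"secretName": "acme-cert-tls", "duration": "2160h", "renewBefore": "360h",
             "dnsNames": ["example.com", "www.example.com"],
             "issuerRef": {"name": "acme-responder", "kind": "ClusterIssuer"}},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                        "message": "Certificate is up to date and has not expired"}],
        "notAfter": "2020-04-14T01:28:00Z",
    },
}

# Go-style duration components (hours, minutes, seconds), e.g. "2160h" or "1h30m".
_GO_DURATION = re.compile(r"(\d+(?:\.\d+)?)([hms])")


def parse_go_duration(text):
    """Parse the Go-style durations used in spec.duration / spec.renewBefore."""
    units = {"h": 3600, "m": 60, "s": 1}
    pos, seconds = 0, 0.0
    for m in _GO_DURATION.finditer(text):
        if m.start() != pos:  # reject junk between components
            raise ValueError("bad duration: %r" % text)
        seconds += float(m.group(1)) * units[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):  # reject empty strings and trailing junk
        raise ValueError("bad duration: %r" % text)
    return timedelta(seconds=seconds)


def parse_time(text):
    """Parse the RFC 3339 UTC timestamps the API server prints (e.g. status.notAfter)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ready_condition(obj):
    """Return (ready, reason, message) from status.conditions of a Certificate or (Cluster)Issuer."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("reason", ""), cond.get("message", "")
    return False, "NoReadyCondition", "controller has not reported a Ready condition yet"


def renewal_time(cert):
    """When cert-manager starts renewing: status.notAfter minus spec.renewBefore."""
    return parse_time(cert["status"]["notAfter"]) - parse_go_duration(cert["spec"]["renewBefore"])


def report(cert, issuer, now):
    """Summarise issuer and certificate state at time `now`; returns (healthy, lines)."""
    lines, healthy = [], True
    ok, reason, _ = ready_condition(issuer)
    account = issuer.get("status", {}).get("acme", {}).get("uri", "<not registered>")
    lines.append("issuer %s: %s (%s) account=%s" % (
        issuer["metadata"]["name"], "Ready" if ok else "NOT READY", reason, account))
    healthy = healthy and ok
    ok, reason, message = ready_condition(cert)
    lines.append("certificate %s: %s (%s) %s" % (
        cert["metadata"]["name"], "Ready" if ok else "NOT READY", reason, message))
    healthy = healthy and ok
    not_after = cert.get("status", {}).get("notAfter")
    if not_after:  # only present once a certificate has actually been issued
        expires, renew_at = parse_time(not_after), renewal_time(cert)
        if now >= expires:
            lines.append("EXPIRED at %s" % expires.isoformat())
            healthy = False
        elif now >= renew_at:
            lines.append("renewal window open since %s; expires %s" % (
                renew_at.isoformat(), expires.isoformat()))
        else:
            lines.append("valid until %s; renewal starts %s" % (
                expires.isoformat(), renew_at.isoformat()))
    return healthy, lines


if __name__ == "__main__":
    # Usage: python check_acme.py cert.json issuer.json   (files written by `oc get ... -o json`)
    # With no arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            cert = json.load(f)
        with open(sys.argv[2]) as f:
            issuer = json.load(f)
    else:
        cert, issuer = SAMPLE_CERTIFICATE, SAMPLE_ISSUER
    healthy, lines = report(cert, issuer, datetime.now(timezone.utc))
    print("\n".join(lines))
    sys.exit(0 if healthy else 1)
```

Run oc get clusterissuer acme-responder -o json > issuer.json and oc get -n cert-manager certificate acme-cert -o json > cert.json, then python check_acme.py cert.json issuer.json; a non-zero exit means one of the objects is not Ready or the certificate has expired, which is the point at which the order status and the cert-manager logs in the sections below are worth reading. Note that the ClusterIssuer above points at the Let's Encrypt staging directory, so a Ready certificate chains to the staging test root rather than a publicly trusted one; switch server to the production directory only once the HTTP01 flow works, because production enforces much stricter rate limits than staging.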

Deleting ACME Certificate

$ oc delete -n cert-manager cert/acme-cert

Deleting ACME Issuer

$ oc delete clusterissuers/acme-responder

Troubleshooting

$ oc logs -n cert-manager deploy/cert-manager -f

See Also

* [https://github.com/jetstack/cert-manager OpenShift cert-manager]
* [https://docs.cert-manager.io/en/latest/getting-started/install/openshift.html Installing on OpenShift]
* [https://github.com/jetstack/cert-manager/pull/1648 Add support for ACMEv2 POST-as-GET]
* [https://cert-manager.io/docs/configuration/acme/ cert-manager ACME]
* [https://cert-manager.io/docs/configuration/acme/http01/ cert-manager ACME HTTP01]
* [https://cert-manager.io/docs/tutorials/acme/ingress/ Securing NGINX-ingress]