Difference between revisions of "OpenShift cert-manager"
From Dogtag
m (→Creating ACME Certificate) |
m (→See Also) |
||
Line 125: | Line 125: | ||
* [https://github.com/jetstack/cert-manager OpenShift cert-manager] | * [https://github.com/jetstack/cert-manager OpenShift cert-manager] | ||
* [https://docs.cert-manager.io/en/latest/getting-started/install/openshift.html Installing on OpenShift] | * [https://docs.cert-manager.io/en/latest/getting-started/install/openshift.html Installing on OpenShift] | ||
− | |||
* [https://cert-manager.io/docs/configuration/acme/ cert-manager ACME] | * [https://cert-manager.io/docs/configuration/acme/ cert-manager ACME] | ||
* [https://cert-manager.io/docs/configuration/acme/http01/ cert-manager ACME HTTP01] | * [https://cert-manager.io/docs/configuration/acme/http01/ cert-manager ACME HTTP01] | ||
+ | * [https://cert-manager.io/docs/tutorials/acme/ingress/ Securing NGINX-ingress] |
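Review bot: the label on the added entry, "Securing NGINX-ingress", drops the "cert-manager" prefix that the two ACME entries directly above it carry ("cert-manager ACME", "cert-manager ACME HTTP01"), so a reader scanning the list cannot tell that this link is also cert-manager documentation. Consider a label such as "cert-manager ACME Securing NGINX-ingress" to keep the See Also entries consistent.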
Revision as of 01:28, 15 January 2020
Authentication
To authenticate as system:admin:
$ oc login -u system:admin
To authenticate as kubeadmin:
$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443
Installing cert-manager
$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml
Creating ACME Issuer
Prepare the following file (e.g. acme-responder.yaml):
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-responder
spec:
  acme:
    email: admin@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-responder
    solvers:
    - http01:
        ingress:
          class: nginx
Then execute the following command:
$ oc create -f acme-responder.yaml
Verify with the following command:
$ oc describe clusterissuers/acme-responder
Creating ACME Certificate
Prepare a Certificate configuration (e.g. letsencrypt-cert.yaml):
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: acme-cert
  namespace: cert-manager
spec:
  secretName: acme-cert-tls
  duration: 2160h
  renewBefore: 360h
  organization:
  - dogtagpki
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
  - server auth
  - client auth
  dnsNames:
  - example.com
  - www.example.com
  issuerRef:
    name: acme-responder
    kind: ClusterIssuer
Then execute the following command:
$ oc create -f letsencrypt-cert.yaml
To check the certificate status:
$ oc describe -n cert-manager cert/acme-cert
To check the order status:
$ oc describe order -n cert-manager acme-cert-<order>
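A post-issuance check for the steps above, as an added example that is not part of the original page: it confirms that the certificate stored in acme-cert-tls covers the requested dnsNames and is not already inside the 360h renewBefore window. The function names and the self-signed sample certificate are constructed for illustration, and fetch_cert assumes a logged-in oc session.

```shell
#!/bin/sh
# Added example: checks on the certificate that cert-manager stores in the
# Secret acme-cert-tls. Function names are illustrative, not from the page.

# Fetch the issued certificate (needs a logged-in oc session; unused offline).
fetch_cert() {  # usage: fetch_cert OUTFILE
    oc get secret acme-cert-tls -n cert-manager \
        -o jsonpath='{.data.tls\.crt}' | base64 -d > "$1"
}

# Constructed sample input: a self-signed stand-in for the issued certificate.
make_sample_cert() {  # usage: make_sample_cert OUTFILE DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/O=dogtagpki" -days "$2" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        -out "$1" 2>/dev/null
}

# Return 0 only if the certificate outlives the renewBefore window and its
# subjectAltName list contains every requested DNS name.
check_cert() {  # usage: check_cert PEMFILE RENEW_BEFORE_HOURS NAME...
    pem=$1; window=$(( $2 * 3600 )); shift 2
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
        echo "FAIL: expires within the renewBefore window" >&2; return 1
    fi
    sans=$(openssl x509 -in "$pem" -noout -ext subjectAltName |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
            echo "FAIL: $name missing from subjectAltName" >&2; return 1
        fi
    done
    return 0
}

# Offline demo: 90 days equals the 2160h duration requested in the manifest.
demo() {
    tmp=$(mktemp)
    make_sample_cert "$tmp" 90 &&
        check_cert "$tmp" 360 example.com www.example.com &&
        openssl x509 -in "$tmp" -noout -issuer -enddate
    rc=$?; rm -f "$tmp"; return $rc
}

demo
```

Against a live cluster, run fetch_cert first and pass its output file to check_cert. The issuer line shows which CA signed the certificate; with the staging directory configured in the ClusterIssuer above, that issuer is not publicly trusted.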
Deleting ACME Certificate
$ oc delete -n cert-manager cert/acme-cert
Deleting ACME Issuer
$ oc delete clusterissuers/acme-responder
Troubleshooting
$ oc logs -n cert-manager deploy/cert-manager -f