Difference between revisions of "OpenShift cert-manager"

From Dogtag
Line 14: Line 14:
  
 
= Installing cert-manager =
 
= Installing cert-manager =
 +
 +
To install cert-manager:
  
 
<pre>
 
<pre>
 
$ oc create namespace cert-manager
 
$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml
+
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.yaml
 +
</pre>
 +
 
 +
To verify the installation:
 +
 
 +
<pre>
 +
$ oc get pods -n cert-manager
 +
NAME                                      READY    STATUS    RESTARTS  AGE
 +
cert-manager-57cdd66b-ws6nc                1/1      Running  0          30s
 +
cert-manager-cainjector-79f4496665-k7cbz  1/1      Running  0          30s
 +
cert-manager-webhook-6d57dbf4f-dvqml      1/1      Running  0          30s
 
</pre>
 
</pre>
  
 
= Creating ACME Issuer =
 
= Creating ACME Issuer =
  
Prepare the following file (e.g. letsencrypt-staging.yaml):
+
To create an issuer, prepare the following file (e.g. acme.yaml):
  
 
<pre>
 
<pre>
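Review bot: `--validate=false` is carried over from the v0.12.0 `cert-manager-openshift.yaml` install to the generic v0.14.0 `cert-manager.yaml` without comment; it is cert-manager's documented workaround for older `oc`/`kubectl` clients rejecting the large CRD manifests, and it also silences any genuine schema error in the manifest, so the page should say why it is there and that it can be dropped once the client no longer needs it. The verification block is a welcome addition; stating that all three pods (controller, cainjector, webhook) must be `Running` before the issuer is created would save the reader from webhook admission failures on the next step.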
Line 28: Line 40:
 
kind: ClusterIssuer
 
kind: ClusterIssuer
 
metadata:
 
metadata:
   name: acme-responder
+
   name: acme-issuer
 
spec:
 
spec:
 
   acme:
 
   acme:
 
     email: admin@example.com
 
     email: admin@example.com
     server: https://acme-staging-v02.api.letsencrypt.org/directory
+
     server: https://acme.demo.dogtagpki.org/acme/directory
 
     privateKeySecretRef:
 
     privateKeySecretRef:
       name: acme-responder
+
       name: acme-issuer-account-key
 
     solvers:
 
     solvers:
 
     - http01:
 
     - http01:
 
       ingress:
 
       ingress:
 
         class: nginx
 
         class: nginx
 
 
</pre>
 
</pre>
  
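Review bot: the `server` line moves from the Let's Encrypt staging directory to `https://acme.demo.dogtagpki.org/acme/directory`, but the http01 solver still names ingress class `nginx`, and nothing on this page installs an NGINX ingress controller; on a stock OpenShift cluster the HTTP-01 challenge would have nothing to serve it, so either add that step or list it as a prerequisite (the See Also entries on NGINX ingress suggest the author relies on one). The renamed `privateKeySecretRef` (`acme-issuer-account-key`) is the ACME account private key; for a ClusterIssuer it is stored in the cert-manager namespace, which is why the later delete step has to pass `-n cert-manager`, and one sentence saying so would help.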
Line 45: Line 56:
  
 
<pre>
 
<pre>
$ oc create -f acme-responder.yaml
+
$ oc create -f acme-issuer.yaml
 
</pre>
 
</pre>
  
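Review bot: `oc create -f acme-issuer.yaml` does not match the file name the same revision suggests a few lines earlier ("e.g. acme.yaml"); pick one so the copy-and-paste sequence works as written.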
Line 51: Line 62:
  
 
<pre>
 
<pre>
$ oc describe clusterissuers/acme-responder
+
$ oc describe clusterissuers acme-issuer
 +
    ...
 +
    Message:              The ACME account was registered with the ACME server
 +
    Reason:                ACMEAccountRegistered
 +
    ...
 +
</pre>
 +
 
 +
To delete the issuer:
 +
 
 +
<pre>
 +
$ oc delete clusterissuers acme-issuer
 +
$ oc delete secret acme-issuer-account-key -n cert-manager
 
</pre>
 
</pre>
  
 
= Creating ACME Certificate =
 
= Creating ACME Certificate =
  
Prepare a Certificate configuration (e.g. letsencrypt-cert.yaml):
+
Prepare a Certificate configuration (e.g. acme-cert.yaml):
  
 
<pre>
 
<pre>
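Review bot: the new "To delete the issuer" step removes both the ClusterIssuer and `acme-issuer-account-key`, which is the right cleanup (a leftover account key would silently re-use the old ACME account when the issuer is recreated), but the "Deleting ACME Issuer" section later in this same revision deletes only the ClusterIssuer; the two should agree, or the later one should be dropped. Minor: `oc describe clusterissuers` and `oc delete clusterissuers` here use the plural form while the later section uses `clusterissuer`; both are accepted, but one form reads better.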
Line 63: Line 85:
 
metadata:
 
metadata:
 
   name: acme-cert
 
   name: acme-cert
  namespace: cert-manager
 
 
spec:
 
spec:
 
   secretName: acme-cert-tls
 
   secretName: acme-cert-tls
  duration: 2160h
 
  renewBefore: 360h
 
  organization:
 
  - dogtagpki
 
  isCA: false
 
  keySize: 2048
 
  keyAlgorithm: rsa
 
  keyEncoding: pkcs1
 
  usages:
 
    - server auth
 
    - client auth
 
 
   dnsNames:
 
   dnsNames:
  - example.com
 
 
   - www.example.com
 
   - www.example.com
 
   issuerRef:
 
   issuerRef:
     name: acme-responder
+
     name: acme-issuer
 
     kind: ClusterIssuer
 
     kind: ClusterIssuer
 
</pre>
 
</pre>
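Review bot: removing `namespace: cert-manager` means the Certificate and its `acme-cert-tls` secret now land in whatever project `oc` is currently pointed at, so the issued private key lives wherever the reader happened to be; say which project is intended. Dropping `duration`, `renewBefore`, `keySize`, `keyAlgorithm`, `keyEncoding`, `usages` and `isCA` hands all of them to cert-manager defaults, which is acceptable for a demo, but the explicit `usages` and key parameters were the one place the page stated what the key is for, so consider keeping at least those; and confirm `example.com` was meant to leave `dnsNames`, since the apex name no longer appears in the certificate.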
Line 91: Line 100:
 
</pre>
 
</pre>
  
To verify the certificate:
+
To check the certificate status:
 +
 
 +
<pre>
 +
$ oc describe certificate acme-cert
 +
    ...
 +
    Message:              Waiting for CertificateRequest "acme-cert-<request>" to complete
 +
    Reason:                InProgress
 +
    ...
 +
</pre>
 +
 
 +
To check the certificate request status:
  
 
<pre>
 
<pre>
$ oc describe cert/acme-cert -n cert-manager
+
$ oc describe certificaterequest acme-cert-<request>
 +
</pre>
 +
 
 +
To check the order status:
 +
 
 +
<pre>
 +
$ oc describe order acme-cert-<order>
 +
    ...
 +
    Challenges:
 +
      Token:    <token>
 +
      Type:      dns-01
 +
      URL:      http://acme.default.svc.cluster.local:8080/acme/chall/<challenge ID>
 +
      Token:    <token>
 +
      Type:      http-01
 +
      URL:      http://acme.default.svc.cluster.local:8080/acme/chall/<challenge ID>
 +
    ...
 
</pre>
 
</pre>
  
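Review bot: in the new order output the challenge URLs are `http://acme.default.svc.cluster.local:8080/acme/chall/...` while the issuer's directory is `https://acme.demo.dogtagpki.org/acme/directory`; cert-manager follows whatever URLs the ACME server advertises, so if the responder is meant to be reached over TLS through the external name its advertised base URL needs fixing, and if the cluster-internal plain-HTTP address is intentional the page should say so. The order also lists both a `dns-01` and an `http-01` challenge although the issuer only configures an http01 solver; that is expected (the server offers both and cert-manager picks the type it has a solver for), but one sentence saying so would stop readers chasing the dns-01 entry. The `<request>`, `<order>`, `<token>` and `<challenge ID>` placeholders are clear; consider showing how to list them (`oc get certificaterequest,order`) since the names are generated.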
Line 100: Line 134:
  
 
<pre>
 
<pre>
$ oc delete cert/acme-cert -n cert-manager
+
$ oc delete cert acme-cert
 
</pre>
 
</pre>
  
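Review bot: `oc delete cert acme-cert` removes the Certificate object, but cert-manager does not garbage-collect the `acme-cert-tls` secret with it, so the issued certificate and its private key stay in the project until `oc delete secret acme-cert-tls` is run; add that line here, as the issuer section does for its account key.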
Line 106: Line 140:
  
 
<pre>
 
<pre>
$ oc delete clusterissuers/acme-responder
+
$ oc delete clusterissuer acme-issuer
 +
</pre>
 +
 
 +
= Troubleshooting =
 +
 
 +
<pre>
 +
$ oc logs -n cert-manager deploy/cert-manager -f
 
</pre>
 
</pre>
  
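Review bot: this "Deleting ACME Issuer" section deletes only the ClusterIssuer, while the "To delete the issuer" step added earlier in the same revision also removes `acme-issuer-account-key` from the cert-manager namespace; the two duplicate each other and disagree, so keep one. For Troubleshooting, `oc logs -n cert-manager deploy/cert-manager -f` is the right log to tail; a pointer back to the `oc describe order` and challenge output, which usually carries the concrete failure reason, would complete the section.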
Line 112: Line 152:
  
 
* [[OpenShift]]
 
* [[OpenShift]]
 +
* [[OpenShift 4 CodeReady Containers]]
 
* [https://github.com/jetstack/cert-manager OpenShift cert-manager]
 
* [https://github.com/jetstack/cert-manager OpenShift cert-manager]
 
* [https://docs.cert-manager.io/en/latest/getting-started/install/openshift.html Installing on OpenShift]
 
* [https://docs.cert-manager.io/en/latest/getting-started/install/openshift.html Installing on OpenShift]
* [https://github.com/jetstack/cert-manager/pull/1648 Add support for ACMEv2 POST-as-GET]
 
 
* [https://cert-manager.io/docs/configuration/acme/ cert-manager ACME]
 
* [https://cert-manager.io/docs/configuration/acme/ cert-manager ACME]
* [https://cert-manager.io/docs/configuration/acme/http01/ cert-manager ACME HTTP01]
+
* [https://cert-manager.io/docs/tutorials/acme/http-validation/ cert-manager HTTP Validation]
 +
* [https://cert-manager.io/docs/tutorials/acme/dns-validation/ cert-manager DNS Validation]
 +
* [https://cert-manager.io/docs/tutorials/acme/ingress/ Securing NGINX-ingress]
 +
* [[K3s]]
 +
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes How to Set Up an Nginx Ingress with Cert-Manager on DigitalOcean Kubernetes]
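Review bot: the entry labelled "OpenShift cert-manager" points at the generic jetstack/cert-manager repository, and the `docs.cert-manager.io/en/latest/...` link uses the old documentation site while the newer entries use `cert-manager.io/docs/...`; relabel and retarget so the list is consistent, and the `[[K3s]]` wiki link sits oddly between two cert-manager tutorials.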

Latest revision as of 01:16, 31 March 2020

Authentication

To authenticate as system:admin:

$ oc login -u system:admin

To authenticate as kubeadmin:

$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443

Installing cert-manager

To install cert-manager:

$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.yaml

To verify the installation:

$ oc get pods -n cert-manager
NAME                                       READY     STATUS    RESTARTS   AGE
cert-manager-57cdd66b-ws6nc                1/1       Running   0          30s
cert-manager-cainjector-79f4496665-k7cbz   1/1       Running   0          30s
cert-manager-webhook-6d57dbf4f-dvqml       1/1       Running   0          30s

Creating ACME Issuer

To create an issuer, prepare the following file (e.g. acme-issuer.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-issuer
spec:
  acme:
    email: admin@example.com
    server: https://acme.demo.dogtagpki.org/acme/directory
    privateKeySecretRef:
      name: acme-issuer-account-key
    solvers:
    - http01:
       ingress:
         class: nginx

Then execute the following command:

$ oc create -f acme-issuer.yaml

Verify with the following command:

$ oc describe clusterissuers acme-issuer
    ...
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    ...

To delete the issuer:

$ oc delete clusterissuers acme-issuer
$ oc delete secret acme-issuer-account-key -n cert-manager

Creating ACME Certificate

Prepare a Certificate configuration (e.g. acme-cert.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: acme-cert
spec:
  secretName: acme-cert-tls
  dnsNames:
  - www.example.com
  issuerRef:
    name: acme-issuer
    kind: ClusterIssuer

Then execute the following command:

$ oc create -f acme-cert.yaml

To check the certificate status:

$ oc describe certificate acme-cert
    ...
    Message:               Waiting for CertificateRequest "acme-cert-<request>" to complete
    Reason:                InProgress
    ...

To check the certificate request status:

$ oc describe certificaterequest acme-cert-<request>

To check the order status:

$ oc describe order acme-cert-<order>
    ...
    Challenges:
      Token:     <token>
      Type:      dns-01
      URL:       http://acme.default.svc.cluster.local:8080/acme/chall/<challenge ID>
      Token:     <token>
      Type:      http-01
      URL:       http://acme.default.svc.cluster.local:8080/acme/chall/<challenge ID>
    ...
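The three status checks above tell you whether issuance is still in progress; the script below is an added example (not from this wiki page) that waits for the Certificate to become Ready, extracts the issued leaf from the TLS secret and confirms its SAN and remaining validity before anything is pointed at it. It assumes `oc` is logged in to the project holding the Certificate, `openssl` is on PATH, and the object names used on this page (acme-cert, acme-cert-tls, www.example.com); the `check_leaf` helper also runs on any PEM file offline.

```shell
#!/bin/sh
# Added example (not from the wiki page): after "oc create -f acme-cert.yaml",
# wait until cert-manager reports the Certificate Ready, then pull the issued
# leaf out of the TLS secret and check it before anything is told to trust it.
# Assumes: oc is logged in to the intended project, openssl is on PATH, and
# the page's object names (acme-cert / acme-cert-tls / www.example.com).
set -eu

CERT_NAME="${CERT_NAME:-acme-cert}"
SECRET_NAME="${SECRET_NAME:-acme-cert-tls}"
EXPECT_DNS="${EXPECT_DNS:-www.example.com}"

# check_leaf PEM DNSNAME [MIN_DAYS]
# 0 only if PEM parses as X.509, its subjectAltName lists DNSNAME exactly,
# and it stays valid for MIN_DAYS more days; 1/2/3 say which check failed.
check_leaf() {
  pem="$1"; dns="$2"; min_days="${3:-7}"
  openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 1
  # Escape dots and require a delimiter so www.example.com only matches itself.
  esc=$(printf '%s' "$dns" | sed 's/[.]/\\./g')
  openssl x509 -in "$pem" -noout -text 2>/dev/null \
    | grep -Eq "DNS:${esc}(,|[[:space:]]|$)" || return 2
  # -checkend N exits non-zero when the certificate expires within N seconds.
  openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" \
    >/dev/null 2>&1 || return 3
  return 0
}

# Cluster-facing part: blocks until Ready (or times out), then checks the leaf.
verify_issued_cert() {
  oc wait --for=condition=Ready "certificate/${CERT_NAME}" --timeout=300s
  tmp=$(mktemp)
  # tls.crt is stored base64-encoded in the Secret's data map.
  oc get secret "${SECRET_NAME}" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > "$tmp"
  rc=0
  check_leaf "$tmp" "$EXPECT_DNS" 7 || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "OK: ${SECRET_NAME} holds a valid leaf for ${EXPECT_DNS}"
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate
  else
    echo "FAIL (check $rc): try 'oc describe certificate ${CERT_NAME}'" >&2
  fi
  rm -f "$tmp"
  return "$rc"
}

# Only touch the cluster when invoked as: sh verify-cert.sh run
case "${1:-}" in run) verify_issued_cert ;; esac
```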

Deleting ACME Certificate

$ oc delete cert acme-cert

Deleting ACME Issuer

$ oc delete clusterissuer acme-issuer

Troubleshooting

$ oc logs -n cert-manager deploy/cert-manager -f

See Also