OpenShift cert-manager

From Dogtag
Revision as of 01:28, 15 January 2020 by Edewata

Authentication

To authenticate as system:admin:

$ oc login -u system:admin

To authenticate as kubeadmin:

$ oc login -u kubeadmin -p <password> https://api.crc.testing:6443

Installing cert-manager

$ oc create namespace cert-manager
$ oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager-openshift.yaml

Creating ACME Issuer

Prepare the following file (e.g. acme-responder.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-responder
spec:
  acme:
    email: admin@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-responder
    solvers:
    - http01:
        ingress:
          class: nginx

Then execute the following command:

$ oc create -f acme-responder.yaml

Verify with the following command:

$ oc describe clusterissuers/acme-responder

Creating ACME Certificate

Prepare a Certificate configuration (e.g. acme-cert.yaml):

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: acme-cert
  namespace: cert-manager
spec:
  secretName: acme-cert-tls
  duration: 2160h
  renewBefore: 360h
  organization:
  - dogtagpki
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - server auth
    - client auth
  dnsNames:
  - example.com
  - www.example.com
  issuerRef:
    name: acme-responder
    kind: ClusterIssuer

Then execute the following command:

$ oc create -f acme-cert.yaml

To check the certificate status:

$ oc describe -n cert-manager cert/acme-cert

To check the order status:

$ oc describe order -n cert-manager acme-cert-<order>
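
To confirm what was actually issued, the following added example (not part of the original page) waits for the Certificate's Ready condition and then checks that the certificate stored in the acme-cert-tls Secret covers the requested DNS names. The function names are hypothetical; it assumes a logged-in oc, openssl, and a base64 that accepts -d.

```sh
#!/bin/sh
# Added example: helper functions, not part of the original page.
# Assumes a logged-in oc, plus openssl and a base64 that accepts -d.

# Print the Certificate's Ready condition status ("True", "False" or empty).
cert_ready_status() {   # $1 = namespace, $2 = Certificate name
    oc get certificate -n "$1" "$2" \
        -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# Poll every 5 s until Ready is True; return 1 once $3 seconds have passed.
wait_cert_ready() {     # $1 = namespace, $2 = name, $3 = timeout (seconds)
    waited=0
    until [ "$(cert_ready_status "$1" "$2")" = "True" ]; do
        [ "$waited" -ge "$3" ] && return 1
        sleep 5
        waited=$((waited + 5))
    done
}

# Write the PEM certificate stored under tls.crt in a Secret to stdout.
secret_cert_pem() {     # $1 = namespace, $2 = Secret name
    oc get secret -n "$1" "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Read a PEM certificate on stdin; return 1 if an expected DNS name is not
# among its subjectAltName entries (exact match, no wildcard expansion).
check_sans() {          # $@ = expected DNS names
    text=$(openssl x509 -noout -text) || return 2
    missing=0
    for name in "$@"; do
        # -text prints SANs as "DNS:a, DNS:b"; split them one per line.
        if ! printf '%s\n' "$text" | tr ',' '\n' | tr -d ' \t' |
                grep -Fqx "DNS:$name"; then
            echo "missing SAN: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage with the names from this page:
#   wait_cert_ready cert-manager acme-cert 300 &&
#   secret_cert_pem cert-manager acme-cert-tls |
#       check_sans example.com www.example.com
```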

Deleting ACME Certificate

$ oc delete -n cert-manager cert/acme-cert

Deleting ACME Issuer

$ oc delete clusterissuers/acme-responder

Troubleshooting

$ oc logs -n cert-manager deploy/cert-manager -f

See Also