Skip to content

Instantly share code, notes, and snippets.

@dmi3mis

dmi3mis/ClusterIssuer.yaml

Last active May 13, 2022 10:36
Show Gist options
  • Save dmi3mis/e7fcc21d7373b31e88d80ed2d88c41f7 to your computer and use it in GitHub Desktop.
Save dmi3mis/e7fcc21d7373b31e88d80ed2d88c41f7 to your computer and use it in GitHub Desktop.
Download ZIP
Using jetstack cert-manager ingress and routes in openshift
Raw
api-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: api-cert
namespace: cert-manager
spec:
secretName: api-cert
duration: 2160h
renewBefore: 360h
issuerRef:
kind: ClusterIssuer
name: clusterissuer
secretTemplate:
annotations:
replicator.v1.mittwald.de/replicate-to: "openshift-config"
dnsNames:
- "api.ocp4.${DNSDOMAIN}"
Raw
apps-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: apps-cert
namespace: cert-manager
spec:
secretName: apps-cert
duration: 2160h
renewBefore: 360h
issuerRef:
kind: ClusterIssuer
name: clusterissuer
secretTemplate:
annotations:
replicator.v1.mittwald.de/replicate-to: "openshift-ingress"
dnsNames:
- "*.apps.ocp4.${DNSDOMAIN}"
Raw
ClusterIssuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: clusterissuer
spec:
acme:
email: [email protected]
# server: https://acme-v02.api.letsencrypt.org/directory
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cluster-issuer-account-key
solvers:
- dns01:
rfc2136:
nameserver: 10.78.11.130:53
tsigKeyName: ${DNSDOMAIN}-key
tsigAlgorithm: HMACSHA256
tsigSecretSecretRef:
name: tsig-secret
key: tsig-secret-key
Raw
helloingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
# add an annotation indicating the issuer to use.
cert-manager.io/issuer: issuer
name: hello
spec:
rules:
- host: site.company.com
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: hello
port:
number: 8080
tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
- hosts:
- site.company.com
- www.site.company.com
secretName: hello-ingress-cert
Raw
openshift and cert-manager dns01 rfc2136 example
#Commands to start DNS master server and apply and configure cert-manager with kubernetes-replicator
# Can be used for for rfc2136 DNS01 solver https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/
# Lets run bind9 dns server in a container from https://github.com/sameersbn/docker-bind
# http://www.damagehead.com/blog/2015/04/28/deploying-a-dns-server-using-docker/
# YourExternal IP is
EXTERNALIP=123.123.123.123
# Public dns domain zone is
DNS=example.com
# example works on Centos Stream
mkdir ${PWD}/data
chmod +w ${PWD}/data
chcon -t container_file_t -R -v ${PWD}/data
# YourPublic IP is
PUBLICIP=123.123.123.123
# Public dns domain zone is
DNSDOMAIN=example.com
podman run --name dns -d \
--publish ${EXTERNALIP}:53:53/tcp \
--publish ${EXTERNALIP}:53:53/udp \
--publish ${EXTERNALIP}:10000:10000/tcp \
--env ROOT_PASSWORD=mysecretpassword \
--volume ${PWD}/data:/data:Z \
sameersbn/bind
# https://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
cat << EOT > ${PWD}/data/bind/etc/named.conf.local
zone "${DNSDOMAIN}" {
type master;
file "/var/lib/bind/${DNSDOMAIN}.hosts";
check-names warn;
allow-query { any; };
allow-update { key ${DNSDOMAIN}; };
};
EOT
rndc-confgen -k ${DNSDOMAIN} -A HMAC-SHA256 -b 256 |sed -n '2,5'p |tee ${PWD}/data/bind/etc/${DNSDOMAIN}.key
key "${DNSDOMAIN}" {
algorithm hmac-sha256;
secret "49s7v4ruY9YeQe01R1+oGL6p89goQKN/K28r740xTmI=";
};
cat << EOT >> ${PWD}/data/bind/etc/named.conf
include "/etc/bind/${DNSDOMAIN}.key";
include "/etc/bind/named.conf.local";
EOT
mkdir -p ${PWD}/data/bind/lib
cat << EOT >> ${PWD}/data/bind/lib/${DNSDOMAIN}.hosts
${DNSDOMAIN}. 3600 IN SOA ns1.${DNSDOMAIN}. root.${DNSDOMAIN}. 23 3600 300 2419200 300
${DNSDOMAIN}. 3600 IN NS ns1.${DNSDOMAIN}.
${DNSDOMAIN}. 3600 IN NS ns2.${DNSDOMAIN}.
ns1.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
ns2.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
api.ocp4.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
*.apps.ocp4.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
EOT
chown 101:101 -R ${PWD}/data
chmod 775 -R ${PWD}/data
podman restart dns
firewall-cmd --add-service=dns --zone=public --permanent
firewall-cmd --reload
# test dns rfc2136 dynamic update
nsupdate -k ${PWD}/data/bind/etc/${DNSDOMAIN}.key
server ${EXTERNALIP}
update add testhost.${DNSDOMAIN} 60 A 123.123.123.123
send
# ... test it with dig
# ... dig -t A +short testhost.${DNSDOMAIN} "
# ... 123.123.123.123
update delete testhost.${DNSDOMAIN} A
send
# Now our authoritative dns server works with dynamic update
# Try to check and configure dns server with webmin web interface
firefox https://${EXTERNALIP}:10000
login: root
pass: mysecretpassword
oc login -u kubeadmin -p kubeadminpass https://api.ocp4.${DNSDOMAIN}:6443
# First of all lets install cert-manager application
oc create namespace cert-manager
oc project cert-manager
oc apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml -n cert-manager
# Lets install https://github.com/mittwald/kubernetes-replicator
# It will helps us to replicate certificate secrets from one namespace to another
# We will create certificate secrets in cert-manager namespace,
# then kubernetes-replicator will copy api-cert and apps-cert secrets
# to openshift-config and openshift-ingress namespaces
# Create roles and service accounts
kubectl apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/rbac.yaml
# Create actual deployment
kubectl apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/deployment.yaml
SECRET=$(cat ~/${DNSDOMAIN}.key |sed -n '3'p|cut -d" " -f 2)
SECRET_cutted=${SECRET:1:-2}
oc create secret generic tsig-secret --from-literal=tsig-secret-key=${SECRET_cutted} -n cert-manager
oc apply -f ClusterIssuer.yaml
oc apply -f apps-cert.yaml
oc apply -f api-cert.yaml
watch oc get clusterissuer,certificate,certificaterequests.cert-manager.io,order,challenge,pod,ingress,route
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "apps-cert"}}}' -n openshift-ingress-operator
oc patch apiserver cluster --type=merge -p "{\"spec\":{\"servingCerts\": {\"namedCertificates\": [{\"names": \[\"api.ocp4.${DNSDOMAIN}\"\],\"servingCertificate\": {\"name\": \"api-cert\"}}]}}}"
oc patch apiserver cluster --type=merge -p "{\"spec\":{\"servingCerts\": {\"namedCertificates\": [{\"names": \[\"api.ocp4.nexml.online\"\], \"servingCertificate\": {\"name\": \"api-cert\"}}]}}}"
Raw
testsite-cert-example.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: testsite-cert
spec:
secretName: testsite-cert
duration: 2160h
renewBefore: 360h
issuerRef:
kind: ClusterIssuer
name: clusterissuer
secretTemplate:
annotations:
replicator.v1.mittwald.de/replicate-to: "namespace1,namespace2"
dnsNames:
- testsite.apps.ocp4.${DNSDOMAIN}
- www.testsite.apps.ocp4.${DNSDOMAIN}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment