We have a lot of services deployed on OpenShift; each service has a unique route.
Currently we are creating SSL certificates using OpenSSL and specifying the .key and .cer in the YAML file.
Maintaining this many certificates is hard, and if we have to change the certificate after expiry we have to update all the YAML files.
Is there a way to create a secret and use that in place of the .cer and .key in the route YAML file?
CodePudding user response:
You can use cert-manager.
Cert-manager will take care of the certificate and auto-renew the secret whenever it is expiring.
You can create a self-signed cert with a CA also.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
  namespace: sandbox
spec:
  isCA: true
  commonName: my-selfsigned-ca
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-ca-issuer
  namespace: sandbox
spec:
  ca:
    secretName: root-secret
Ref: https://cert-manager.io/docs/configuration/selfsigned/
CodePudding user response:
There is an operator named ingress-operator in OpenShift; you only need to specify SSL in this ingress controller pod instead of in all pods.
1. oc create secret tls <secret_name> --cert=<cert_name_PEM> --key=<cert_key> -n openshift-ingress
2. oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "<secret_name>" }}}'
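Added example, not from either answer above: before loading a PEM pair into a kubernetes.io/tls Secret (what `oc create secret tls` in step 1 does), verify that the key really belongs to the certificate and that the certificate is not close to expiry, then render the equivalent Secret manifest. It assumes openssl and base64 are on PATH; the secret name, namespace and file names are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a cert/key pair and render a kubernetes.io/tls
# Secret manifest for it. Assumes openssl and base64 are installed.

# Return 0 if the private key in $2 belongs to the certificate in $1.
# Both commands emit the SubjectPublicKeyInfo in PEM, so the texts must match.
tls_pair_matches() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $1 is still valid for at least $2 days
# (default 30); -checkend exits non-zero when it expires inside that window.
tls_cert_valid_for_days() {
  days="${2:-30}"
  openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# Print a Secret manifest equivalent to:
#   oc create secret tls NAME --cert=CERT --key=KEY -n NAMESPACE
# Refuses to render a mismatched pair or a certificate expiring within 30 days.
tls_secret_manifest() {
  name="$1"; ns="$2"; cert="$3"; key="$4"
  tls_pair_matches "$cert" "$key" \
    || { echo "error: key does not match certificate" >&2; return 1; }
  tls_cert_valid_for_days "$cert" 30 \
    || { echo "error: certificate expires within 30 days" >&2; return 1; }
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'type: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$(base64 < "$cert" | tr -d '\n')" "$(base64 < "$key" | tr -d '\n')"
}
```

The rendered manifest can be applied with `oc apply -f -`, and the same two checks are worth running before rotating the ingress-operator default certificate.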