How to Install and Configure Certificates on OpenShift: A Step-by-Step Guide

In today’s secure computing environments, properly configuring SSL/TLS certificates is critical for ensuring secure communication between clients and your OpenShift cluster. Whether you're setting up a new certificate or replacing an existing one, this guide will walk you through the process of installing and configuring certificates on OpenShift.


Prerequisites

Before starting, ensure you have the following:

  1. Access to the OpenShift cluster with administrative privileges.

  2. The certificate file (e.g., original_cert_from_site.pem) and its corresponding private key (e.g., s390cluster1_4096.key).

  3. The openssl and oc (OpenShift CLI) tools installed on your local machine.


Step 1: Prepare the Certificate File

If your certificate file does not include the full certificate chain (e.g., intermediate and root CA certificates), you can use openssl to extract and combine them into a single file.

Run the following command to extract and combine the certificates:

openssl pkcs7 -print_certs -in original_cert_from_site.pem -out myNewRealCertIncludingCAcerts.pem

This command writes a new file (myNewRealCertIncludingCAcerts.pem) containing every certificate in the bundle, i.e. the full certificate chain. It assumes original_cert_from_site.pem is a PEM-encoded PKCS#7 bundle, the format many CAs deliver; for a DER-encoded .p7b file add -inform DER, and if the file is already a plain PEM chain openssl pkcs7 will report an error and this step can be skipped. Check that the server (leaf) certificate comes first in the output, followed by the intermediate CA certificates, since that is the order the ingress router expects.


Step 2: Delete the Existing Secret (if applicable)

If you are replacing an existing certificate, you’ll need to delete the current secret in the openshift-ingress namespace. Use the following command to delete the secret:

oc delete secret -n openshift-ingress ingress-cert --ignore-not-found=true

The --ignore-not-found=true flag ensures that the command does not fail if the secret does not already exist.


Step 3: Create a New TLS Secret

Next, create a new TLS secret from your full-chain certificate and private key. Replace s390xCAcerts.pem and s390cluster1_4096.key with the paths to your certificate file (the full-chain file produced in Step 1) and to the private key that matches it, respectively.

Run the following command:

oc create secret tls ingress-cert \
  --cert=s390xCAcerts.pem \
  --key=s390cluster1_4096.key \
  -n openshift-ingress

This command creates a new secret named ingress-cert in the openshift-ingress namespace.


Step 4: Patch the Ingress Controller

Finally, update the default ingress controller to use the new certificate. This step ensures that traffic entering the cluster through the default ingress controller, that is, application routes and the web console under the *.apps wildcard domain, is secured with the new certificate; the API server endpoint on port 6443 has its own certificate and is not affected by this change.

Run the following command:

oc patch ingresscontroller.operator default \
  --type=merge -p \
  '{"spec":{"defaultCertificate": {"name": "ingress-cert"}}}' \
  -n openshift-ingress-operator

This command patches the default ingress controller to reference the ingress-cert secret you created in the previous step.


Step 5: Verify the Configuration

To verify that the certificate has been applied successfully:

  1. Open the OpenShift web console or access your cluster via the CLI.

  2. Navigate to the openshift-ingress namespace and check the ingress-cert secret to ensure it contains the correct certificate and key.

  3. Use a browser or a tool like openssl to confirm that the certificate is being served correctly. Use a hostname that the ingress controller serves (an application route or the console hostname under the *.apps domain); the -servername option sends that name as SNI so the router selects the certificate configured for it:

     openssl s_client -connect <your-cluster-domain>:443 -servername <your-cluster-domain> -showcerts
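
The checks and commands above, gathered into one script as an added example that is not part of this guide: it confirms the private key matches the certificate, that the file carries a chain and is not about to expire, then runs Steps 2 to 4 and compares the fingerprint the router serves with the local file. It assumes openssl and a logged-in oc are on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide. Pre-flight checks plus the
# rollout from Steps 2-4 and the verification from Step 5. Assumes openssl
# and a logged-in oc on PATH; $1 is the full-chain PEM, $2 its private key.
set -eu

# Return 0 when the public key in the leaf certificate matches the private
# key: compare the SHA-256 of the SubjectPublicKeyInfo derived from each.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Print how many PEM certificates the file holds; 1 means no intermediates.
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Return 0 when the leaf certificate is still valid for at least $2 seconds.
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Steps 2-4: replace the ingress-cert secret only after the checks pass.
rollout_ingress_cert() {
  cert_key_match "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
  [ "$(chain_length "$1")" -ge 2 ] || echo "warning: $1 carries no intermediate CA" >&2
  not_expiring_within "$1" 2592000 || { echo "certificate expires within 30 days" >&2; return 1; }
  oc delete secret -n openshift-ingress ingress-cert --ignore-not-found=true
  oc create secret tls ingress-cert --cert="$1" --key="$2" -n openshift-ingress
  oc patch ingresscontroller.operator default --type=merge \
    -p '{"spec":{"defaultCertificate":{"name":"ingress-cert"}}}' \
    -n openshift-ingress-operator
}

# Step 5: the fingerprint served for $1 (an apps hostname, sent as SNI) must
# equal the fingerprint of the leaf certificate in the local file $2.
verify_served_cert() {
  served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
           openssl x509 -noout -fingerprint -sha256)
  expected=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$served" = "$expected" ]
}
```

Run rollout_ingress_cert myNewRealCertIncludingCAcerts.pem s390cluster1_4096.key, then verify_served_cert with a route hostname once the router pods have rolled.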
    

Troubleshooting Tips

  • Certificate Not Applied: If the certificate is not applied, ensure that the secret name (ingress-cert) matches the name specified in the ingress controller patch.

  • Expired or Invalid Certificate: Double-check the certificate’s validity period and ensure it includes the full certificate chain.

  • Permission Issues: Ensure you have the necessary permissions to create secrets and patch the ingress controller.


Conclusion

Configuring certificates on OpenShift is a straightforward process when you follow these steps. By preparing your certificate file, creating a TLS secret, and updating the ingress controller, you can ensure secure communication for your OpenShift cluster. Whether you're setting up a new cluster or renewing an existing certificate, this guide provides a reliable approach to certificate management.

For more advanced configurations, refer to the OpenShift documentation. Happy securing! 🚀


Pro Tip: Automate this process using Ansible or other automation tools to streamline certificate management across multiple clusters.