OpenShift Application Certificate Management with Let’s Encrypt

OpenShift-LogoType.svgplus_signle-logo-twitter-noalpha

Overview

In this short article we will look at a solution for application certificates in OpenShift. Let’s Encrypt is a non-profit certificate authority and provides easy on-demand TLS certificates. Each application you create that you want to expose to users will of course have it’s own URL and require a TLS certificate. It can be quite tedious to manage these certificates and deploy them manually. Kubernetes platforms also require an innovative, built-in native approach to properly mitigate complexity.

Thankfully a fellow RHatter (Tomáš Nožička) has created a k8s admission controller that integrates with let’s encrypt. A k8s admission controller is a pattern for extending kubernetes platform capabilities by reacting to API events in real-time.  In this case the admission controller watches the route APIs. If a new route is added, plus has the right annotation, the admission controller will automatically register the route with Let’s Encrypt, wait for the certificate and finally configure the certificate automatically in the route.

Tomáš has provided the code and yaml for an easy deployment in the following Github repository: https://github.com/tnozicka/openshift-acme. While hee does provide documentation there are a few additional steps that need explanation when creating a route. I decided to as such put it all together in a simple concise post.

Configure Let’s Encrypt OpenShift Admission Controller

Here we will enable the k8s admission controller on the entire cluster but it is possible to limit the scope to individual namespaces. See Github repository for more information.

Create new project

$ oc new-project acme

Deploy Controller

$ oc apply -fhttps://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/cluster-wide/{clusterrole,serviceaccount,issuer-letsencrypt-live,deployment}.yaml

Create Service Account and Role Binding

$ oc create clusterrolebinding openshift-acme --clusterrole=openshift-acme \
--serviceaccount="$( oc project -q ):openshift-acme" --dry-run -o yaml | \
oc apply -f -

Add Certificate to Application Route

Now that the k8s admission controller is deployed we will create a route. In OpenShift a route is how we expose a service to the outside world. Since we will provide a custom TLS certificate, route termination should be on the edge. As such we can use http from the router edge to the service.

Create Route

$ vi letsencrypt_route.yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: meet
  labels:
    app: jitsi
  annotations:
    openshift.io/host.generated: 'true'
    kubernetes.io/tls-acme: "true"
spec:
  host: meet-jitsi.apps.ocp4.keithtenzer.com
  to:
    kind: Service
    name: web
    weight: 100
  port:
    targetPort: http
  tls:
    termination: edge
  wildcardPolicy: None

Validate Route

As soon as the ACME admission controller sees a route with the annotation kubernetes.io/tls-acme: “true” it will register URL with Let’s Encrypt. A temporary route will be created so once the certificate is accepted it can be pulled down and added to route.

exposer

Once process completes the temporary exposer route is removed and the certificate and private key are added to the original route.

exposer_2

It’s that easy and you now have a valid certificate for your application in OpenShift.

Summary

In this article we showed how to setup application certificates in an OpenShift enviornment using a k8s admission controller. This solution also shows the value of a k8s admission controller being able to customize and adapt the environment to an organizations governance model.

(c) 2020 Keith Tenzer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s