Comments (2)
I think this just requires a quick documentation note... we'll leave this out of terraform deployment and have a "Next Steps" or "What's next" section in the readme to focus on:
- Let's Encrypt certs
- CNV
- etc.
Currently testing with:
# Assumes TF_VAR_cluster_name, TF_VAR_* has been set
export CF_Key=$TF_VAR_cf_api_key
export CF_Email=$TF_VAR_cf_email
curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | bash -s -- --issue --dns dns_cf -d "api.${TF_VAR_cluster_name}.${TF_VAR_cluster_basedomain}" -d "*.apps.${TF_VAR_cluster_name}.${TF_VAR_cluster_basedomain}"
EDIT:
Not sure why, but I could not get this to work without installing acme.sh ... I inevitably "installed" it via:
curl https://get.acme.sh | sh
and then executed the following to issue my cert:
/root/.acme.sh/acme.sh --issue --debug 2 --dns dns_cf -d "shifti.us" -d "api.${TF_VAR_cluster_name}.${TF_VAR_cluster_basedomain}" -d "*.apps.${TF_VAR_cluster_name}.${TF_VAR_cluster_basedomain}" --log
Which worked fine:
[Mon Jun 1 21:10:02 EDT 2020] Your cert is in /root/.acme.sh/shifti.us/shifti.us.cer
[Mon Jun 1 21:10:02 EDT 2020] Your cert key is in /root/.acme.sh/shifti.us/shifti.us.key
[Mon Jun 1 21:10:02 EDT 2020] v2 chain.
[Mon Jun 1 21:10:02 EDT 2020] The intermediate CA cert is in /root/.acme.sh/shifti.us/ca.cer
[Mon Jun 1 21:10:02 EDT 2020] And the full chain certs is there: /root/.acme.sh/shifti.us/fullchain.cer
Snippet to update ingress controller/router cert still to come.
from terraform-packet-openshift.
The original article decoupled this better from TF_VARs that might be set. So the TL;DR version:
export KUBECONFIG="<output from tf>"
export CF_Key=$TF_VAR_cf_api_key
export CF_Email=$TF_VAR_cf_email
export LE_API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
export LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')
export CERTDIR=$HOME/certificates
# Install acme.sh
curl https://get.acme.sh | sh
# Request certificate with dns_cf
$HOME/.acme.sh/acme.sh --issue -d "${LE_API}" -d "*.${LE_WILDCARD}" --dns dns_cf   # quote the wildcard so the shell cannot glob-expand it
# Install certificate
mkdir -p ${CERTDIR}
$HOME/.acme.sh/acme.sh --install-cert -d "${LE_API}" -d "*.${LE_WILDCARD}" --cert-file ${CERTDIR}/cert.pem --key-file ${CERTDIR}/key.pem --fullchain-file ${CERTDIR}/fullchain.pem --ca-file ${CERTDIR}/ca.cer
# Create router-certs secret and update ingresscontroller to use new cert(s)
oc create secret tls router-certs --cert=${CERTDIR}/fullchain.pem --key=${CERTDIR}/key.pem -n openshift-ingress
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "router-certs" }}}'
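A gate I would put in front of the secret/patch step above, as an added example that is not from the issue thread or the terraform-packet-openshift repo: it checks that the acme.sh output matches its key, carries SANs for LE_API and the apps wildcard, and is not about to expire, and only then creates the secret and patches the ingresscontroller. It assumes LE_API, LE_WILDCARD and CERTDIR as exported in the comment above, OpenSSL 1.1.1 or newer (for `x509 -ext`), and a logged-in oc.

```shell
# Added example (not from the issue thread): gate the secret/patch step on checks of
# the acme.sh output. Assumes LE_API, LE_WILDCARD, CERTDIR as exported above,
# OpenSSL 1.1.1+ (for `x509 -ext`) and a logged-in oc.
# API hostname from `oc whoami --show-server`, for the https://api.<cluster>.<domain>:6443 form.
api_host_from_server() {
  _s="${1#*://}"; _s="${_s%%/*}"; printf '%s\n' "${_s%%:*}"
}
# Exit 0 when the SAN list $1 (whitespace-separated) covers $2, either exactly or
# via a wildcard SAN matching exactly one extra label (the way TLS clients match).
san_covers() {
  _name="$2"; _hit=1
  set -f                                   # do not glob-expand "*.apps..." entries
  for _san in $1; do
    case "$_san" in
      "$_name") _hit=0 ;;
      \*.*) _base="${_san#\*.}"; _rest="${_name%.$_base}"
            if [ "$_rest" != "$_name" ] && [ -n "$_rest" ] && [ "$_rest" = "${_rest%%.*}" ]; then
              _hit=0
            fi ;;
    esac
  done
  set +f
  return $_hit
}
# DNS SANs of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}
# Refuse a cert whose key does not match, whose SANs miss the API or apps wildcard
# name, or which expires within 30 days (acme.sh renewal should have replaced it).
verify_ingress_cert() {
  _cert="$1"; _key="$2"; _api="$3"; _wild="$4"
  _pub="$(openssl x509 -in "$_cert" -noout -pubkey)"
  [ -n "$_pub" ] && [ "$_pub" = "$(openssl pkey -in "$_key" -pubout)" ] \
    || { echo "key $_key does not match $_cert" >&2; return 1; }
  _sans="$(cert_sans "$_cert")"
  san_covers "$_sans" "$_api" || { echo "missing SAN for $_api" >&2; return 1; }
  san_covers "$_sans" "*.$_wild" || { echo "missing SAN for *.$_wild" >&2; return 1; }
  openssl x509 -in "$_cert" -noout -checkend 2592000 >/dev/null \
    || { echo "$_cert expires within 30 days" >&2; return 1; }
}
# Only after the checks pass: create or update the secret (apply keeps renewals idempotent).
install_router_cert() {
  verify_ingress_cert "$CERTDIR/fullchain.pem" "$CERTDIR/key.pem" "$LE_API" "$LE_WILDCARD" || return 1
  oc create secret tls router-certs --cert="$CERTDIR/fullchain.pem" --key="$CERTDIR/key.pem" \
    -n openshift-ingress --dry-run=client -o yaml | oc apply -f -
  oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \
    --patch='{"spec":{"defaultCertificate":{"name":"router-certs"}}}'
}
```

Call `install_router_cert` after the acme.sh `--install-cert` step; a failed check leaves the existing router secret untouched.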