Configuring OpenShift Routes¶
Once you have installed OpenShift Routes , you need to configure it to get a certificate for OpenShift routes from a cert-manager Issuer or ClusterIssuer.
Configuration requires three steps:
- Configure an issuer.
- Update your DNS records.
- Annotate the routes.
Prerequisites¶
- You have cert-manager and OpenShift Routes installed in the same namespace. By default, this is in the
venafinamespace.
Step 1: Configure an issuer¶
-
You can use either a ClusterIssuer or a namespace-based Issuer. The following example creates a Issuer. We will use a self-signed CA for this example. In production, use a Venafi(Cluster)Issuer instead.
my-ca-issuer.yamlapiVersion: v1 kind: Namespace metadata: name: demo --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: selfsigned-issuer namespace: demo spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-ca-cert namespace: demo spec: isCA: true commonName: my-ca secretName: my-ca-secret privateKey: algorithm: ECDSA size: 256 issuerRef: name: selfsigned-issuer kind: Issuer group: cert-manager.io --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: my-ca-issuer namespace: demo spec: ca: secretName: my-ca-secret -
Apply
my-ca-issuer.yaml:oc apply -f my-ca-issuer.yaml
Step 2: Create an annotated route¶
-
If you used the example Issuer above, you can now use the following annotations:
apiVersion: route.openshift.io/v1 kind: Route metadata: name: example-route namespace: demo annotations: cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: my-ca-issuer spec: host: app.service.clustername.domain.com -
You can now annotate your routes:
apiVersion: route.openshift.io/v1 kind: Route metadata: name: example-route namespace: demo annotations: cert-manager.io/issuer-name: my-issuer # This is the only required annotation. cert-manager.io/issuer-group: cert-manager.io # Optional, defaults to cert-manager.io. cert-manager.io/issuer-kind: Issuer # Optional, defaults to Issuer. Other options are ClusterIssuer or an External Issuer cert-manager.io/duration: 1h # Optional, defaults to 90 days cert-manager.io/renew-before: 30m # Optional, defaults to 1/3 of total certificate duration. cert-manager.io/common-name: "My Certificate" # Optional, no default. cert-manager.io/alt-names: "mycooldomain.com,mysecondarydomain.com" # Optional, no default. cert-manager.io/ip-sans: "10.20.30.40,192.168.192.168" # Optional, no default. cert-manager.io/uri-sans: "spiffe://trustdomain/workload" # Optional, no default. cert-manager.io/private-key-algorithm: "ECDSA" # Optional, defaults to RSA. cert-manager.io/private-key-size: "384" # Optional, defaults to 265 for ECDSA and 2048 for RSA. cert-manager.io/email-sans: "me@example.com,you@example.com" # Optional, no default. cert-manager.io/subject-organizations: "company" # Optional, no default. cert-manager.io/subject-organizationalunits: "company division" # Optional, no default. cert-manager.io/subject-countries: "My Country" # Optional, no default. cert-manager.io/subject-provinces: "My Province" # Optional, no default. cert-manager.io/subject-localities: "My City" # Optional, no default. cert-manager.io/subject-postalcodes: "123ABC" # Optional, no default. cert-manager.io/subject-streetaddresses: "1 Example St" # Optional, no default. cert-manager.io/subject-serialnumber: "123456" # Optional, no default. spec: host: app.service.clustername.domain.com # Will be added to the Subject Alternative Names of the CertificateRequest. port: targetPort: 8080 to: kind: Service name: hello-openshift -
You should now be able to observe the
route.Spec.TLSsection of your route being populated automatically by cert-manager.The route's TLS certificate will be rotated two-thirds of the way through the certificate's lifetime, or the
cert-manager.io/renew-beforetime, before it expires.You should also be able now to call the website:
https://app.service.clustername.domain.com. This will be served by the route with a certificate signed by the CA you created in step 1.