As of today, HTTPS is the default for the OpenShift master, the
OpenShift command-line client, and the OpenShift web console.
When running in HTTPS, "openshift start" now does the following:
1. Generates a certificate authority
2. Creates a self-signed certificate for the API server
3. Creates client certificates for system components to use when
communicating with the API
4. Creates client certificates and a .kubeconfig file for an admin
The generated certificates are placed under
"openshift.local.certificates" (changeable using the "--cert-dir"

Why is this awesome?
It makes sure we have the wiring in place for all parts of the
system to be able to speak securely to each other, and lets us start
turning on authentication and authorization.

How do I access the OpenShift master?
The default URL is now https://<ip>:8443 (available locally as

Why do osc, curl, my web browser, and <my favorite tool>
complain about SSL certificates?
"openshift start" creates a certificate to serve on HTTPS. API
clients need to include the root certificate bundle in the list of
trusted certs. This is located in $CERT_DIR/master/root.crt.
1. To get your browser working:
- add an exception to trust the generated certificate the first time
you access the master.
2. To get osc working:
- Preferred: use the generated admin user by passing
--kubeconfig=$CERT_DIR/admin/.kubeconfig or setting
KUBECONFIG=$CERT_DIR/admin/.kubeconfig (make sure you have read
access to the files under $CERT_DIR/admin)
- Acceptable: pass
- Bad (don't get used to doing this): pass
3. To get curl working:
- Preferred: pass "--cacert $CERT_DIR/master/root.crt" or set
- Bad (don't get used to doing this): pass "--insecure"

How do I go back to HTTP?
Why would you even ask that? You're making the EFF cry :-(
If you really need to, you can do the following to get the old
default behaviour back:
openshift start: pass "--master=http://:8080"
osc: pass "--server=http://localhost:8080"

Do the tests use HTTPS?
Yes, when running tests (test-end-to-end.sh, test-cmd.sh, etc), the
defaults for scheme and port are "https" and "8443", respectively.
Set the environment variables API_SCHEME and API_PORT to override
If you have any questions, or run into issues, please let me know.