I'm very interested in this as well, as I'd like to
use it in classes I'm teaching on OpenShift.
Let's keep a very strict separation between types of
traffic. There's the traffic between nodes (kubelet), master
API servers, and components such as logging and metrics.
That's on the *.internal domain managed by the SkyDNS server
on the masters. The ansible variable openshift_master_ca_certificates and the
playbook redeploy-openshift-ca just
update the CA certs on the masters, while redeploy-certificates.yml updates
everything, even the routers. So great care must be taken in
using ansible to manage your routers. I think "Let's Encrypt"
is less useful for all this private traffic, as OpenShift will
accept self-signed certs, as long as it can sign them itself
or with a provided CA or intermediary key.
Then there's public traffic managed under different DNS
services for the API, Routers, and other possible apps. THOSE
are the places where I think we'd be most interested in Let's