
Re: Let's Encrypt certificates



Hi Tim,

On Mon, 2017-09-04 at 09:16 +0100, Tim Dudgeon wrote:
> Tomas
> 
> Thanks for that. Looks very interesting.
> 
> I've looked it over and not totally sure how to use this.
> 
> Am I right that if this controller is deployed and running correctly
> then all you need to do for any routes is add the
> 'kubernetes.io/tls-acme: "true"' annotation to your route and the
> controller will handle creating the initial certificate and renewing
> it as needed?
Correct.

> 
> And in doing so it will generate/renew the certificate for the hostname,
> add/update it as a secret, and update the route definition to use
> that certificate?
For Routes it will generate a secret with that certificate and also
inline it into the Route as it doesn't support referencing it.
(Ingresses do, but the project doesn't support those yet.) The secret
can be useful for checking or mounting it into pods directly if you
don't want to terminate your TLS in the router but in pods.

> 
> And that this will only apply to external routes. Some mechanism, such
> as the Ansible playbook, will still be required to maintain the
> certificates that are used internally by the OpenShift infrastructure?
I have some thoughts on this but no code :/

As I said, at this point you need to bootstrap the infra using your own
CA/self-signed cert and then you can expose the OpenShift API + web
console using a Route. This should work fine even for the 'oc' client
unless the Router is down and you need to fix it. For that rare case,
when only the admin will need to log in to fix the router, he can use
the internal cert or ssh into the cluster directly.

So this hack should cover all the use cases for users except this
special case for an admin.
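A consistency check an operator could run over the objects described above (the annotated Route with the certificate inlined into spec.tls, plus the Secret the controller writes), as an added example that is not from this thread or from openshift-acme; it assumes the Secret is a standard kubernetes.io/tls secret with tls.crt/tls.key entries and uses constructed placeholder objects in place of live API output.

```python
import base64

# Constructed sample data (not from a real cluster): placeholder PEM bodies
# stand in for the certificate and key that the controller would issue.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def _b64(text):
    """Kubernetes Secret .data values are base64-encoded strings."""
    return base64.b64encode(text.encode()).decode()


# A Route opted in via the annotation from the thread, with the certificate
# inlined into spec.tls, and the companion Secret the controller writes.
# Assumption: the Secret is a kubernetes.io/tls secret with tls.crt/tls.key.
ROUTE = {
    "metadata": {"name": "app", "annotations": {"kubernetes.io/tls-acme": "true"}},
    "spec": {"host": "app.example.com",
             "tls": {"termination": "edge", "certificate": SAMPLE_CERT, "key": SAMPLE_KEY}},
}
SECRET = {
    "metadata": {"name": "app"}, "type": "kubernetes.io/tls",
    "data": {"tls.crt": _b64(SAMPLE_CERT), "tls.key": _b64(SAMPLE_KEY)},
}


def _norm(pem):
    """Compare PEM blocks ignoring trailing whitespace and line endings."""
    return "\n".join(line.strip() for line in (pem or "").strip().splitlines())


def check_route(route, secret):
    """Return findings (empty list = Route and Secret agree and are ACME-managed)."""
    findings = []
    annotations = route.get("metadata", {}).get("annotations") or {}
    if annotations.get("kubernetes.io/tls-acme") != "true":
        findings.append("route lacks the kubernetes.io/tls-acme=true annotation")
    tls = route.get("spec", {}).get("tls") or {}
    if not tls.get("certificate") or not tls.get("key"):
        findings.append("route has no inline certificate/key in spec.tls")
    if secret is None:
        findings.append("no companion TLS secret found")
        return findings
    data = secret.get("data") or {}
    for route_field, secret_key in (("certificate", "tls.crt"), ("key", "tls.key")):
        stored = base64.b64decode(data.get(secret_key, "")).decode()
        if _norm(stored) != _norm(tls.get(route_field)):
            findings.append(f"route {route_field} differs from secret {secret_key} (stale copy?)")
    return findings
```

Feeding it the output of `oc get route/secret -o json` for each annotated Route flags routes whose inlined certificate has drifted from the secret after a renewal.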

> 
> Thanks
> Tim
> 
> On 25/08/2017 17:09, Tomas Nozicka wrote:
> > Hi Tim,
> > 
> > there is a controller to take care of generating and renewing Let's
> > Encrypt certificates for you.
> > 
> > https://github.com/tnozicka/openshift-acme
> > 
> > That said, it won't generate it for masters but you can expose the
> > master API using a Route and the certificate for that Route would be
> > fully managed by openshift-acme.
> > 
> > Further integrations might be possible in future but this is how you
> > can get it done now.
> > 
> > Regards,
> > Tomas
> > 
> > 
> > On Fri, 2017-08-25 at 16:27 +0100, Tim Dudgeon wrote:
> > > Does anyone have any experience on how best to use Let's Encrypt
> > > certificates for an OpenShift Origin cluster?
> > > 
> > > In one sense this is simple. The Ansible installer can be specified
> > > to use this custom certificate and key to sign all the certificates
> > > it generates, and doing so ensures you don't get the dreaded "This
> > > site is insecure" messages from your browser. And there is a
> > > playbook for updating certificates (which is essential as Let's
> > > Encrypt certificates are short lived) so this must be automated.
> > > 
> > > But how best to set this up and automate the certificate generation
> > > and renewal?
> > > 
> > > Let's assume Ansible is being run from a separate machine that is
> > > not part of the cluster and needs to deploy those custom
> > > certificates to the master(s). The certificate needs to be present
> > > on the ansible machine but needs to apply to the master(s) (or load
> > > balancer?). So you can't just generate the certificate on the
> > > ansible machine (e.g. using the --standalone option for certbot) as
> > > it would not be for the right machine.
> > > 
> > > Similarly it doesn't seem right to request and update the
> > > certificates on the master (which master in the case of multiple
> > > masters?), and those certificates need to be present on the ansible
> > > machine.
> > > 
> > > Seems like the answer might be to run a process on the ansible
> > > machine that requests the certificates using the webroot plugin and
> > > in doing so places the magical key that is used to verify ownership
> > > of the domain under the https://your.site.com/.well-known/acme-challenge
> > > location? But how to go about doing this? Ports 80 and 443 seem to
> > > be in use on the cluster, but not serving up any particular content.
> > > How to place the content there?
> > > 
> > > I'm hoping others have already needed to handle this problem and can
> > > point to some best practice.
> > > 
> > > Thanks
> > > Tim
> > > 
> > > 
> > > _______________________________________________
> > > users mailing list
> > > users lists openshift redhat com
> > > http://lists.openshift.redhat.com/openshiftmm/listinfo/users