openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
cef577401311e24b1b88fcc46f31e8fbbd99a894
openshift-docs/modules/serverless-ossm-external-certs.adoc
Kathryn Alexander 90d985a0bb [enterprise-4.14] changing content type attribute
2023-10-30 10:13:25 -04:00

65 lines
2.2 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * /serverless/integrations/serverless-ossm-setup.adoc
:_mod-docs-content-type: PROCEDURE
[id="serverlesss-ossm-external-certs_{context}"]
= Creating a certificate to encrypt incoming external traffic
By default, the {SMProductShortName} mTLS feature only secures traffic inside of the {SMProductShortName} itself, between the ingress gateway and individual pods that have sidecars. To encrypt traffic as it flows into the {product-title} cluster, you must generate a certificate before you enable the {ServerlessProductName} and {SMProductShortName} integration.
.Prerequisites
ifdef::openshift-enterprise[]
* You have access to an {product-title} account with cluster administrator access.
endif::[]
ifdef::openshift-dedicated,openshift-rosa[]
* You have access to an {product-title} account with cluster or dedicated administrator access.
endif::[]
* You have installed the {ServerlessOperatorName} and Knative Serving.
* Install the OpenShift CLI (`oc`).
* You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
.Procedure
. Create a root certificate and private key that signs the certificates for your Knative services:
+
[source,terminal]
----
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
-subj '/O=Example Inc./CN=example.com' \
-keyout root.key \
-out root.crt
----
. Create a wildcard certificate:
+
[source,terminal]
----
$ openssl req -nodes -newkey rsa:2048 \
-subj "/CN=*.apps.openshift.example.com/O=Example Inc." \
-keyout wildcard.key \
-out wildcard.csr
----
. Sign the wildcard certificate:
+
[source,terminal]
----
$ openssl x509 -req -days 365 -set_serial 0 \
-CA root.crt \
-CAkey root.key \
-in wildcard.csr \
-out wildcard.crt
----
. Create a secret by using the wildcard certificate:
+
[source,terminal]
----
$ oc create -n istio-system secret tls wildcard-certs \
--key=wildcard.key \
--cert=wildcard.crt
----
+
This certificate is picked up by the gateways created when you integrate {ServerlessProductName} with {SMProductShortName}, so that the ingress gateway serves traffic with this certificate.
View Git Blame Copy Permalink