mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-06 06:46:26 +01:00
openshift-docs/modules/customize-certificates-replace-default-router.adoc
2020-08-05 13:47:29 +00:00

// Module included in the following assemblies:
//
// * security/certificates/replacing-default-ingress-certificate.adoc
[id="replacing-default-ingress_{context}"]
= Replacing the default ingress certificate
You can replace the default ingress certificate for all
applications under the `.apps` subdomain. After you replace
the certificate, all applications served through the default Ingress Controller,
including the web console and CLI, are served with TLS using the specified certificate.
.Prerequisites
* You must have a wildcard certificate for the fully qualified `.apps` subdomain
and its corresponding private key. Each should be in a separate PEM format file.
* The private key must be unencrypted. If your key is encrypted, decrypt it
before importing it into {product-title}.
* The certificate must include the `subjectAltName` extension listing
`*.apps.<clustername>.<domain>`.
* The certificate file can contain one or more certificates in a chain. The
wildcard certificate must be the first certificate in the file. It can then be
followed with any intermediate certificates, and the file should end with the
root CA certificate.
* Copy the root CA certificate into an additional PEM format file.
.Procedure
. Create a ConfigMap that includes only the root CA certificate used to sign the wildcard certificate:
+
[source,terminal]
----
$ oc create configmap custom-ca \
     --from-file=ca-bundle.crt=</path/to/example-ca.crt> \ <1>
     -n openshift-config
----
<1> `</path/to/example-ca.crt>` is the path to the root CA certificate file on your local file system.
. Update the cluster-wide proxy configuration with the newly created ConfigMap, so that cluster components trust the CA that signed the wildcard certificate:
+
[source,terminal]
----
$ oc patch proxy/cluster \
--type=merge \
--patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
----
. Create a secret that contains the wildcard certificate chain and key:
+
[source,terminal]
----
$ oc create secret tls <secret> \ <1>
     --cert=</path/to/cert.crt> \ <2>
     --key=</path/to/cert.key> \ <3>
     -n openshift-ingress
----
<1> `<secret>` is the name of the secret that will contain the certificate chain
and private key.
<2> `</path/to/cert.crt>` is the path to the certificate chain on your local
file system.
<3> `</path/to/cert.key>` is the path to the private key associated
with this certificate.
. Update the Ingress Controller configuration with the newly created
secret:
+
[source,terminal]
----
$ oc patch ingresscontroller.operator default \
     --type=merge -p \
     '{"spec":{"defaultCertificate": {"name": "<secret>"}}}' \ <1>
     -n openshift-ingress-operator
----
<1> Replace `<secret>` with the name used for the secret in
the previous step.
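The prerequisites above (unencrypted key, wildcard SAN, leaf first and root last in the chain, a separate file holding only the root CA) are not validated by the `oc create` commands: a wrong file is accepted and only shows up when the router pods restart with a certificate that clients reject. The following pre-flight check is an added example for this page, not code from the OpenShift documentation or the product. It assumes a POSIX shell with `awk`, `grep` and the `openssl` CLI; the function names `check_ingress_material` and `nth_cert` are chosen here and are not part of any tool. Run it against the three files before creating the secret and the ConfigMap.

```sh
#!/bin/sh
# Pre-flight check of the wildcard certificate chain, private key and root CA
# file before loading them with `oc create secret tls` / `oc create configmap`.
# Added example, not code from the OpenShift documentation. Needs only a POSIX
# shell, awk, grep and the openssl CLI.
#
# Usage:
#   check_ingress_material cert.crt cert.key example-ca.crt '*.apps.<clustername>.<domain>'
# Returns 0 when every check passes; prints the first failing check to stderr
# and returns 1 otherwise.

# Print the k-th PEM certificate block (1-based) of a file that may hold a chain.
nth_cert() {
  awk -v k="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n == k' "$1"
}

# Count the PEM certificate blocks in a file (prints 0 when there are none).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

fail() { echo "FAIL: $*" >&2; }

# Worker: $1 is a scratch directory, $2..$5 are chain, key, CA file, wildcard.
_check_ingress_material() {
  tmp=$1 chain=$2 key=$3 ca=$4 wildcard=$5

  # 1. The key must be unencrypted. Legacy PEM ("Proc-Type: 4,ENCRYPTED") and
  #    PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") encrypted keys both carry this word.
  if grep -q ENCRYPTED "$key"; then
    fail "private key is encrypted; decrypt it before importing"; return 1
  fi

  # 2. The CA file for the ConfigMap must hold exactly one certificate (the root).
  [ "$(cert_count "$ca")" -eq 1 ] \
    || { fail "CA file $ca must contain exactly one certificate"; return 1; }

  # 3. The wildcard (leaf) certificate must be first in the chain and carry the SAN.
  n=$(cert_count "$chain")
  [ "$n" -ge 1 ] || { fail "no certificate found in $chain"; return 1; }
  nth_cert "$chain" 1    > "$tmp/leaf.pem"
  nth_cert "$chain" "$n" > "$tmp/last.pem"
  openssl x509 -in "$tmp/leaf.pem" -noout -text | grep -qF -- "DNS:$wildcard" \
    || { fail "first certificate in $chain lacks subjectAltName DNS:$wildcard"; return 1; }

  # 4. The private key must belong to that leaf certificate (compare SPKI public keys).
  leaf_pub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$leaf_pub" = "$key_pub" ] \
    || { fail "private key does not match the first certificate in $chain"; return 1; }

  # 5. The chain must end with the same root CA that goes into the ConfigMap.
  last_fp=$(openssl x509 -in "$tmp/last.pem" -noout -fingerprint -sha256)
  ca_fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256)
  [ "$last_fp" = "$ca_fp" ] \
    || { fail "last certificate in $chain is not the root CA in $ca"; return 1; }

  # 6. The path leaf -> intermediates -> root must validate against that root.
  openssl verify -CAfile "$ca" -untrusted "$chain" "$tmp/leaf.pem" >/dev/null 2>&1 \
    || { fail "chain in $chain does not verify against $ca"; return 1; }

  echo "OK: $n certificate(s) in chain, leaf SAN DNS:$wildcard, key matches, root matches $ca"
}

# Public entry point: allocates the scratch directory and always removes it.
check_ingress_material() {
  tmp=$(mktemp -d) || return 1
  _check_ingress_material "$tmp" "$@"
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```

After the Ingress Controller is patched, confirm that the router pods in `openshift-ingress` have rolled over and that a client sees the new chain, for example with `openssl s_client -connect console-openshift-console.apps.<clustername>.<domain>:443 -servername console-openshift-console.apps.<clustername>.<domain> -showcerts`; the first certificate returned should be the wildcard certificate and the issuer chain should end at the root you placed in the ConfigMap.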