Introduction

In this post we will replace the OpenShift default ingress certificate. The default certificate is self-signed by the cluster, so users' browsers do not know or trust it and warn on every route. A custom certificate, signed by a CA the users already trust, removes those warnings and gives them a certificate they can verify.

First we will create a root CA private key and CA certificate, then a certificate signing request (CSR) for the ingress wildcard, sign it with the CA, and finally install the result in OpenShift.

Procedure

Self-signed root CA Certificate

Create the CA private key and a self-signed CA certificate valid for 5 years (1825 days). The second command prompts for the subject fields of the CA:

$ openssl genrsa -out myCA.key 2048
$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Default Ingress Certificate

Create the following file, which answers the CSR prompts and lists the wildcard names the ingress certificate must cover as subject alternative names (SANs):

csr_answers.txt

[req]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = req_ext
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = New York
L = New York
O = MyOrg
OU = MyOU
emailAddress = me@working.me
CN = ingress

[req_ext]
subjectAltName = @alt_names
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

[alt_names]
DNS.1 = *.apps.ocp.k8s.co.il
DNS.2 = ocp.k8s.co.il
DNS.3 = *.ocp.k8s.co.il

Run the following command to create the private key and the certificate request (the file can be passed directly to -config; no process substitution is needed):

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout wildcard.apps.ocp.k8s.co.il.key -out wildcard.apps.ocp.k8s.co.il.csr -config csr_answers.txt

Next, create the extensions file used when signing. openssl x509 -req does not copy the extensions from the CSR into the certificate, so the SANs and the other extensions have to be supplied again here, and the authorityKeyIdentifier is now enabled so the certificate points at the issuing CA:

wildcard.ext

[ req_ext ]
subjectAltName = DNS:*.apps.ocp.k8s.co.il,DNS:ocp.k8s.co.il,DNS:*.ocp.k8s.co.il
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

Now sign the CSR with the CA to produce the wildcard certificate, valid for 10 years (3650 days):

$ openssl x509 -req -in wildcard.apps.ocp.k8s.co.il.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -days 3650 -sha256 -out wildcard.apps.ocp.k8s.co.il.crt -extfile wildcard.ext -extensions req_ext

Now we can move on to installing the certificates in the cluster.

CA Certificate Configmap

Create a ConfigMap that includes the certificate authority used to sign the new certificate:

$ oc create configmap custom-ca \
     --from-file=ca-bundle.crt=/path/to/myCA.pem \
     -n openshift-config

NOTE: The key in the ConfigMap must be named ca-bundle.crt (hence --from-file=ca-bundle.crt=...); the cluster reads the trusted bundle from that key.

Update the cluster-wide proxy configuration to trust the newly created ConfigMap:

$ oc patch proxy/cluster \
  --type=merge \
  --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'

NOTE: This will reboot your hosts. Be patient and watch the cluster operators until all of them report Available and none is Progressing or Degraded:

$ watch -d -n1 oc get co

Ingress Certificate Secret

Prepare the full-chain certificate for the wildcard (the signed .crt file first, then the CA certificate):

$ cat wildcard.apps.ocp.k8s.co.il.crt myCA.pem > fullchainwildcard.apps.ocp.k8s.co.il.pem

Create a secret that contains the wildcard certificate and key:

$ oc create secret tls fullchainwildcard.apps.ocp.k8s.co.il \
  --cert=/path/to/fullchainwildcard.apps.ocp.k8s.co.il.pem \
  --key=/path/to/wildcard.apps.ocp.k8s.co.il.key \
  -n openshift-ingress

Replace the Ingress Certificate

Update the Ingress Controller configuration with the newly created secret:

$ oc patch ingresscontroller.operator default \
  --type=merge -p \
  '{"spec":{"defaultCertificate": {"name": "fullchainwildcard.apps.ocp.k8s.co.il"}}}' \
   -n openshift-ingress-operator

Wait until the router pods are replaced. You can monitor them with:

$ watch -d -n1 oc get pods -n openshift-ingress

NOTE: This can take 10 minutes or more. Be patient.

Finally, open a new private (incognito) browser window, browse to a route under *.apps.ocp.k8s.co.il, and confirm that the certificate presented is the new wildcard certificate issued by your CA.

Summary

Wrapping up, replacing the default ingress certificate in OpenShift is crucial for securing communication. In this post, I've guided you through the steps to achieve this essential task. You can do this on a single-node (SNO) OpenShift or on a fully fledged installation. At Octopus, we maintain secure OpenShift environments for our customers, and we are here to support you in implementing best practices that ensure the safety and reliability of your Kubernetes deployments.