cert-manager Operator for Red Hat OpenShift v1.13

The IBM Power development team is happy to introduce cert-manager Operator for Red Hat OpenShift on Power. cert-manager is a “cluster-wide service that provides application certificate lifecycle management”. This service manages certificates and integrates with external certificate authorities using the Automated Certificate Management Environment (ACME) protocol.

For v1.13, the release notes also describe expanded support for multiple architectures: AMD64, IBM Z® (s390x), IBM Power® (ppc64le) and ARM64.

This is exciting, and I’ll give you a flavor of how to use cert-manager with your OpenShift cluster. I’ll demonstrate how to use Let’s Encrypt for the HTTP01 challenge type, and IBM Cloud Internet Services paired with Let’s Encrypt for the DNS01 challenge type.

This write-up uses a 4.13 cluster on IBM PowerVS deployed with ocp4-upi-powervs; the same steps apply to 4.14 and to on-premises environments. To facilitate the HTTP01 challenge type, the IBM Cloud Services section of the configuration is used:

### Using IBM Cloud Services
use_ibm_cloud_services    = true
ibm_cloud_vpc_name        = "rdr-cert-manager-vpc"
ibm_cloud_vpc_subnet_name = "sn-20231206-01"
ibm_cloud_resource_group  = "resource-group"
iaas_vpc_region           = "au-syd"               # if empty, will default to ibmcloud_region.
ibm_cloud_cis_crn         = "crn:v1:bluemix:public:internet-svcs:global:a/<account_id>:<cis_instance_id>::"
ibm_cloud_tgw             = "rdr-sec-certman"      # Name of existing Transit Gateway where VPC and PowerVS targets are already added.

This means you would have a CIS instance set up with a real domain linked. You configure the IBM Cloud VPC to connect to the PowerVS workspace over a Transit Gateway; ideally the connection uses the PER networking feature of PowerVS. This sets up a real hostname for the callback from Let’s Encrypt and configures the load balancers, which carry the port 80/443 traffic.

To set up cert-manager, log in to the Web Console as an administrator.

  1. Click on Operators > OperatorHub
  2. Filter on cert-manager
  3. Select cert-manager for Red Hat OpenShift
  4. Click Install using the namespace provided
  5. Wait a few minutes for it to install.

You now have a working cert-manager operator and are ready for the HTTP01 challenge type. For this, we switch to the command line.

  1. Log in via the command line as a cluster-admin.
  2. Set up the letsencrypt-http01 Issuer:
cat << EOF | oc apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-http01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: openshift-default
EOF

Note: the above uses the production Let’s Encrypt endpoint; you could use staging instead. Be careful how many certificates you create and which service you use, as rate limiting may apply.

  3. Let’s create a certificate for a hostname served by my cluster:
cat << EOF | oc apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-test-http01
spec:
  dnsNames:
  - testa.$(oc project --short).apps.cm-4a41.domain.name
  issuerRef:
    name: letsencrypt-http01
  secretName: cert-test-http01b-sec
EOF
  4. We can check progress using oc:
#  oc get certificate,certificaterequest,order
NAME                                         READY SECRET                AGE
certificate.cert-manager.io/cert-test-http01 True  cert-test-dns01-b-sec 48m

NAME                                                APPROVED DENIED READY ISSUER                                 REQUESTOR                                         AGE
certificaterequest.cert-manager.io/cert-test-http01 True            True  letsencrypt-prody                      system:serviceaccount:cert-manager:cert-manager   25m

NAME                                                     STATE   AGE
order.acme.cert-manager.io/cert-test-http01-3937192702   valid   25m

Once the order switches from pending to valid, your certificate is available in the secret named by secretName.

  5. Get the certificate using oc. You can also mount the secret, or use it for a route:
oc get secret cert-test-http01b-sec -oyaml

If you don’t have direct access to the internet, or HTTP01 is not an option, you can use the cert-manager-webhook-ibmcis DNS01 solver.

  1. Clone the repository: git clone https://github.com/IBM/cert-manager-webhook-ibmcis.git
  2. Change to the directory: cd cert-manager-webhook-ibmcis
  3. Create the webhook project: oc new-project cert-manager-webhook-ibmcis
  4. Update the pod-security labels:
oc label namespace/cert-manager-webhook-ibmcis pod-security.kubernetes.io/enforce=privileged --overwrite=true
oc label namespace/cert-manager-webhook-ibmcis pod-security.kubernetes.io/audit=privileged --overwrite=true
oc label namespace/cert-manager-webhook-ibmcis pod-security.kubernetes.io/warn=privileged --overwrite=true
  5. Create the ibmcis deployment: oc apply -f cert-manager-webhook-ibmcis.yaml
  6. Once the pods in cert-manager-webhook-ibmcis are available and ready, we can proceed.
  7. Create the api-token secret. It is recommended you use a service ID with access scoped to your CIS instance:
oc create secret generic ibmcis-credentials --from-literal=api-token="<YOUR API KEY>"
  8. Retrieve your CRN using the ibmcloud CLI, and save the ID:
❯ ibmcloud cis instances
Retrieving service instances for service 'internet-svcs'
OK
Name                      ID                Location   State    Service Name
mycis       crn:v1:bluemix:public:internet-svcs:global:a/<ACCOUNT_NUM>:<INSTANCE_ID>::   global     active   internet-svcs
  9. Create the ClusterIssuer, updating YOUR_EMAIL and the CIS ID (cisCRN):
cat << EOF | oc apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prody
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: <YOUR_EMAIL>

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName: acme.borup.work
          solverName: ibmcis
          config:
            apiKeySecretRef:
              name: ibmcis-credentials
              key: api-token
            cisCRN: 
              - "crn:v1:bluemix:public:internet-svcs:global:a/<ACCOUNT_NUM>:<INSTANCE_ID>::"
EOF
  10. Create the DNS01 Certificate:
cat << EOF | oc apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-test-dns01-b
  namespace: cert-manager-webhook-ibmcis
spec:
  commonName: "ts-a.cm-4a41.domain.name"
  dnsNames:
  - "ts-a.cm-4a41.domain.name"
  issuerRef:
    name: letsencrypt-prody
    kind: ClusterIssuer
  secretName: cert-test-dns01
EOF
  11. Wait until your certificate is READY=True:
# oc get certificate
NAME                                      READY   SECRET                                    AGE
cert-test-dns01-b                         True    cert-test-dns01-b-sec                     75m
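The table views in step 4 of the HTTP01 walkthrough and step 11 above show readiness but not why an order is stuck. The following is an added example (not part of this post or the cert-manager project) that summarises the JSON form of the same objects, giving each Certificate its Ready state, its secret, and the state and reason of its Order. It assumes the Order carries the cert-manager.io/certificate-name annotation, and the sample input is constructed to mirror the objects created in this post, with the DNS01 order shown as having failed.

```python
import json
import sys

# Constructed sample shaped like `oc get certificate,order -o json` for the objects
# in this post; the second Order is made to fail so the failure path is exercised.
SAMPLE = json.dumps({"items": [
    {"kind": "Certificate", "metadata": {"name": "cert-test-http01"},
     "spec": {"secretName": "cert-test-http01b-sec"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"kind": "Order",
     "metadata": {"name": "cert-test-http01-3937192702",
                  "annotations": {"cert-manager.io/certificate-name": "cert-test-http01"}},
     "status": {"state": "valid"}},
    {"kind": "Certificate", "metadata": {"name": "cert-test-dns01-b"},
     "spec": {"secretName": "cert-test-dns01"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist"}]}},
    {"kind": "Order",
     "metadata": {"name": "cert-test-dns01-b-1",
                  "annotations": {"cert-manager.io/certificate-name": "cert-test-dns01-b"}},
     "status": {"state": "errored", "reason": "DNS01 challenge failed: TXT record not found"}},
]})


def cert_status(oc_json: str) -> dict:
    """Map each Certificate name to readiness, secret name, Order state and reason."""
    items = json.loads(oc_json)["items"]
    orders = {}
    for it in items:
        if it["kind"] == "Order":
            # Assumption: the Order is annotated with its owning Certificate's name.
            owner = it["metadata"].get("annotations", {}).get("cert-manager.io/certificate-name")
            st = it.get("status", {})
            orders[owner] = (st.get("state", "pending"), st.get("reason", ""))  # latest wins
    out = {}
    for it in items:
        if it["kind"] != "Certificate":
            continue
        name = it["metadata"]["name"]
        conds = it.get("status", {}).get("conditions", [])
        ready = next((c for c in conds if c.get("type") == "Ready"), {})
        state, reason = orders.get(name, ("none", ""))
        out[name] = {"ready": ready.get("status") == "True",
                     "secret": it["spec"]["secretName"],
                     "order": state,
                     "reason": reason or ready.get("reason", "")}
    return out


if __name__ == "__main__":
    # Pipe `oc get certificate,order -o json` into this script, or run it on the sample.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(json.dumps(cert_status(src), indent=2))
```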

You’ve seen how to use both challenge types with Let’s Encrypt and CIS, and are ready to go.

Best wishes,

The Dev Team
