By default, OpenShift Container Platform uses the Ingress Operator to create an internal CA and issue a wildcard certificate that is valid for applications under the .apps sub-domain. Both the web console and the CLI use this certificate as well.

The internal infrastructure CA certificates are self-signed. Some security or PKI teams consider this bad practice, but the risk is small: the only clients that implicitly trust these certificates are other components within the cluster. Browsers and other external clients do not trust the internal CA, so they see an untrusted issuer when they connect to applications under .apps.

Replacing the default wildcard certificate with one issued by a public CA that is already included in the CA bundle shipped in the container userspace allows external clients to connect securely to applications running under the .apps sub-domain.
You can replace the default ingress certificate for all applications under the .apps sub-domain. After you replace the certificate, all applications, including the web console and the CLI, are served with the specified certificate.

Prerequisites:

  - A wildcard certificate and its private key, both in PEM format.
  - The certificate must have a subjectAltName extension of *.apps.<clustername>.<domain>. A wildcard in the Common Name alone is not sufficient; modern clients match only against subjectAltName.
Create a config map that includes the certificate authority used to sign the new certificate. The key must be ca-bundle.crt:

  $ oc create configmap custom-ca \
       --from-file=ca-bundle.crt=</path/to/example-ca.crt> \ (1)
       -n openshift-config

  (1) </path/to/example-ca.crt> is the path to the certificate authority file on your local file system.
Update the cluster-wide proxy configuration with the newly created config map. This is how components inside the cluster come to trust the issuer of the new certificate:

  $ oc patch proxy/cluster \
       --type=merge \
       --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
Create a secret that contains the wildcard certificate and key. If the certificate was issued through an intermediate CA, the certificate file should contain the full chain, leaf certificate first, followed by the intermediates, so that clients receive the whole chain during the TLS handshake:

  $ oc create secret tls <certificate> \ (1)
       --cert=</path/to/cert.crt> \ (2)
       --key=</path/to/cert.key> \ (3)
       -n openshift-ingress

  (1) <certificate> is the name of the secret that will contain the certificate and private key.
  (2) </path/to/cert.crt> is the path to the certificate on your local file system.
  (3) </path/to/cert.key> is the path to the private key associated with this certificate.
Update the Ingress Controller configuration with the newly created secret:

  $ oc patch ingresscontroller.operator default \
       --type=merge -p \
       '{"spec":{"defaultCertificate": {"name": "<certificate>"}}}' \ (1)
       -n openshift-ingress-operator

  (1) Replace <certificate> with the name used for the secret in the previous step.
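A mistake in any of the steps above (a key that does not belong to the certificate, a missing wildcard SAN, a CA file that does not actually sign the certificate) is only discovered after the Ingress Controller has rolled out the new default certificate and routes start failing. The following pre-flight check is an added example, not part of the OpenShift documentation or the Ingress Operator; it runs the four checks a practitioner wants before the oc create secret tls step, using only the openssl command line tool, which is assumed to be installed on the workstation. The apps domain argument (for example apps.mycluster.example.com) is the apps.<clustername>.<domain> part of the required subjectAltName.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a replacement ingress certificate.
# Usage: check_ingress_cert <cert.crt> <cert.key> <ca-bundle.crt> <apps-domain>
#   <apps-domain> is apps.<clustername>.<domain>, e.g. apps.mycluster.example.com
# Returns 0 if every check passes, 1 otherwise, with the failing check on stderr.
check_ingress_cert() {
  cic_cert="$1"; cic_key="$2"; cic_ca="$3"; cic_apps="$4"

  # Check 1: the private key belongs to this certificate. Both commands emit
  # the SubjectPublicKeyInfo in PEM form, so a plain string compare is enough.
  cic_cert_pub=$(openssl x509 -in "$cic_cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read certificate $cic_cert" >&2; return 1; }
  cic_key_pub=$(openssl pkey -in "$cic_key" -pubout 2>/dev/null) \
    || { echo "cannot read private key $cic_key" >&2; return 1; }
  if [ "$cic_cert_pub" != "$cic_key_pub" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi

  # Check 2: the subjectAltName extension carries exactly DNS:*.<apps-domain>.
  # Split the SAN line into one entry per line and match the whole entry
  # literally (-x -F), so '*' and '.' are not treated as regex metacharacters
  # and a longer name that merely starts with the domain does not pass.
  if ! openssl x509 -in "$cic_cert" -noout -text \
       | grep -A1 'Subject Alternative Name' \
       | tr ',' '\n' | sed 's/^[[:space:]]*//' \
       | grep -qxF "DNS:*.$cic_apps"; then
    echo "subjectAltName does not contain *.$cic_apps" >&2; return 1
  fi

  # Check 3: the certificate chains to the CA that will go into the custom-ca
  # config map. The cert file is also passed as -untrusted so that any
  # intermediates bundled after the leaf are available for chain building.
  if ! openssl verify -CAfile "$cic_ca" -untrusted "$cic_cert" "$cic_cert" >/dev/null 2>&1; then
    echo "certificate does not verify against $cic_ca" >&2; return 1
  fi

  # Check 4: the certificate is valid for at least another 24 hours.
  if ! openssl x509 -in "$cic_cert" -noout -checkend 86400 >/dev/null; then
    echo "certificate is expired or expires within 24h" >&2; return 1
  fi

  echo "ok: $cic_cert is ready for 'oc create secret tls' in openshift-ingress"
  return 0
}
```

Run it as check_ingress_cert cert.crt cert.key example-ca.crt apps.<clustername>.<domain> with the same three files you are about to hand to oc; a non-zero exit means stop before patching the Ingress Controller. Check 1 catches the most common mistake (pairing the certificate with the wrong key), check 2 catches a certificate that only has the wildcard in its Common Name, and check 3 catches a CA file that is not the actual issuer, which would leave in-cluster components distrusting the new certificate even though external clients accept it.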