Generate Let's Encrypt (ACME) Certs for OpenShift 4
#!/bin/sh
# Request Let's Encrypt certificates for an OpenShift 4 cluster with lego
# (ACME DNS-01 challenge via Route53) and install them as the default
# certificate of the ingress controller.
EMAIL="${1}"
if [ "${#}" -ne 1 ]; then
  echo "USAGE: os4-acme-certs.sh email@example.com"
  echo "QUITTING"
  exit 1
fi
# lego's route53 provider reads its AWS credentials/region from AWS_* variables.
# Test the number of matching variables, not $?: a pipeline ending in wc/grep -c
# assigned to a variable always leaves $? at 0, so the original check never passed.
OUT="$(env | grep -c '^AWS')"
if [ "${OUT}" -lt 1 ]; then
  echo "Please set the correct AWS environment variables to proceed"
  echo "QUITTING"
  exit 1
fi
if ! command -v lego >/dev/null 2>&1; then
  echo "You must download lego from https://github.com/go-acme/lego/releases to proceed"
  echo "QUITTING"
  exit 1
fi
if ! oc whoami >/dev/null 2>&1; then
  echo "Cannot access Kubernetes API server. Do you have 'oc' installed and access to"
  echo "a working KUBECONFIG?"
  echo "QUITTING"
  exit 1
fi
# API hostname taken from the server URL, e.g. https://api.cluster.example.com:6443
# becomes api.cluster.example.com (the sed drops a "-api." label if the URL carries one).
API_SERVER="$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')"
# Base domain served by the default ingress controller, e.g. apps.cluster.example.com
WILDCARD="$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')"
if [ -z "${API_SERVER}" ] || [ -z "${WILDCARD}" ]; then
  echo "Could not determine the API hostname or the ingress domain from the cluster"
  echo "QUITTING"
  exit 1
fi
# lego names its output files after the first -d domain, under ./.lego by default.
CERT=".lego/certificates/${API_SERVER}.crt"
KEY=".lego/certificates/${API_SERVER}.key"
if [ -f "${CERT}" ] && [ -f "${KEY}" ]; then
  echo "Found previously issued lego certs, attempting to apply them"
else
  echo "No issued lego certs found. Requesting them now"
  # The wildcard must be quoted, otherwise the shell expands *.${WILDCARD} as a glob.
  lego --dns route53 -a -m "${EMAIL}" -d "${API_SERVER}" -d "${WILDCARD}" -d "*.${WILDCARD}" run || exit 1
fi
# Install the certificate in the openshift-ingress namespace and point the default
# ingress controller at it. The secret is recreated so that re-running the script
# after a renewal replaces the old certificate instead of failing on "already exists".
#oc delete secret router-certs-default -n openshift-ingress
oc delete secret letsencrypt-certs -n openshift-ingress --ignore-not-found
oc create secret tls letsencrypt-certs -n openshift-ingress --cert="${CERT}" --key="${KEY}"
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "letsencrypt-certs" }}}'
#oc delete pods -l ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
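The script hands whatever lego wrote straight to the ingress controller. A check worth running first is that the certificate actually carries the three names the cluster needs (the API host, the apps domain and its wildcard) and is not close to expiry, since a cert that is missing the wildcard SAN or that has lapsed will break every route on the cluster at once. The functions below are an added example written for this page, not code from the gist or from lego; they only assume that `openssl` is on the PATH, and the paths and hostnames in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the gist): sanity-check a PEM certificate before
# handing it to the OpenShift ingress controller. Intended to be run against the
# lego output, e.g. .lego/certificates/api.cluster.example.com.crt (hypothetical).

# cert_dns_sans CERT: print the DNS entries of the Subject Alternative Name
# extension, one per line. Uses openssl's text dump, so it works on any version.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers CERT NAME...: succeed only if every NAME is present as a DNS SAN.
# The comparison is exact: '*.apps.example.com' is matched literally, and a
# host such as foo.apps.example.com is NOT accepted on the strength of the
# wildcard entry (that is deliberate: we check what was issued, not what a
# client would accept).
cert_covers() {
  cert="$1"; shift
  sans="$(cert_dns_sans "$cert")"
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF -- "$name"; then
      echo "certificate lacks SAN: $name" >&2
      return 1
    fi
  done
  return 0
}

# cert_valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS.
# openssl's -checkend does the date arithmetic, so this is portable across
# GNU and BSD userlands.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# ingress_cert_precheck CERT API_HOST APPS_DOMAIN: require the API host, the
# apps domain and its wildcard to be covered, and at least 30 days of validity.
ingress_cert_precheck() {
  cert="$1"; api_host="$2"; apps_domain="$3"
  cert_covers "$cert" "$api_host" "$apps_domain" "*.$apps_domain" || return 1
  if ! cert_valid_for_days "$cert" 30; then
    echo "certificate expires within 30 days; renew before applying" >&2
    return 1
  fi
  echo "OK: $cert covers $api_host, $apps_domain and *.$apps_domain"
}

# Usage (hypothetical paths and hostnames), to be run before the oc create/patch step:
#   ingress_cert_precheck .lego/certificates/api.cluster.example.com.crt \
#       api.cluster.example.com apps.cluster.example.com || exit 1
```

Feeding `ingress_cert_precheck` the same `API_SERVER` and `WILDCARD` values the script derives from the cluster makes the check independent of what was typed on the lego command line: if the two disagree, the mismatch shows up here rather than as a TLS error on the first route you open.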
@soukron soukron commented Apr 9, 2020

Nice script. Refer to https://github.com/redhat-cop/openshift-lab-origin/blob/master/OpenShift4/Lets_Encrypt_Certificates_for_OCP4.adoc for instructions about also replacing the API certificate so your cluster will be even better.
