Generate Let's Encrypt (ACME) Certs for OpenShift 4
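#!/bin/sh
# Obtain Let's Encrypt certificates for an OpenShift 4 cluster with lego
# (ACME, Route53 DNS-01 challenge) and install them as the default
# ingress certificate.
#
# Usage:  os4-acme-certs.sh email@example.com
#   $1 - contact e-mail registered with the ACME account
#
# Requires:
#   - AWS_* credentials in the environment (used by lego's route53 provider)
#   - the `lego` binary on PATH
#   - `oc` with a working KUBECONFIG for the target cluster
#
# lego writes the issued certificate AND its private key to
# ./.lego/certificates/ relative to the current directory; keep that
# directory out of version control and restrict its permissions.
#
# Exits 1 with a message on stderr if any prerequisite is missing.

set -u

EMAIL="${1:-}"
if [ "${#}" -ne 1 ]; then
  echo "USAGE: os4-acme-certs.sh email@example.com" >&2
  echo "QUITTING" >&2
  exit 1
fi

# Count AWS_* variables. The count must be tested, not $?: `wc -l`/grep -c
# exit successfully even when nothing matched, so testing $? would either
# always pass or always fail.
AWS_VARS="$(env | grep -c '^AWS')"
if [ "${AWS_VARS}" -lt 1 ]; then
  echo "Please set the correct AWS environment variables to proceed" >&2
  echo "QUITTING" >&2
  exit 1
fi

# `command -v` is the POSIX replacement for `which`.
if ! command -v lego >/dev/null 2>&1; then
  echo "You must download lego from https://github.com/go-acme/lego/releases to proceed" >&2
  echo "QUITTING" >&2
  exit 1
fi

# stdout is discarded; oc's own error text still reaches stderr.
if ! oc whoami >/dev/null; then
  echo "Cannot access Kubernetes API server. Do you have \"oc\" installed and access to" >&2
  echo "a working KUBECONFIG?" >&2
  echo "QUITTING" >&2
  exit 1
fi

# API host from the server URL (https://HOST:PORT -> HOST); the sed pass
# collapses a "-api." infix if the cluster uses that naming scheme.
API_SERVER="$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')"
# Wildcard ingress domain as reported by the default ingress controller.
WILDCARD="$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')"
if [ -z "${API_SERVER}" ] || [ -z "${WILDCARD}" ]; then
  echo "Could not determine the API server host or the ingress domain from the cluster" >&2
  echo "QUITTING" >&2
  exit 1
fi

CERT_DIR=".lego/certificates"
CERT_FILE="${CERT_DIR}/${API_SERVER}.crt"
KEY_FILE="${CERT_DIR}/${API_SERVER}.key"

if [ -f "${CERT_FILE}" ] || [ -f "${CERT_DIR}/${API_SERVER}.certs" ]; then
  echo "Found previously issued lego certs, attempting to apply them"
else
  echo "No issued lego certs found. Requesting them now"
  # "*.${WILDCARD}" is quoted so the shell cannot glob-expand it against
  # files in the current directory before lego sees it.
  if ! lego --dns route53 -a -m "${EMAIL}" -d "${API_SERVER}" -d "${WILDCARD}" -d "*.${WILDCARD}" run; then
    echo "lego did not obtain the certificates" >&2
    echo "QUITTING" >&2
    exit 1
  fi
  if [ ! -f "${CERT_FILE}" ] || [ ! -f "${KEY_FILE}" ]; then
    echo "lego finished but ${CERT_FILE} or ${KEY_FILE} is missing" >&2
    echo "QUITTING" >&2
    exit 1
  fi
fi

oc project openshift-ingress || exit 1
#oc delete secret router-certs-default
# Render the secret with a client-side dry run and apply it, so that a
# re-run (e.g. after renewal) updates an existing secret instead of failing
# with AlreadyExists.
oc create secret tls letsencrypt-certs -n openshift-ingress \
  --cert="${CERT_FILE}" --key="${KEY_FILE}" --dry-run -o yaml | oc apply -f - || exit 1
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \
  --patch='{"spec": { "defaultCertificate": { "name": "letsencrypt-certs" }}}'
#oc delete pods -l ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default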
Nice script. Refer to https://github.com/redhat-cop/openshift-lab-origin/blob/master/OpenShift4/Lets_Encrypt_Certificates_for_OCP4.adoc for instructions about also replacing the API certificate so your cluster will be even better.