@dmi3mis
Last active May 13, 2022 10:36
Using jetstack cert-manager ingress and routes in openshift
# api-cert.yaml: serving certificate for the API endpoint.
# The Certificate is issued into the cert-manager namespace; kubernetes-replicator
# then copies the resulting secret into openshift-config, which is where the
# apiserver patch further down expects to find it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-cert
  namespace: cert-manager
spec:
  secretName: api-cert
  duration: 2160h    # 90 days
  renewBefore: 360h  # renew 15 days before expiry
  issuerRef:
    kind: ClusterIssuer
    name: clusterissuer
  secretTemplate:
    annotations:
      replicator.v1.mittwald.de/replicate-to: "openshift-config"
  dnsNames:
    # ${DNSDOMAIN} is a shell variable; YAML does not expand it, so run the file
    # through envsubst (or edit it) before applying.
    - "api.ocp4.${DNSDOMAIN}"
# apps-cert.yaml: wildcard certificate for application routes.
# The secret is replicated into openshift-ingress because the IngressController's
# defaultCertificate is read from that namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: apps-cert
  namespace: cert-manager
spec:
  secretName: apps-cert
  duration: 2160h
  renewBefore: 360h
  issuerRef:
    kind: ClusterIssuer
    name: clusterissuer
  secretTemplate:
    annotations:
      replicator.v1.mittwald.de/replicate-to: "openshift-ingress"
  dnsNames:
    # A wildcard name can only be validated with DNS-01, which is why the
    # rfc2136 solver below is needed at all.
    - "*.apps.ocp4.${DNSDOMAIN}"
# ClusterIssuer.yaml: ACME issuer that completes DNS-01 challenges by sending
# TSIG-signed RFC 2136 dynamic updates to the BIND server set up below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: clusterissuer
spec:
  acme:
    email: emailbox@emaildomain.tld
    # The staging directory is selected here. It issues certificates from an
    # untrusted test CA ("(STAGING) Let's Encrypt"), which browsers and oc will
    # reject; switch to the production directory once the challenge flow works.
    # server: https://acme-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cluster-issuer-account-key
    solvers:
      - dns01:
          rfc2136:
            nameserver: 10.78.11.130:53
            # Must equal the key name declared in BIND: the script below creates
            # key "${DNSDOMAIN}" and allows updates for that name, so the
            # original value "${DNSDOMAIN}-key" would be refused (NOTAUTH/BADKEY).
            tsigKeyName: ${DNSDOMAIN}
            tsigAlgorithm: HMACSHA256
            # A ClusterIssuer looks this secret up in cert-manager's cluster
            # resource namespace (cert-manager by default), which is where
            # tsig-secret is created below.
            tsigSecretSecretRef:
              name: tsig-secret
              key: tsig-secret-key
# Ingress example: cert-manager's ingress-shim requests a certificate for the
# hosts under spec.tls and stores it in secretName. On OpenShift the Ingress is
# turned into Routes, which are served with the certificate from that secret.
# DNS-01 can only succeed for names in a zone the rfc2136 solver is allowed to
# update, so site.company.com is a placeholder for a name under your zone.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Reference the ClusterIssuer defined on this page. The cert-manager.io/issuer
    # annotation is only for a namespaced Issuer, and none is defined here.
    cert-manager.io/cluster-issuer: clusterissuer
  name: hello
spec:
  rules:
    - host: site.company.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: hello
                port:
                  number: 8080
  tls: # the hosts listed here determine what ends up in the cert's subjectAltNames
    - hosts:
        - site.company.com
        - www.site.company.com
      secretName: hello-ingress-cert
# Commands to start a DNS master server, then install and configure cert-manager with kubernetes-replicator.
# The server is what the rfc2136 DNS-01 solver talks to: https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/
# bind9 runs in a container from https://github.com/sameersbn/docker-bind
# http://www.damagehead.com/blog/2015/04/28/deploying-a-dns-server-using-docker/
# The example works on CentOS Stream.

# Your public IP: the address BIND is published on and that the zone's records point at
EXTERNALIP=123.123.123.123
PUBLICIP=${EXTERNALIP}
# Public DNS domain zone
DNSDOMAIN=example.com

mkdir -p ${PWD}/data
chmod +w ${PWD}/data
chcon -t container_file_t -R -v ${PWD}/data

# Port 10000 is webmin. It is published here on the public address with the
# root password given below; bind it to 127.0.0.1 (or drop the line) on
# anything internet-facing.
podman run --name dns -d \
  --publish ${EXTERNALIP}:53:53/tcp \
  --publish ${EXTERNALIP}:53:53/udp \
  --publish ${EXTERNALIP}:10000:10000/tcp \
  --env ROOT_PASSWORD=mysecretpassword \
  --volume ${PWD}/data:/data:Z \
  sameersbn/bind

# https://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
# Dynamic updates are accepted only when signed with the TSIG key named after the zone.
cat << EOT > ${PWD}/data/bind/etc/named.conf.local
zone "${DNSDOMAIN}" {
  type master;
  file "/var/lib/bind/${DNSDOMAIN}.hosts";
  check-names warn;
  allow-query { any; };
  allow-update { key "${DNSDOMAIN}"; };
};
EOT

# Generate the TSIG key. Lines 2-5 of rndc-confgen's output are the key clause
# (on BIND 9.11+, "tsig-keygen -a hmac-sha256 ${DNSDOMAIN}" prints just that clause).
rndc-confgen -k ${DNSDOMAIN} -A HMAC-SHA256 -b 256 | sed -n '2,5'p | tee ${PWD}/data/bind/etc/${DNSDOMAIN}.key
# The output looks like this. The secret below is the gist's sample value:
# generate your own and treat the file as a credential.
# key "${DNSDOMAIN}" {
#   algorithm hmac-sha256;
#   secret "49s7v4ruY9YeQe01R1+oGL6p89goQKN/K28r740xTmI=";
# };

cat << EOT >> ${PWD}/data/bind/etc/named.conf
include "/etc/bind/${DNSDOMAIN}.key";
include "/etc/bind/named.conf.local";
EOT

mkdir -p ${PWD}/data/bind/lib
cat << EOT >> ${PWD}/data/bind/lib/${DNSDOMAIN}.hosts
${DNSDOMAIN}. 3600 IN SOA ns1.${DNSDOMAIN}. root.${DNSDOMAIN}. 23 3600 300 2419200 300
${DNSDOMAIN}. 3600 IN NS ns1.${DNSDOMAIN}.
${DNSDOMAIN}. 3600 IN NS ns2.${DNSDOMAIN}.
ns1.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
ns2.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
api.ocp4.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
*.apps.ocp4.${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
${DNSDOMAIN}. 3600 IN A ${PUBLICIP}
EOT

# bind runs as uid/gid 101 inside this image
chown 101:101 -R ${PWD}/data
chmod 775 -R ${PWD}/data
# The key file is a credential: 775 above leaves it world-readable, so tighten it
chmod 640 ${PWD}/data/bind/etc/${DNSDOMAIN}.key
podman restart dns
firewall-cmd --add-service=dns --zone=public --permanent
firewall-cmd --reload

# Test an rfc2136 dynamic update (the same signed update cert-manager will send)
nsupdate -k ${PWD}/data/bind/etc/${DNSDOMAIN}.key << EOT
server ${EXTERNALIP}
update add testhost.${DNSDOMAIN} 60 A 123.123.123.123
send
EOT
# ... check it with dig
dig @${EXTERNALIP} -t A +short testhost.${DNSDOMAIN}
# ... expected answer: 123.123.123.123
# ... then remove the test record again
nsupdate -k ${PWD}/data/bind/etc/${DNSDOMAIN}.key << EOT
server ${EXTERNALIP}
update delete testhost.${DNSDOMAIN} A
send
EOT
# Now our authoritative DNS server accepts signed dynamic updates.
# Optionally check and configure the DNS server through the webmin web interface
firefox https://${EXTERNALIP}:10000
# login: root
# pass: mysecretpassword
oc login -u kubeadmin -p kubeadminpass https://api.ocp4.${DNSDOMAIN}:6443
# First of all, install cert-manager
oc create namespace cert-manager
oc project cert-manager
oc apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml -n cert-manager
# Install https://github.com/mittwald/kubernetes-replicator
# It replicates certificate secrets from one namespace to another:
# the certificate secrets are created in the cert-manager namespace,
# then kubernetes-replicator copies the api-cert and apps-cert secrets
# to the openshift-config and openshift-ingress namespaces.
# Both manifests are fetched from the master branch, so what gets deployed
# depends on when you run this; pin a release tag for a reproducible install.
# Create roles and service accounts (pushing secrets into other namespaces
# requires cluster-wide write access to secrets, so review rbac.yaml first)
oc apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/rbac.yaml
# Create the actual deployment
oc apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/deployment.yaml
# Take the TSIG secret from the key file written by rndc-confgen above
# (quotes and the trailing ";" are stripped). The key name in that same file is
# what the ClusterIssuer's tsigKeyName must match.
KEYFILE=${PWD}/data/bind/etc/${DNSDOMAIN}.key
SECRET=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ${KEYFILE})
oc create secret generic tsig-secret --from-literal=tsig-secret-key=${SECRET} -n cert-manager
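The secret, the key name and the algorithm all come from one file that BIND loaded, and the step above only copies one of the three by hand; a mismatch between the name BIND knows and the ClusterIssuer's tsigKeyName is the usual reason a DNS-01 challenge never completes. The helper below is an added example, not part of the gist: it reads all three values from the key clause that rndc-confgen or tsig-keygen writes (the assumed input format), sanity-checks the secret, renders the solver stanza with the copied values, and creates the secret idempotently. The function names are mine.

```shell
# Added example (not from the gist): derive tsigKeyName, tsigAlgorithm and the
# secret from the TSIG key clause BIND actually loaded, so the Kubernetes secret
# and the ClusterIssuer cannot drift from what the name server accepts.
# Assumed input is the standard BIND key clause:
#   key "example.com" {
#       algorithm hmac-sha256;
#       secret "BASE64==";
#   };

# Key name: the quoted token after "key". This is what tsigKeyName must equal.
tsig_key_name() {
  sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Secret: the base64 string without the surrounding quotes or trailing ";".
tsig_key_secret() {
  sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Algorithm in cert-manager's spelling: hmac-sha256 -> HMACSHA256.
tsig_key_algorithm() {
  sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" \
    | head -n 1 | sed 's/-//g' | tr '[:lower:]' '[:upper:]'
}

# Reject anything that is not base64, or is shorter than the 256-bit key that
# rndc-confgen -b 256 produces (32 bytes -> 44 base64 characters).
tsig_secret_is_sane() {
  case $1 in
    '' | *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  [ $(( ${#1} % 4 )) -eq 0 ] && [ ${#1} -ge 44 ]
}

# Render the rfc2136 solver stanza for the ClusterIssuer from the key file, so
# tsigKeyName and tsigAlgorithm are copied rather than retyped.
render_rfc2136_solver() {
  keyfile=$1 nameserver=$2
  printf '    solvers:\n      - dns01:\n          rfc2136:\n            nameserver: %s\n            tsigKeyName: %s\n            tsigAlgorithm: %s\n            tsigSecretSecretRef:\n              name: tsig-secret\n              key: tsig-secret-key\n' \
    "$nameserver" "$(tsig_key_name "$keyfile")" "$(tsig_key_algorithm "$keyfile")"
}

# Create or update the secret idempotently; refuses to proceed on a bad secret.
create_tsig_secret() {
  keyfile=$1 namespace=${2:-cert-manager}
  secret=$(tsig_key_secret "$keyfile")
  tsig_secret_is_sane "$secret" || {
    echo "refusing: secret in $keyfile does not look like a 256-bit TSIG key" >&2
    return 1
  }
  oc create secret generic tsig-secret --from-literal=tsig-secret-key="$secret" \
    -n "$namespace" --dry-run=client -o yaml | oc apply -f -
}

# Usage: sh tsig-helper.sh data/bind/etc/example.com.key 10.78.11.130:53
# prints the solver stanza to paste into ClusterIssuer.yaml.
if [ $# -ge 2 ]; then
  render_rfc2136_solver "$1" "$2"
fi
```

Run `create_tsig_secret "$KEYFILE"` in place of the `oc create secret` line above when re-running the procedure; the dry-run/apply pair updates an existing secret instead of failing on it.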
# The manifests contain ${DNSDOMAIN}; oc does not expand shell variables, so substitute first
envsubst < ClusterIssuer.yaml | oc apply -f -
envsubst < apps-cert.yaml | oc apply -f -
envsubst < api-cert.yaml | oc apply -f -
watch oc get clusterissuer,certificate,certificaterequests.cert-manager.io,order,challenge,pod,ingress,route
# Make the *.apps wildcard the router's default certificate (the secret was replicated into openshift-ingress)
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "apps-cert"}}}' -n openshift-ingress-operator
# Serve api-cert for the API hostname (the secret was replicated into openshift-config).
# The kube-apiserver pods roll out afterwards, which takes a few minutes.
oc patch apiserver cluster --type=merge -p "{\"spec\":{\"servingCerts\":{\"namedCertificates\":[{\"names\":[\"api.ocp4.${DNSDOMAIN}\"],\"servingCertificate\":{\"name\":\"api-cert\"}}]}}}"
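Once both patches have rolled out, the thing to confirm is what the endpoints actually present, not what the Certificate objects say. The script below is an added example, not part of the gist: fetch_cert_text pulls the leaf certificate with openssl, and check_cert_text is a pure parser over that output which confirms the requested name is covered by a subjectAltName (with the single-label wildcard rule of RFC 6125, so *.apps.ocp4.example.com covers x.apps.ocp4.example.com but not a.b.apps.ocp4.example.com) and flags a certificate from the Let's Encrypt staging CA, which is what the ClusterIssuer above issues until its server line is switched. The function names and the console route host are my assumptions.

```shell
# Added example (not from the gist): verify what the cluster serves after the
# ingresscontroller and apiserver patches. openssl in PATH is needed for the
# network part; the parsing part runs on captured text.

# Issuer, SAN list and validity dates of the leaf certificate presented for
# host:port when the SNI name is host.
fetch_cert_text() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -ext subjectAltName -dates
}

# Does one SAN entry cover a hostname? A leading "*." matches exactly one
# non-empty label (RFC 6125), so *.apps.ocp4.x covers a.apps.ocp4.x but not
# a.b.apps.ocp4.x or apps.ocp4.x itself.
san_matches() {
  san=$1 name=$2
  case $san in
    \*.*)
      suffix=${san#\*.}
      label=${name%."$suffix"}
      [ "$label" != "$name" ] || return 1   # suffix did not strip
      [ -n "$label" ] || return 1           # nothing left of the suffix
      case $label in *.*) return 1 ;; esac  # more than one label
      return 0
      ;;
    *)
      [ "$san" = "$name" ]
      ;;
  esac
}

# The DNS entries from "openssl x509 -ext subjectAltName" output, one per line.
dns_sans() {
  printf '%s\n' "$1" | grep 'DNS:' | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
}

# 0: name covered by a production certificate; 1: no SAN covers the name;
# 2: covered, but issued by the Let's Encrypt staging CA (untrusted).
check_cert_text() {
  text=$1 name=$2
  # set -f keeps "*.apps..." from being globbed while the SAN list is split.
  covered=$( set -f
             for san in $(dns_sans "$text"); do
               if san_matches "$san" "$name"; then echo yes; break; fi
             done
             : )
  if [ "$covered" != yes ]; then
    echo "FAIL: no subjectAltName covers $name" >&2
    return 1
  fi
  case $text in
    *"(STAGING)"* | *"Fake LE"*)
      echo "WARN: $name is covered, but the issuer is Let's Encrypt staging" >&2
      return 2 ;;
  esac
  echo "OK: $name is covered by a production certificate"
  return 0
}

verify_endpoint() {
  text=$(fetch_cert_text "$1" "$2") || { echo "FAIL: no certificate from $1:$2" >&2; return 1; }
  check_cert_text "$text" "$1"
}

# Usage: sh verify-certs.sh example.com
# The console route is assumed to exist under *.apps (it does on a default
# install). The apiserver rollout takes a few minutes, so retry on failure.
if [ $# -ge 1 ]; then
  verify_endpoint "api.ocp4.$1" 6443
  verify_endpoint "console-openshift-console.apps.ocp4.$1" 443
fi
```

Routes that carry their own certificate are not affected by the default certificate patch, so check a route that relies on the router default (the console route does) rather than one with an explicit TLS secret.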
# testsite-cert: certificate for an application route, replicated into the
# namespaces that will reference it. No namespace is set, so the Certificate and
# its secret land in whatever namespace it is applied to (use -n or add
# metadata.namespace); the listed namespaces receive copies.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: testsite-cert
spec:
  secretName: testsite-cert
  duration: 2160h
  renewBefore: 360h
  issuerRef:
    kind: ClusterIssuer
    name: clusterissuer
  secretTemplate:
    annotations:
      replicator.v1.mittwald.de/replicate-to: "namespace1,namespace2"
  dnsNames:
    - testsite.apps.ocp4.${DNSDOMAIN}
    - www.testsite.apps.ocp4.${DNSDOMAIN}