@ericavonb
Forked from enj/fix_auth.sh
Last active March 25, 2019 19:41
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail

### These initial steps are hacks to get around certificate issues ###

# extract the URL we need in the route's hostname
# (strip the scheme and port from the API server URL, then drop the "-api" segment)
cluster_url="$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')"

# build the route's hostname
hostname="o.apps.${cluster_url}"

# check the length to make sure Let's Encrypt will let you use it
if [ "${#hostname}" -ge 63 ]; then
  echo "cluster url ${cluster_url} is too long to use with Let's Encrypt"
  exit 1
fi

# set up local Let's Encrypt (openshift-acme) to get valid certs
# note: -f is attached to the URL on purpose so the brace expansion yields one -f per manifest
oc apply -fhttps://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/letsencrypt-live/single-namespace/{role,serviceaccount,imagestream,deployment}.yaml -n openshift-authentication
oc create rolebinding openshift-acme --role=openshift-acme --serviceaccount=openshift-authentication:openshift-acme -n openshift-authentication --dry-run -o yaml | oc auth reconcile -f -

# update the oauth server's route to use Let's Encrypt certs
# set a short custom hostname to stay under Let's Encrypt's 63-character limit
# this assumes your cluster has a short enough name
oc apply -f - <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    kubernetes.io/tls-acme: "true"
  name: openshift-authentication
  namespace: openshift-authentication
spec:
  host: ${hostname}
  port:
    targetPort: 6443
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: reencrypt
  to:
    kind: Service
    name: openshift-authentication
    weight: 100
  wildcardPolicy: None
EOF
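The hostname derivation above depends on a fragile `cut`/`sed` pipeline and only checks total length. The following is an added example, not part of the gist: the same derivation wrapped in a function that takes the API server URL as an argument (so it can be checked offline with a constructed URL instead of `oc whoami`), plus a stricter check that every DNS label in the result is syntactically valid before the route is applied.

```shell
#!/usr/bin/env sh
# Added example, not part of the gist. Sample URLs below are constructed.

# Same pipeline as fix_auth.sh: keep the host part of the API URL, drop the
# "-api" segment, and prefix the "o.apps." route hostname.
route_hostname() {
  printf '%s\n' "$1" | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././;s/^/o.apps./'
}

# Returns 0 if the name stays under the gist's 63-character cutoff and every
# dot-separated label is a valid DNS label: non-empty, only lowercase letters,
# digits and hyphens, and no leading or trailing hyphen.
hostname_ok() {
  host="$1"
  [ "${#host}" -lt 63 ] || return 1
  old_ifs="$IFS"; IFS='.'
  set -- $host            # split into labels using '.' as the separator
  IFS="$old_ifs"
  for label in "$@"; do
    case "$label" in
      ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
  done
  return 0
}

# Constructed sample run: derive the hostname and gate on the check.
candidate="$(route_hostname 'https://foo-api.example.com:6443')"
if hostname_ok "$candidate"; then
  echo "route hostname ok: $candidate"
else
  echo "route hostname rejected: $candidate" >&2
fi
```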