infrastructure/ansible
1
0
Fork 0
Code Pull requests 7 Activity Actions

openshift / README: update cert-manager docs.

Browse source 
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2019-09-13 20:00:36 +00:00 committed by Pierre-Yves Chibon
parent a4de837e70
commit 58f195b511
1 changed files with 4 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
files/communishift/objects/README.md
View file

@ -6,8 +6,9 @@ The files in this directory are the configuration files for communishift to be a
For OIDC auth, get the client secret for "communishift" from ansible-private/files/ipsilon/openidc.production.static, and run:
> oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
For certificates, first install [cert-manager](https://docs.cert-manager.io/en/latest/), and then create the Issuer object.
To do this, first create a new access key ID and secret key in AWS for the communishift_acme_dns01 user, and update issuer and create a secret:
For certificates, first install [cert-manager](https://docs.cert-manager.io/en/latest/), and then create the Issuer object:
To do this, first create a new access key ID and secret key in AWS for the communishift_acme_dns01 user, and update issuer.yml with the access key ID and then create a secret with the private access key
> oc create -f issuer.yml
> oc create secret generic route53-access-key-secret --from-literal=access-key=THEACCESSKEY
This gives it the ability to create a TXT record for acmechallenges.fedorainfracloud.org.
To allow certificates for other hostnames, those hostnames need a CNAME of "_acme-challenge.<hostname>" pointing to "acmechallenges.fedorainfracloud.org".
@ -16,5 +17,5 @@ After that, create the two certificate requests for the API server and ingress d
> oc -n openshift-ingress create -f cert_apps.yml
This will start the request of the certificates.
Then run the following commands to update the ingress router (will take affect after its restart) and API server with their new certs:
> oc patch apiserver cluster --type=merge -p '{"spec": {"servingCerts": {"defaultServingCertificate": {"name": "api-certificate"}}}}'
> oc patch apiserver cluster --type=merge -p '{"spec": {"servingCerts": {"namedCertificates": {"names": "api.os.fedorainfracloud.org"}, "servingCertificate": {"name": "api-certificate"}}}}'
> oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "apps-certificate"}}}' -n openshift-ingress-operator