You can configure the OKD default router with a default wildcard certificate. A default wildcard certificate provides a convenient way for applications that are deployed in OKD to use default encryption without needing custom certificates.
|
Default wildcard certificates are recommended for non-production environments only.
|
To configure a default wildcard certificate, provision a certificate that is valid for *.<app_domain>, where <app_domain> is the value of openshift_master_default_subdomain in the Ansible inventory file, by default /etc/ansible/hosts. Once provisioned, place the certificate, key, and CA certificate files on your Ansible host, and add the following line to your Ansible inventory file.
openshift_hosted_router_certificate={"certfile": "/path/to/apps.c1-ocp.myorg.com.crt", "keyfile": "/path/to/apps.c1-ocp.myorg.com.key", "cafile": "/path/to/apps.c1-ocp.myorg.com.ca.crt"}
openshift_hosted_router_certificate={"certfile": "/home/cloud-user/star-apps.148.251.233.173.nip.io.cert.pem", "keyfile": "/home/cloud-user/star-apps.148.251.233.173.nip.io.key.pem", "cafile": "/home/cloud-user/ca-chain.cert.pem"}
Where the parameter values are:
- certfile is the path to the file that contains the OKD router wildcard certificate.
- keyfile is the path to the file that contains the OKD router wildcard certificate key.
- cafile is the path to the file that contains the root CA for this key and certificate. If an intermediate CA is in use, the file should contain both the intermediate and root CA.
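The following pre-flight check is an added example, not part of the OKD documentation or the openshift-ansible project. It parses the inventory variables described above, confirms that openshift_hosted_router_certificate is valid JSON with absolute certfile, keyfile and cafile paths, and checks that a certificate's DNS SANs actually carry the *.<app_domain> wildcard. The sample inventory is constructed, and cert_san_names assumes an openssl CLI on the Ansible host.

```python
import json
import re
import subprocess

# Constructed sample inventory fragment; the variable names are the ones OKD reads.
SAMPLE_INVENTORY = """
[OSEv3:vars]
openshift_master_default_subdomain=apps.c1-ocp.myorg.com
openshift_hosted_router_certificate={"certfile": "/path/to/apps.c1-ocp.myorg.com.crt", "keyfile": "/path/to/apps.c1-ocp.myorg.com.key", "cafile": "/path/to/apps.c1-ocp.myorg.com.ca.crt"}
"""

REQUIRED_KEYS = ("certfile", "keyfile", "cafile")


def parse_inventory_vars(text):
    """Return key=value pairs from an INI-style Ansible inventory (sections and comments skipped)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only; the JSON value has none
        if sep:
            found[key.strip()] = value.strip()
    return found


def router_cert_problems(inventory_vars):
    """List problems with the router certificate settings; an empty list means they look consistent."""
    problems = []
    if not inventory_vars.get("openshift_master_default_subdomain"):
        problems.append("openshift_master_default_subdomain is not set")
    raw = inventory_vars.get("openshift_hosted_router_certificate")
    if raw is None:
        return problems + ["openshift_hosted_router_certificate is not set"]
    try:
        cert = json.loads(raw)
    except ValueError:
        return problems + ["openshift_hosted_router_certificate is not valid JSON"]
    for key in REQUIRED_KEYS:
        path = cert.get(key)
        if not path:
            problems.append(f"{key} is missing")
        elif not path.startswith("/"):
            problems.append(f"{key} must be an absolute path on the Ansible host")
    return problems


def san_covers_subdomain(san_names, subdomain):
    """True only if the certificate's DNS SANs include the exact wildcard *.<app_domain>."""
    return f"*.{subdomain.lower()}" in {name.strip().lower() for name in san_names}


def cert_san_names(certfile):
    """Read DNS SANs from a PEM certificate via the openssl CLI (assumed available)."""
    text = subprocess.run(["openssl", "x509", "-in", certfile, "-noout", "-text"],
                          capture_output=True, text=True, check=True).stdout
    return re.findall(r"DNS:([^,\s]+)", text)
```

Run router_cert_problems(parse_inventory_vars(open("/etc/ansible/hosts").read())) before the playbook, then san_covers_subdomain(cert_san_names(certfile), subdomain) against the real certificate to catch a certificate issued for the bare domain instead of the wildcard.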
If these certificate files are new to your OKD cluster, run the Ansible byo/config.yml playbook to add these files to the OKD configuration files.
The playbook adds the certificate files to the /etc/origin/master/ directory.
# ansible-playbook [-i /path/to/inventory] \
~/openshift-ansible/playbooks/byo/config.yml
If the certificates are not new, for example, you want to change existing certificates or replace expired certificates, run the following playbook:
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml
|
For this playbook to run, the certificate names must not change. If the certificate names change, rerun the Ansible byo/config.yml playbook as if the certificates were new.
|