Server certificates provide encrypted traffic (HTTPS) in OpenShift. When a certificate is near expiration, it needs to be renewed and the copy deployed in the cluster replaced.

Prepare the Environment

To replace certificates automatically, Ansible is used to manage the hosts. The Python OpenSSL binding (pyOpenSSL) is required to parse and verify certificates.

$ pipenv install pyopenssl

The new server certificate should (obviously) be ready as a certificate file and a private key file. Additionally, if the certificate is signed by a custom Certificate Authority (CA), the CA certificate should also be included and referenced in the Ansible variables.

Re-deploy OpenShift Router Certificate

OpenShift ships HAProxy as its hosted router. The router can be configured with a custom certificate to provide edge encryption for ingress traffic. The certificate domain should match the openshift_master_default_subdomain variable.

openshift_master_default_subdomain: apps.domain.example.com
# Custom certificates for OpenShift hosted router (haproxy)
openshift_hosted_router_certificate: {"certfile": "/path/to/certificate.crt", "keyfile": "/path/to/certificate.key", "cafile": "/path/to/certificate-authority.pem"}

To apply or update the certificate:

$ pipenv run ansible-playbook -i /path/to/inventory -e @/path/to/variables.yaml -e ansible_ssh_private_key_file=/path/to/private-key playbooks/openshift-hosted/redeploy-router-certificates.yml

Re-deploy OpenShift Web Console and API Controller Certificate

The OpenShift web console shares its certificate with the API controllers. This is called a named certificate, and its name should match the openshift_master_cluster_public_hostname variable.

openshift_master_cluster_public_hostname: domain.example.com
# Custom certificates for API controllers and web console
openshift_master_overwrite_named_certificates: true
openshift_master_named_certificates: [{"certfile": "/path/to/certificate.crt", "keyfile": "/path/to/certificate.key", "names": ["domain.example.com"], "cafile": "/path/to/certificate-authority.pem"}]

To apply or update the certificate:

$ pipenv run ansible-playbook -i /path/to/inventory -e @/path/to/variables.yaml -e ansible_ssh_private_key_file=/path/to/private-key playbooks/openshift-master/redeploy-named-certificates.yml
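Both playbooks above restart the routers or the masters with whatever files certfile, keyfile and cafile point at, so it is worth checking that the bundle is consistent before running either of them. The following POSIX shell script is an added example, not part of the original post or of the OpenShift playbooks: using only the openssl CLI it checks that the certificate is not about to expire, that the private key belongs to it, that it chains to the CA in cafile, and that it covers the hostname the variable names (for the router that means a representative route host under the apps subdomain, which a wildcard certificate satisfies; for the named certificate it is the public hostname itself). The make_demo_bundle function creates a throwaway, constructed CA and server certificate for domain.example.com and *.apps.domain.example.com, matching the two variables on this page, only so the script runs offline; point check_cert_bundle at your real files instead.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenShift custom certificate bundle
# (certfile / keyfile / cafile) using only the openssl CLI.

# check_cert_bundle CERTFILE KEYFILE CAFILE HOSTNAME [MIN_DAYS]
# Returns 0 when every check passes, 1 (with a FAIL line) otherwise.
check_cert_bundle() {
  cert=$1; key=$2; ca=$3; host=$4; min_days=${5:-30}

  # 1. The certificate must stay valid for at least MIN_DAYS more days.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: $cert expires within $min_days days"; return 1
  fi

  # 2. The private key must belong to the certificate: compare the public key
  #    embedded in the certificate with the one derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key for $cert"; return 1
  fi

  # 3. The certificate must chain to the bundle that will be deployed as cafile
  #    (grep for ": OK" instead of trusting the exit status of older openssl releases).
  if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "FAIL: $cert does not verify against $ca"; return 1
  fi

  # 4. The certificate must cover the hostname (SAN first, wildcards honoured).
  #    openssl prints "does match" or "does NOT match" and exits 0 either way.
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "FAIL: $cert does not cover $host"; return 1
  fi

  echo "OK: $cert covers $host, matches $key and chains to $ca"
  return 0
}

# make_demo_bundle DIR: constructed throwaway CA and server certificate, used
# only so this example runs offline. Not real cluster material.
make_demo_bundle() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.example.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  # SAN covering the API/console hostname and the router wildcard
  printf 'subjectAltName=DNS:domain.example.com,DNS:*.apps.domain.example.com\n' > "$dir/san.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/san.cnf" -out "$dir/server.crt" >/dev/null 2>&1
}

# Demo run: one bundle checked against the hostnames both variables on this page name.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir"
check_cert_bundle "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/ca.pem" console.apps.domain.example.com
check_cert_bundle "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/ca.pem" domain.example.com
check_cert_bundle "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/ca.pem" other.example.com || true  # expected FAIL
rm -rf "$demo_dir"
```

If cafile is a bundle with intermediates, pass that same bundle as the third argument: openssl verify treats every certificate in it as trusted, which mirrors what the cluster will be given. Run the check for the router bundle with a hostname under apps.domain.example.com and for the named certificate with domain.example.com before launching the respective playbook.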

References

  1. Documentation / OKD 3.11 / Configuring Clusters / Configuring Custom Certificates