Self-signed default Ingress certificate

Steps to implement a self-signed default Ingress certificate for the OpenShift Router. This isn’t meant to be used in production!

These steps follow the Replacing the default ingress certificate docs, which describe how to set up a regular commercial certificate.

Generate a self-signed ingress certificate

A private key and a certificate are generated using the openssl command line tool. OpenShift requires the Subject Alternative Name (SAN) to be set. The Common Name (CN) of the distinguished name (DN) must be equal to the SAN wildcard domain, for example *.apps.<cluster>.<domain>.<tld>.

  1. Create the private key ingress.key and the certificate ingress.crt in a single step:

    cat <<-EOF | openssl req -x509 -out ingress.crt -keyout ingress.key -config -
    [ req ]
    prompt = no
    encrypt_key = no
    default_bits = 4096
    default_md = sha256
    distinguished_name = dn
    x509_extensions = v3_req
    
    [ dn ]
    C = AU
    ST = Some-State
    O = Internet Widgits Pty Ltd
    CN = *.apps.<cluster>.<domain>.<tld>
    
    [ v3_req ]
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    basicConstraints = critical,CA:false
    subjectKeyIdentifier = hash
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = *.apps.<cluster>.<domain>.<tld>
    EOF
  2. Verify the wildcard certificate has been created in a valid form with a SAN:

    openssl x509 -noout -text -in ingress.crt | grep -A1 'X509v3 Subject Alternative Name'

Configure the generated self-signed Ingress certificate in OpenShift

Because the self-signed certificate has been created without a CA above it, the certificate itself is stored in the custom-ca ConfigMap as the trust anchor. This ensures the created certificate is accepted as valid by components that use the cluster-wide trusted CA bundle.

  1. Create a ConfigMap custom-ca with the Ingress certificate:

    oc create configmap custom-ca \
       --from-file=ca-bundle.crt=ingress.crt \
       -n openshift-config
  2. Update the cluster-wide proxy configuration with the newly created ConfigMap:

    oc patch proxy/cluster \
       --type=merge \
       --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
  3. Create the secret with the key and the self-signed certificate:

    oc create secret tls self-signed-wildcard \
       --cert=ingress.crt \
       --key=ingress.key \
       -n openshift-ingress
  4. Configure the self-signed-wildcard secret via the Project Syn openshift4-ingress component:

    parameters:
      openshift4_ingress:
        ingressControllers:
          default:
            defaultCertificate:
              name: self-signed-wildcard
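The procedure above depends on two properties of ingress.crt: the SAN wildcard must be present, and, since there is no CA above the certificate, the certificate itself must be what the trust bundle contains. The following Go program is an added example, not code from this page or from the Project Syn component; it builds a certificate equivalent to the openssl config above with the constructed placeholder *.apps.example.test and verifies it against a pool holding only itself, as the custom-ca ConfigMap does.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const wildcard = "*.apps.example.test" // constructed stand-in for *.apps.<cluster>.<domain>.<tld>
// selfSignedIngressCert mirrors the openssl config above (CN = wildcard, serverAuth, CA:false); the SAN is written only if withSAN.
func selfSignedIngressCert(withSAN bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the config uses 4096; 2048 keeps the example fast
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Internet Widgits Pty Ltd"}, CommonName: wildcard},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour), // openssl req -x509 defaults to 30 days
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // basicConstraints CA:false
	}
	if withSAN {
		tmpl.DNSNames = []string{wildcard}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: template is its own parent
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedByOwnBundle verifies host against a pool holding only cert itself, which is what shipping ingress.crt as the custom-ca bundle amounts to.
func trustedByOwnBundle(cert *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	cert, _ := selfSignedIngressCert(true)
	fmt.Println(trustedByOwnBundle(cert, "console-openshift-console.apps.example.test")) // <nil>: the wildcard SAN matches one label
}
```

Without the SAN the same certificate is rejected for the same host name, because Go (like current browsers) ignores the CN for host matching; that is the reason the openssl config above needs the alt_names section.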