I'm very interested in this as well, as I'd like to use it in classes I'm
teaching on OpenShift.

Let's keep a very strict separation between types of traffic.  There's the
traffic between nodes (kubelet), master API servers, and components such as
logging and metrics.  That's on the *.internal domain managed by the SkyDNS
server on the masters.  The ansible variable
openshift_master_ca_certificates and the playbook redeploy-openshift-ca just
update the CA certs on the masters, while redeploy-certificates.yml updates
everything, even the routers. So great care must be taken in using ansible
to manage your routers.  I think "Let's Encrypt" is less useful for all
this private traffic, as OpenShift will accept self-signed certs, as long
as it can sign them itself or with a provided CA or intermediary key.

Then there's public traffic managed under different DNS services for the
API, Routers, and other possible apps.  THOSE are the places where I think
we'd be most interested in Let's Encrypt.

Further thoughts?

On Fri, Aug 25, 2017 at 1:26 PM, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> That's interesting, and a very different approach to what I was
> anticipating using the Ansible playbooks.
>
> Any thoughts from anyone on what is the best approach for this?
> Any other approaches/experiences on how to handle this important issue?
>
> Tim
>
>
>
> On 25/08/2017 17:09, Tomas Nozicka wrote:
>
>> Hi Tim,
>>
>> there is a controller to take care of generating and renewing Let's
>> Encrypt certificates for you.
>>
>> https://github.com/tnozicka/openshift-acme
>>
>> That said, it won't generate one for masters, but you can expose the
>> master API using a Route, and the certificate for that Route would be
>> fully managed by openshift-acme.
>>
>> Further integrations might be possible in the future, but this is how
>> you can get it done now.
>>
>> Regards,
>> Tomas
>>
>>
>> On Fri, 2017-08-25 at 16:27 +0100, Tim Dudgeon wrote:
>>
>>> Does anyone have any experience on how best to use Let's Encrypt
>>> certificates for an OpenShift Origin cluster?
>>>
>>> In one sense this is simple. The Ansible installer can be specified to
>>> use this custom certificate and key to sign all the certificates it
>>> generates, and doing so ensures you don't get the dreaded "This site is
>>> insecure" messages from your browser. And there is a playbook for
>>> updating certificates (which is essential as Let's Encrypt certificates
>>> are short lived) so this must be automated.
>>>
>>> But how best to set this up and automate the certificate generation and
>>> renewal?
>>>
>>> Let's assume Ansible is being run from a separate machine that is not
>>> part of the cluster and needs to deploy those custom certificates to the
>>> master(s). The certificate needs to be present on the ansible machine
>>> but needs to apply to the master(s) (or load balancer?). So you can't
>>> just generate the certificate on the ansible machine (e.g. using the
>>> --standalone option for certbot) as it would not be for the right
>>> machine.
>>>
>>> Similarly it doesn't seem right to request and update the certificates
>>> on the master (which master in the case of multiple masters?), and those
>>> certificates need to be present on the ansible machine.
>>>
>>> Seems like the answer might be to run a process on the ansible machine
>>> that requests the certificates using the webroot plugin and in doing so
>>> places the magical key that is used to verify ownership of the domain
>>> under the https://your.site.com/.well-known/acme-challenge location? But
>>> how to go about doing this? Ports 80 and 443 seem to be in use on the
>>> cluster, but not serving up any particular content. How to place the
>>> content there?
>>>
>>> I'm hoping others have already needed to handle this problem and can
>>> point to some best practice.
>>>
>>> Thanks
>>> Tim
>>>
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>
>



-- 
Judd Maltin
T: 917-882-1270
Of Life immense in passion, pulse, and power,
Cheerful—for freest action form’d, under the laws divine,
The Modern Man I sing. -Walt Whitman
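The "magical key" Tim is asking about is the ACME HTTP-01 key authorization: the CA fetches http://<domain>/.well-known/acme-challenge/<token> and expects the token joined to a thumbprint of the ACME account key, which is why a copied token alone proves nothing. The following is an added Python example (standard library only), not code from this thread, from openshift-acme or from certbot. It computes the RFC 7638 thumbprint, builds the RFC 8555 key authorization, writes it where a webroot-style plugin would, and checks a served body the way a CA does. All function names are this example's own, and the account key and token are constructed placeholders.

```python
"""ACME HTTP-01 key authorization: what goes under /.well-known/acme-challenge/
and what the CA checks when it fetches it.

Added example, not code from the thread, from openshift-acme or from certbot.
Function names are this example's own; the account key and token below are
constructed placeholders, not a real ACME account or a CA-issued token.
"""
import base64
import hashlib
import json
import os
import re
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account key: the members an RSA JWK requires, plus
# optional members (alg, kid) that a thumbprint must ignore. The modulus is
# a placeholder byte pattern, not a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "kid": "https://acme.example.invalid/acct/1",  # constructed
    "n": b64url(bytes(range(1, 65))),               # placeholder modulus
    "e": "AQAB",                                    # 65537
}

# Members RFC 7638 hashes for each key type, in the required lexicographic order.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# ACME tokens are base64url strings. Anything else must not reach the
# filesystem, because the token becomes a file name under the webroot.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (sorted keys, no whitespace), base64url-encoded."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key).
    Binds control of the domain to possession of the ACME account key."""
    if not _TOKEN_RE.match(token):
        raise ValueError("ACME token must be base64url characters only")
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_webroot_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Place the key authorization where an HTTP server rooted at `webroot`
    serves it as http://<domain>/.well-known/acme-challenge/<token>."""
    body = key_authorization(token, jwk)      # validates the token first
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def validate_challenge_body(body: str, token: str, jwk: dict) -> bool:
    """CA-side check (RFC 8555 section 8.3): the served body must equal the
    key authorization; trailing whitespace is ignored, nothing else is."""
    return body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    token = "sample_token_ab12-CD34"            # constructed, not CA-issued
    with tempfile.TemporaryDirectory() as webroot:
        path = write_webroot_challenge(webroot, token, SAMPLE_ACCOUNT_JWK)
        with open(path, encoding="ascii") as fh:
            served = fh.read()
        print(path)
        print("valid:", validate_challenge_body(served, token, SAMPLE_ACCOUNT_JWK))
```

The practical consequence for the question in the thread: the webroot has to be whatever actually answers on port 80 for the public hostname, so on a cluster where the router owns ports 80 and 443 the challenge file must be served through the router rather than dropped on the ansible machine, which is the gap the in-cluster controller Tomas mentions is filling.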
