cert-manager-routes-controller

cert-manager OpenShift controller

An anti-anxiety pill against certificate renewal nightmares in OpenShift

No more sleep disorders… No more spending nights wondering whether a certificate has expired in your cluster…
The automation power of cert-manager is now unleashed for OpenShift routes 🚀


Requirements

An OpenShift Container Platform cluster with cert-manager installed.

We recommend that you use the cert-manager Operator for Red Hat OpenShift.


Installation (Helm)

  1. Make sure that the chart repository is installed and up-to-date
    helm repo add its4u-cm https://its4u.github.io/cert-manager-routes-controller
    helm repo update

  2. Install cert-manager-routes-controller
    helm upgrade --install cert-manager-routes-controller its4u-cm/cert-manager-routes-controller

    Or, to set cert_manager_namespace to a custom value:
    helm upgrade --install cert-manager-routes-controller its4u-cm/cert-manager-routes-controller \
        --set cert_manager_namespace=<CUSTOM_NS_NAME>

How to use

  1. Create a ClusterIssuer
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: <CLUSTER_ISSUER_NAME>
    spec:
        ...

  2. Annotate the Route that needs to be managed by cert-manager as follows:
    annotations:
        cert-manager.io/cluster-issuer: <CLUSTER_ISSUER_NAME>

  3. Sit tight and watch your route’s TLS being automatically populated!

On the first certificate issuance, it might take a few minutes for the certificate to be ready. Hence, you might have to wait a little before you see your route being populated 😉

  4. That’s it!
    cert-manager will take care of the certificate renewal process.
    Our controller will ensure that your route’s TLS is always populated with the correct up-to-date certificate.

Where are the Certificates stored?

All of the Certificates and their respective Secrets are stored in the same CERT_MANAGER_NAMESPACE. This allows us to reuse a Certificate cluster-wide and avoid reordering a Certificate that already exists in the cluster.

For instance, we have a route https://example.com/hello in the hello NS and a route https://example.com/world in the world NS. Both of these routes use the same domain, hence only one certificate is required. Therefore, we won’t be ordering two certificates. We’ll merely use the same one for both routes even though they’re in different namespaces.
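
The check below is an added example, not part of the project's code. It reads the JSON printed by `oc get routes -A -o json` and reports annotated routes whose TLS certificate is still empty, along with hosts used by several annotated routes, which per the section above share a single Certificate. The sample data and the issuer name my-issuer are constructed.

```python
import json
from collections import defaultdict

ANNOTATION = "cert-manager.io/cluster-issuer"  # annotation from the "How to use" steps

# Constructed sample shaped like `oc get routes -A -o json`; not real cluster data.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "hello", "namespace": "hello",
                  "annotations": {ANNOTATION: "my-issuer"}},
     "spec": {"host": "example.com", "path": "/hello",
              "tls": {"termination": "edge",
                      "certificate": "-----BEGIN CERTIFICATE-----\n(placeholder)"}}},
    {"metadata": {"name": "world", "namespace": "world",
                  "annotations": {ANNOTATION: "my-issuer"}},
     "spec": {"host": "example.com", "path": "/world",
              "tls": {"termination": "edge"}}},
    {"metadata": {"name": "plain", "namespace": "other"},
     "spec": {"host": "plain.example.org"}},
]})


def audit_routes(routes_json):
    """Return (pending, shared) for routes carrying the cluster-issuer annotation.

    pending: "namespace/name" of annotated routes with an empty spec.tls.certificate.
    shared:  host -> sorted "namespace/name" list for hosts used by several such routes.
    """
    pending, by_host = [], defaultdict(list)
    for item in json.loads(routes_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        if ANNOTATION not in (meta.get("annotations") or {}):
            continue  # route is not managed through the annotation
        ref = f"{meta.get('namespace')}/{meta.get('name')}"
        by_host[spec.get("host")].append(ref)
        cert = (spec.get("tls") or {}).get("certificate") or ""
        if not cert.strip():
            pending.append(ref)  # TLS not populated (yet)
    shared = {h: sorted(r) for h, r in by_host.items() if len(r) > 1}
    return sorted(pending), shared


if __name__ == "__main__":
    pending, shared = audit_routes(SAMPLE)
    print("annotated routes without a certificate yet:", pending)
    print("hosts shared by several annotated routes:", shared)
```

A route that stays in the pending list well after the first issuance window is the one to investigate.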


Take a peek at our Wiki for more information

The cert-manager-routes-controller wiki