Alexandre Perlmutter edited this page Jul 28, 2023 · 4 revisions

cert-manager OpenShift controller
The cert-manager-routes-controller wiki!

An anti-anxiety pill against certificate renewal nightmares in OpenShift

No more sleep disorders... No more spending nights wondering whether a certificate has expired in your cluster...
The automation power of cert-manager is now unleashed for OpenShift routes 🚀

Motivation

cert-manager is a Kubernetes Operator that manages certificates in a cluster. It is designed to work with Ingress resources and does a wonderful job of it. However, it was not designed to work with OpenShift Routes, and since Ingress resources are rarely used in the OpenShift world, there was no elegant way to use cert-manager in an OpenShift cluster. In fact, there were only two options:

  1. Using the cert-utils Operator which would imply implementing the following workflow:
    1. Manually create a Certificate resource in the same namespace as the Route(s) you want to manage
    2. Remember the Secret name that you set in the Certificate configuration
    3. Annotate the Route(s) with the cert-utils-operator.redhat-cop.io/certs-from-secret: "<secret-name>" annotation

The issues with this solution are, firstly, that a human has to remember a Secret name and annotate every Route sharing that hostname with it, which is error-prone. Secondly, the Certificate is only available in a single namespace, even though you may well have Routes with the same hostname in different namespaces: Routes that could share one Certificate instead force you to create a duplicate, and therefore a new Order. Moreover, if you're using Let's Encrypt, ordering multiple certificates for the same hostname will get you rate limited very quickly.

  2. Using openshift-routes, which only requires annotating a Route with the following annotations (easy, right?):
annotations:
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod

The issue with openshift-routes is that it won't create a Certificate; it only makes a CertificateRequest, and it doesn't save the TLS data in a Secret but writes it directly into the Route. Hence, it re-orders a certificate for each Route that has the same hostname, even for Routes in the same namespace! You can therefore be pretty confident that you will get rate limited right away by CAs such as Let's Encrypt. Furthermore, it causes unexpected behaviour because it implements logic in its own code that should be handled only by cert-manager. An issue has been opened: openshift-routes doesn't work as expected and isn't suitable for a production environment #34.

That is why we created cert-manager-routes-controller

Our controller addresses the issues outlined above. The only thing a developer needs to do is to annotate a Route with the following annotation:

annotations:
    cert-manager.io/cluster-issuer: "<cluster-issuer-name>"

Our controller then creates a Certificate in the cert-manager namespace, or uses the existing Certificate if one already exists for the annotated Route's hostname. It then automatically populates the Route's TLS with the latest up-to-date certificate, leaving certificate management to cert-manager and merely populating the annotated Routes.
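The behaviour described above, modelled in Go as an added example that is not the project's own code: an in-memory stand-in for the API server, the `cert-manager.io/cluster-issuer` annotation from this page, and a reconcile loop that keeps exactly one Certificate per hostname in the cert-manager namespace and copies the issued Secret onto every annotated Route. The Certificate naming scheme (`app-example-com`), the `-tls` Secret suffix, the literal `cert-manager` namespace name and the refusal of a conflicting issuer for an already-managed host are assumptions made for the example; the page does not specify them.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation documented on this page; the controller acts only on Routes that carry it.
const clusterIssuerAnnotation = "cert-manager.io/cluster-issuer"

// Namespace holding one shared Certificate per hostname (the page says "the
// cert-manager namespace"; the literal name is an assumption).
const certManagerNamespace = "cert-manager"

// Route models the parts of an OpenShift Route this logic touches.
type Route struct {
	Namespace, Name, Host string
	Annotations           map[string]string
	TLSCert, TLSKey       string // filled in from the Certificate's Secret
}

// Certificate models a cert-manager Certificate resource.
type Certificate struct {
	Namespace, Name, DNSName, IssuerName, SecretName string
}

// Secret models the TLS Secret cert-manager writes once an Order completes.
type Secret struct {
	Namespace, Name string
	Data            map[string][]byte // "tls.crt" and "tls.key"
}

// Cluster is an in-memory stand-in for the API server.
type Cluster struct {
	Certificates map[string]*Certificate // keyed by "namespace/name"
	Secrets      map[string]*Secret
}

func NewCluster() *Cluster {
	return &Cluster{Certificates: map[string]*Certificate{}, Secrets: map[string]*Secret{}}
}

func objKey(ns, name string) string { return ns + "/" + name }

// certNameForHost derives a deterministic, DNS-1123-friendly name from the hostname so
// that every Route with the same host maps to the same Certificate (assumed scheme).
func certNameForHost(host string) string {
	return strings.ReplaceAll(strings.ToLower(host), ".", "-")
}

// Reconcile ensures a Certificate exists for the Route's host and, once cert-manager has
// issued it, copies the TLS material onto the Route. It reports whether TLS was populated.
func Reconcile(c *Cluster, r *Route) (populated bool, err error) {
	issuer := r.Annotations[clusterIssuerAnnotation]
	if issuer == "" {
		return false, nil // Route did not opt in; leave it untouched
	}
	if r.Host == "" {
		return false, fmt.Errorf("route %s has no host", objKey(r.Namespace, r.Name))
	}
	name := certNameForHost(r.Host)
	k := objKey(certManagerNamespace, name)
	cert, exists := c.Certificates[k]
	if !exists {
		// First Route for this hostname: create the single shared Certificate.
		cert = &Certificate{Namespace: certManagerNamespace, Name: name, DNSName: r.Host,
			IssuerName: issuer, SecretName: name + "-tls"}
		c.Certificates[k] = cert
	} else if cert.IssuerName != issuer {
		// Design choice for this example (not from the page): refuse a conflicting
		// issuer rather than silently replacing the shared Certificate and re-ordering.
		return false, fmt.Errorf("host %s is already issued by %q; route %s asked for %q",
			r.Host, cert.IssuerName, objKey(r.Namespace, r.Name), issuer)
	}
	sec, ready := c.Secrets[objKey(certManagerNamespace, cert.SecretName)]
	if !ready {
		return false, nil // Order still in progress; a real controller would requeue
	}
	crt, key := sec.Data["tls.crt"], sec.Data["tls.key"]
	if len(crt) == 0 || len(key) == 0 {
		return false, fmt.Errorf("secret %s is missing tls.crt or tls.key", sec.Name)
	}
	r.TLSCert, r.TLSKey = string(crt), string(key)
	return true, nil
}

func main() {
	c := NewCluster()
	ann := map[string]string{clusterIssuerAnnotation: "letsencrypt-prod"}
	// Constructed sample: two Routes in different namespaces sharing one hostname.
	routes := []*Route{
		{Namespace: "team-a", Name: "web", Host: "app.example.com", Annotations: ann},
		{Namespace: "team-b", Name: "web", Host: "app.example.com", Annotations: ann},
	}
	for _, r := range routes {
		_, _ = Reconcile(c, r)
	}
	fmt.Printf("certificates after first pass: %d\n", len(c.Certificates)) // 1, not 2
	// Constructed stand-in for cert-manager finishing the Order.
	c.Secrets["cert-manager/app-example-com-tls"] = &Secret{Namespace: certManagerNamespace,
		Name: "app-example-com-tls", Data: map[string][]byte{"tls.crt": []byte("PEM-CERT"), "tls.key": []byte("PEM-KEY")}}
	for _, r := range routes {
		ok, err := Reconcile(c, r)
		fmt.Printf("%s/%s populated=%v err=%v\n", r.Namespace, r.Name, ok, err)
	}
}
```

Running it shows the point of the design: the second Route reuses the Certificate created for the first, so only one Order is placed for `app.example.com`, and both Routes receive the same TLS material once the Secret appears. Routes without the annotation are never touched.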