An OpenShift controller using the Operator SDK for managing TLS certificate lifecycle
etsauer and sabre1041 Converting service secret to type kubernetes.io/tls (#30)
* Converting service secret to type kubernetes.io/tls

* Add tests for service functionality, assert that secret type is correct

* Cleanup
Latest commit 8f8cddb Apr 23, 2019
An Operator for Automated Certificate Lifecycle in OpenShift

Prerequisites

Installation

git clone [this repo]
dep ensure

Local Run for Development

oc login ...
oc new-project cert-operator
export OPERATOR_NAME=cert-operator
operator-sdk up local

Running Test Cases

oc login ...
oc new-project cert-operator-test
export OPERATOR_NAME=cert-operator
operator-sdk test local ./test/e2e/ --namespace=cert-operator-test --up-local

Deployment to OpenShift

oc process -f build/build.yml | oc apply -f-
oc apply -f deploy/service_account.yaml
oc apply -f deploy/role.yaml
oc apply -f deploy/role_binding.yaml
oc apply -f deploy/deployment.yaml

Configuration

The operator is configured via a combination of environment variables and a configuration file. The majority of the config can be placed in a YAML formatted config file. The configuration file is loaded by searching in the following locations, with those at the top taking priority:

  • value of CERT_OP_CONFIG environment variable

  • /etc/cert-operator/config.yml

General Config

The cert operator uses annotations on the various resources it manages to decide what actions are required. The annotations that are used are configurable via the config file. The default values are as follows:

general:
  annotations:
    status: openshift.io/cert-ctl-status
    status-reason: openshift.io/cert-ctl-status-reason
    expiry: openshift.io/cert-ctl-expires
    format: openshift.io/cert-ctl-format
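The decision the operator makes from these annotations is not spelled out above beyond "status=new means a certificate is needed". The following Go program is an added illustration, not code from the cert-operator project: it wires the four default annotation keys into a small reconcile decision (issue on `new`, renew when a `secured` resource is inside a renewal window, reject a `secured` resource whose expiry annotation cannot be read, ignore unannotated resources). The RFC 3339 format for the expiry annotation, the `renewBefore` window and the `Action` names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// AnnotationConfig mirrors the general.annotations keys from config.yml.
type AnnotationConfig struct {
	Status       string
	StatusReason string
	Expiry       string
	Format       string
}

// DefaultAnnotations returns the documented default annotation names.
func DefaultAnnotations() AnnotationConfig {
	return AnnotationConfig{
		Status:       "openshift.io/cert-ctl-status",
		StatusReason: "openshift.io/cert-ctl-status-reason",
		Expiry:       "openshift.io/cert-ctl-expires",
		Format:       "openshift.io/cert-ctl-format",
	}
}

// Action is what a reconcile loop would do for one route or service.
type Action int

const (
	ActionNone   Action = iota // not managed, or certificate still valid
	ActionIssue                // status=new: request a certificate
	ActionRenew                // status=secured and inside the renewal window
	ActionReject               // status=secured but expiry annotation unusable
)

func (a Action) String() string {
	return [...]string{"none", "issue", "renew", "reject"}[a]
}

// Decide inspects a resource's annotations and returns the action to take.
// ASSUMPTION: the expiry annotation holds an RFC 3339 timestamp; the README
// does not state the format, so this is an illustrative choice.
func Decide(cfg AnnotationConfig, ann map[string]string, now time.Time, renewBefore time.Duration) (Action, error) {
	switch ann[cfg.Status] {
	case "new":
		return ActionIssue, nil
	case "secured":
		raw, ok := ann[cfg.Expiry]
		if !ok {
			return ActionReject, fmt.Errorf("status is secured but %q is missing", cfg.Expiry)
		}
		exp, err := time.Parse(time.RFC3339, raw)
		if err != nil {
			return ActionReject, fmt.Errorf("unparseable expiry %q: %w", raw, err)
		}
		// Renew once the expiry falls inside the window, never silently skip it.
		if !now.Add(renewBefore).Before(exp) {
			return ActionRenew, nil
		}
		return ActionNone, nil
	default:
		// Resources without the status annotation are not managed by the operator.
		return ActionNone, nil
	}
}

func main() {
	cfg := DefaultAnnotations()
	now := time.Date(2019, 4, 23, 12, 0, 0, 0, time.UTC) // constructed reference time
	samples := []map[string]string{                       // constructed annotation sets
		{cfg.Status: "new"},
		{cfg.Status: "secured", cfg.Expiry: "2019-04-30T00:00:00Z"},
		{cfg.Status: "secured", cfg.Expiry: "2020-04-23T00:00:00Z"},
		{cfg.Status: "secured", cfg.Expiry: "tomorrow"},
		{"some.other/annotation": "x"},
	}
	for _, s := range samples {
		a, err := Decide(cfg, s, now, 14*24*time.Hour)
		fmt.Printf("%-7s err=%v annotations=%v\n", a, err, s)
	}
}
```

The renewal branch is written so that a missing or malformed expiry produces an explicit reject rather than being treated as "still valid"; a reconciler that fails open here would let a secured route keep an expired certificate unnoticed.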

Certificate Providers

The cert operator provides a pluggable architecture for supporting multiple certificate providers. The following is the set of current and planned providers.

Supported Providers
  • ✓ NoneProvider(none) - A mock provider for testing which returns empty values

  • ✓ SelfSignedProvider(self-signed) - Delivers self-signed certificates

  • ❏ LetsEncryptProvider(lets-encrypt) - A free and open public CA

  • ❏ FreeIPAProvider(ipa) - An open source identity management system

  • ✓ VenafiProvider(venafi) - An Enterprise PKI product

Configuring which provider is used is a matter of adding the following to your config.yml:

provider:
  kind: <name>
  ssl: <true/false>
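To make concrete what a provider such as the self-signed one hands back to the operator, and how that material ends up in a kubernetes.io/tls secret (the type the latest commit on this repository converts the service secret to), here is an added Go example. It is not the project's SelfSignedProvider: the key type (ECDSA P-256), the validity period, the function names and the sample service hostname are all assumptions of this example. The `tls.crt`/`tls.key` key names are the standard data keys of a kubernetes.io/tls secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IssueSelfSigned returns a PEM certificate and key for the given DNS names,
// valid from notBefore for the given duration. Stand-in for a provider's
// "deliver a certificate" step; ECDSA P-256 is an illustrative choice.
func IssueSelfSigned(dnsNames []string, notBefore time.Time, validity time.Duration) (certPEM, keyPEM []byte, err error) {
	if len(dnsNames) == 0 {
		return nil, nil, fmt.Errorf("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames,
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // CA=false: a leaf, not an issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// TLSSecretData lays the pair out as the data of a kubernetes.io/tls Secret.
// It refuses a key that does not belong to the certificate, so a mismatched
// pair never reaches the cluster.
func TLSSecretData(certPEM, keyPEM []byte) (map[string][]byte, error) {
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return nil, fmt.Errorf("certificate/key mismatch: %w", err)
	}
	return map[string][]byte{"tls.crt": certPEM, "tls.key": keyPEM}, nil
}

// ExpiryAnnotation parses the certificate and returns the value a reconciler
// could write to the expiry annotation (RFC 3339 is an assumed format).
func ExpiryAnnotation(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in PEM data")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return cert.NotAfter.UTC().Format(time.RFC3339), nil
}

func main() {
	start := time.Date(2019, 4, 23, 0, 0, 0, 0, time.UTC) // constructed
	certPEM, keyPEM, err := IssueSelfSigned([]string{"dotnet-example.cert-operator.svc"}, start, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	data, err := TLSSecretData(certPEM, keyPEM)
	if err != nil {
		panic(err)
	}
	exp, _ := ExpiryAnnotation(data["tls.crt"])
	fmt.Printf("secret keys: %d, expires: %s\n", len(data), exp)
}
```

The mismatch check in `TLSSecretData` is the one a practitioner wants in front of any provider, self-signed or external: a route or service that receives a certificate with the wrong private key will fail its TLS handshake only at request time, long after the reconcile loop has reported "Updated ... with new certificate".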

Notifications

This operator currently supports sending notifications via ChatOps. The following is the set of current and planned providers.

Supported Notifiers
  • ✓ Slack

  • ❏ RocketChat

To configure sending notifications, set the following environment variables:

NOTIFIER_TYPE="slack"
<NOTIFIER>_WEBHOOK_URL="https://example.webhook.com/bla/blah"

Testing Functionality

This operator will create certificates for routes and services. To test this functionality, first create a new application.

oc new-app --template dotnet-example

Create a Certificate for a Route

Annotate the route to tell the operator it needs a cert.

oc annotate route dotnet-example openshift.io/cert-ctl-status=new --overwrite

In the logs for your operator, you’ll see something like:

{"level":"info","ts":1553713448.1514533,"logger":"controller_route","msg":"Reconciling Route","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}
{"level":"info","ts":1553713448.2551682,"logger":"controller_route","msg":"Updated route with new certificate","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}

Then, if you take a look at your dotnet-example route, you’ll see that it has been updated with a TLS edge termination policy.

$ oc get route dotnet-example -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/managed.cert: "secured"
...
  name: dotnet-example
spec:
...
  tls:
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    termination: edge
    ...

Create a Certificate for a Service (SSL-to-Pod)

Annotate the service to tell the operator it needs a cert.

oc annotate service dotnet-example openshift.io/cert-ctl-status=new --overwrite

In the logs for your operator, you’ll see something like:

{"level":"info","ts":1553715427.6889565,"logger":"controller_service","msg":"Reconciling Service","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}
{"level":"info","ts":1553715427.8858836,"logger":"controller_service","msg":"Updated service with new certificate","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}

Look to see that a new secret has been created in your project.

$ oc get secret | grep dotnet-example
dotnet-example-certificate             Opaque                                2         23m

You’ll also notice that the annotation on the service has changed.

$ oc get service dotnet-example -o jsonpath='{.metadata.annotations.openshift\.io/cert-ctl-status}'
secured