GUI Free Life

Changing the SSL Certificate for OpenShift Console

kubernetes openshift OSE3.1 ssl

Mar 24, 2016

OpenShift has an internal CA for generating certificates to authenticate intra-cluster communication, but your browser doesn’t trust this CA. Perhaps you want to fix that without mucking with the internal SSL communication? I did. Here is how.

This OpenShift doc explains how to do this, but it isn’t very clear, to me at least.

Overview

An outline of the steps:

Your installation may include the following hosts:

Name                          IP
ose-ha-master-01.example.com  192.0.2.21
ose-ha-master-02.example.com  192.0.2.22
ose-ha-master-03.example.com  192.0.2.23
ose-ha-lb-01.example.com      192.0.2.41
master.os.example.com         CNAME ose-ha-lb-01.example.com
openshift.example.com         CNAME ose-ha-lb-01.example.com

In this case openshift.example.com is an alias for the load balancer, which directs traffic back to the 3 masters. The load balancer passes the traffic through, so TLS is terminated on port 8443 of the master servers themselves. Therefore, all three masters need to be updated.

Install Your Certificate

Copy your certificate and key to the /etc/origin/master directory on each master, using the file names referenced in the configuration below (wildcard.example.com.crt and wildcard.example.com.key). Keep the key file readable by root only.

Update /etc/origin/master/master-config.yaml so that those certificates are served for the public master URL.

Before

apiLevels:
- v1
apiVersion: v1
assetConfig:
  logoutURL: ""
  masterPublicURL: https://openshift.example.com:8443
  publicURL: https://openshift.example.com:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
  metricsPublicURL: "https://metrics.os.example.com/hawkular/metrics"
#... skip to the bottom
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600

After

apiLevels:
- v1
apiVersion: v1
assetConfig:
  logoutURL: ""
  masterPublicURL: https://openshift.example.com:8443
  publicURL: https://openshift.example.com:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
    namedCertificates:
      - certFile: wildcard.example.com.crt
        keyFile: wildcard.example.com.key
        names:
          - "openshift.example.com"
  metricsPublicURL: "https://metrics.os.example.com/hawkular/metrics"
#... skip to the bottom
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
  namedCertificates:
    - certFile: wildcard.example.com.crt
      keyFile: wildcard.example.com.key
      names:
        - "openshift.example.com"

Restart the master API service and watch the journal for TLS errors for a few seconds. If the change has touched the internal API URL, the problems show up almost immediately.

systemctl restart atomic-openshift-master-api
journalctl -f
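A quick way to confirm that the masters now serve the new certificate for the public name and still serve the internal one for the cluster hostname is to ask each master for its certificate under both SNI names and compare fingerprints with the files on disk. This is an added verification script, not part of the original post; it assumes openssl is installed, that it runs on a master (so the certificate files are local), and that the hostnames and paths are the ones used above.

```shell
#!/bin/sh
# Added verification helper (not from the original post). Run on a master as:
#   sh check-console-cert.sh 192.0.2.21 192.0.2.22 192.0.2.23
# Hostnames and paths below are the ones from the post; adjust to your environment.
PORT=8443
PUBLIC=openshift.example.com       # should be served with wildcard.example.com.crt
INTERNAL=master.os.example.com     # must still be served with the internal master.server.crt
CERT_DIR=/etc/origin/master

# SHA-256 fingerprint of a PEM certificate read from stdin (empty output on bad input).
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the certificate host $1 serves when the client sends SNI name $2.
# namedCertificates are selected by SNI, so the same master answers differently per name.
served_fingerprint() {
  openssl s_client -connect "$1:$PORT" -servername "$2" </dev/null 2>/dev/null | pem_fingerprint
}

# Compare a served fingerprint with the expected one; returns 1 on mismatch or no certificate.
verdict() {  # $1 = label, $2 = served fingerprint, $3 = expected fingerprint
  if [ -z "$2" ]; then printf 'FAIL %s: no certificate received\n' "$1"; return 1; fi
  if [ "$2" != "$3" ]; then printf 'FAIL %s: served %s, expected %s\n' "$1" "$2" "$3"; return 1; fi
  printf 'OK   %s serves %s\n' "$1" "$2"
}

# Check one master directly: the load balancer passes TLS through, so every master must agree.
check_master() {  # $1 = master host or IP
  rc=0
  verdict "$1/$PUBLIC"   "$(served_fingerprint "$1" "$PUBLIC")" \
          "$(pem_fingerprint <"$CERT_DIR/wildcard.example.com.crt")" || rc=1
  verdict "$1/$INTERNAL" "$(served_fingerprint "$1" "$INTERNAL")" \
          "$(pem_fingerprint <"$CERT_DIR/master.server.crt")" || rc=1
  return $rc
}

if [ $# -gt 0 ]; then
  status=0
  for m in "$@"; do check_master "$m" || status=1; done
  exit $status
fi
```

Any client that reaches the API through openshift.example.com while trusting only the internal CA (a kubeconfig generated by the installer, for example) will fail verification after this change, so point it at master.os.example.com or give it the public CA instead.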

Using Ansible

There is support for this in the playbook, which is probably the best method, but I have not tested this yet.

Update your inventory for the OpenShift Advanced Installation playbook, using the byo example inventory as a reference.

openshift_master_cluster_method=native
openshift_master_cluster_hostname=master.os.example.com
openshift_master_cluster_public_hostname=openshift.example.com
openshift_master_overwrite_named_certificates=true
#
# Provide local certificate paths which will be deployed to masters
openshift_master_named_certificates=[{"certfile": "wildcard.example.com.crt", "keyfile": "wildcard.example.com.key"}]
#
# Detected names may be overridden by specifying the "names" key
#openshift_master_named_certificates=[{"certfile": "wildcard.example.com.crt", "keyfile": "wildcard.example.com.key", "names": ["openshift.example.com"]}]
