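#!/usr/bin/env bash
#
# Put a Let's Encrypt certificate on the OpenShift OAuth server's route.
#
# What it does, in order:
#   1. derive a short per-cluster domain from the API server URL `oc` is
#      logged in to,
#   2. deploy openshift-acme (single-namespace mode) into the
#      openshift-authentication namespace and bind its Role,
#   3. apply a Route for the OAuth server carrying the kubernetes.io/tls-acme
#      annotation so openshift-acme issues a certificate for it.
#
# Requirements: `oc` on PATH, logged in with enough rights to create Roles,
# RoleBindings, ServiceAccounts, ImageStreams, Deployments and Routes in the
# openshift-authentication namespace.
#
# Optional environment:
#   OPENSHIFT_ACME_REF  git ref of tnozicka/openshift-acme to fetch the
#                       manifests from (default: master).
#
# SECURITY NOTE(review): the manifests are fetched over the network from a
# third-party GitHub repository and applied into openshift-authentication,
# the namespace that runs the cluster's OAuth server. The Role, ServiceAccount
# and Deployment they create carry whatever privileges that repository grants
# at the moment you run this. Review role.yaml/deployment.yaml and pin
# OPENSHIFT_ACME_REF to a commit SHA before using this on any cluster that
# matters; tracking `master` means the applied content can change under you.
set -o errexit
set -o nounset
set -o pipefail

readonly ns="openshift-authentication"
readonly acme_ref="${OPENSHIFT_ACME_REF:-master}"
readonly acme_base="https://raw.githubusercontent.com/tnozicka/openshift-acme/${acme_ref}/deploy/letsencrypt-live/single-namespace"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

### These initial steps are hacks to get around certificate issues ###

# Derive the cluster domain from the API server URL, e.g.
#   https://foo-api.example.com:6443  ->  foo.example.com
# NOTE(review): only a "<name>-api." prefix is rewritten. A stock OCP 4 API
# host looks like "api.<name>.<base>" and passes through unchanged, which
# would yield a route host of o.apps.api.<name>.<base>; confirm this matches
# your cluster's naming before relying on it.
server_url="$(oc whoami --show-server)"
api_host="${server_url#*://}"     # strip scheme
api_host="${api_host%%/*}"        # strip any path
api_host="${api_host%%:*}"        # strip port
cluster_url="${api_host/-api./.}"

# Build the route's hostname: deliberately short so it fits Let's Encrypt's
# name-length limit even on clusters with long base domains.
hostname="o.apps.${cluster_url}"

# Fail early with a clear message instead of letting the ACME order fail
# later; the original author notes a 63-character limit, so stay under it.
if (( ${#hostname} >= 63 )); then
  die "cluster url ${cluster_url} gives hostname ${hostname} (${#hostname} chars), too long to use with lets encrypt"
fi

# Deploy openshift-acme next to the OAuth server so it can answer ACME
# challenges for the route created below. One -f per manifest keeps the
# apply order explicit (role, serviceaccount, imagestream, deployment).
oc apply -n "${ns}" \
  -f "${acme_base}/role.yaml" \
  -f "${acme_base}/serviceaccount.yaml" \
  -f "${acme_base}/imagestream.yaml" \
  -f "${acme_base}/deployment.yaml"

# Bind the controller's Role to its ServiceAccount. The binding is generated
# with --dry-run and fed through `oc auth reconcile` so re-running the script
# converges instead of failing with "already exists".
# NOTE(review): newer oc/kubectl expect `--dry-run=client`; switch to that if
# your client rejects the bare flag.
oc create rolebinding openshift-acme \
  --role=openshift-acme \
  --serviceaccount="${ns}:openshift-acme" \
  -n "${ns}" --dry-run -o yaml \
  | oc auth reconcile -f -

# Expose the OAuth server on the short hostname and let openshift-acme issue
# its certificate via the tls-acme annotation. `reencrypt` keeps TLS between
# the router and the OAuth pods (router-to-pod trust comes from the cluster's
# service-serving CA, so no destinationCACertificate is given here);
# `Redirect` refuses plain HTTP rather than serving the login page over it.
# NOTE(review): ACME validation needs ${hostname} to resolve and be reachable
# from the internet via the cluster's apps ingress -- confirm for your setup.
oc apply -n "${ns}" -f - <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    kubernetes.io/tls-acme: "true"
  name: openshift-authentication
  namespace: ${ns}
spec:
  host: ${hostname}
  port:
    targetPort: 6443
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: reencrypt
  to:
    kind: Service
    name: openshift-authentication
    weight: 100
  wildcardPolicy: None
EOF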