Skip to content

Instantly share code, notes, and snippets.

@ericavonb
Forked from enj/fix_auth.sh
Last active March 25, 2019 19:41
Show Gist options
  • Save ericavonb/c656aa2e916a9691973bc88c6a85c321 to your computer and use it in GitHub Desktop.
Save ericavonb/c656aa2e916a9691973bc88c6a85c321 to your computer and use it in GitHub Desktop.
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
### These initial steps are hacks to get around certificate issues ###
# extract the URL we need in the route's hostname
cluster_url="$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')"
# build the route's hostname
hostname="o.apps.${cluster_url}"
# check the length to make sure lets encrypt will let you use it
if [ "${#hostname}" -ge 63 ]; then
echo "cluster url ${cluster_url} is too long to use with lets encrypt"
exit 1
fi
# set up local lets encrypt to get valid certs
oc apply -fhttps://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/letsencrypt-live/single-namespace/{role,serviceaccount,imagestream,deployment}.yaml -n openshift-authentication
oc create rolebinding openshift-acme --role=openshift-acme --serviceaccount=openshift-authentication:openshift-acme -n openshift-authentication --dry-run -o yaml | oc auth reconcile -f -
# update the oauth server's route to use lets encrypt certs
# set a short custom hostname to stay under lets encrypt's 63 characters limit
# this assumes your cluster has a short enough name
oc apply -f - <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
kubernetes.io/tls-acme: "true"
name: openshift-authentication
namespace: openshift-authentication
spec:
host: ${hostname}
port:
targetPort: 6443
tls:
insecureEdgeTerminationPolicy: Redirect
termination: reencrypt
to:
kind: Service
name: openshift-authentication
weight: 100
wildcardPolicy: None
EOF
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment