Chapter 3. Custom issuers for cert-manager
An issuer is a resource that acts as a certificate authority for a specific namespace, and is managed by the cert-manager Operator. TLS-e (TLS everywhere) is enabled in Red Hat OpenStack Services on OpenShift (RHOSO) environments, and it uses the following issuers by default:
- rootca-internal
- rootca-libvirt
- rootca-ovn
- rootca-public
3.1. Creating a custom issuer
You can create custom ingress issuers as well as custom internal issuers. To create and manage your own certificates for internal endpoints, you must create a custom internal issuer.
Procedure
Create a custom issuer in a file named rootca-custom.yaml:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <issuer_name>
spec:
  ca:
    secretName: <secret_name>

where:
- <issuer_name>: Specifies the name of your custom issuer, for example, rootca-ingress-custom.
- <secret_name>: Specifies the name of the Secret CR used by the certificate for your custom issuer. If you do not include a secret, one is created automatically.

Create a certificate in a file named ca-issuer-certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <issuer_name>
spec:
  commonName: <issuer_name>
  isCA: true
  duration: <hours>
  privateKey:
    algorithm: RSA
    size: 3072
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
  secretName: <secret_name>

where:
- <issuer_name>: Specifies the name of your custom issuer. This matches the issuer created in the first step.
- <hours>: Specifies the duration in hours, for example, a value of 87600h is equivalent to 3650 days, or about 10 years.
- <secret_name>: Specifies the name of the Secret CR used by the certificate for your custom issuer. This matches the secret named in the issuer created in the first step. If you do not include a secret, one is created automatically.

Create the issuer and certificate:

$ oc create -f rootca-custom.yaml
$ oc create -f ca-issuer-certificate.yaml

Add the custom issuer to the TLS service definition in the control plane CR file.
If your custom issuer is an ingress issuer, the custom issuer is defined under the ingress attribute as shown below:

apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack-control-plane
spec:
  tls:
    ingress:
      enabled: true
      ca:
        customIssuer: <issuer_name>
  ...

where:
- <issuer_name>: Specifies the name of your custom issuer. This matches the issuer created in the first step.

If your custom issuer is an internal issuer, the custom issuer is defined at the pod level under the internal attribute as shown below:

apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: myctlplane
spec:
  tls:
    ingress:
      enabled: true
    podLevel:
      enabled: true
      internal:
        ca:
          customIssuer: <issuer_name>

where:
- <issuer_name>: Specifies the name of your custom issuer. This matches the issuer created in the first step.
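The following added Python example (not part of the RHOSO documentation or of cert-manager) builds the Issuer and CA Certificate manifests from the first two steps and checks the cross-reference that the procedure relies on: the Issuer's spec.ca.secretName and the Certificate's spec.secretName must name the same Secret, because the CA issuer cannot become Ready until that Secret holds the CA key pair. The names rootca-ingress-custom and rootca-ingress-custom-secret are assumed sample values.

```python
import json
import re

def issuer_manifest(issuer_name, secret_name):
    # CA Issuer: signs with the CA key pair stored in the named Secret
    return {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
            "metadata": {"name": issuer_name},
            "spec": {"ca": {"secretName": secret_name}}}

def ca_certificate_manifest(issuer_name, secret_name, hours):
    # Self-signed CA Certificate whose key pair cert-manager writes to that same Secret
    return {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
            "metadata": {"name": issuer_name},
            "spec": {"commonName": issuer_name, "isCA": True,
                     "duration": f"{hours}h",
                     "privateKey": {"algorithm": "RSA", "size": 3072},
                     "issuerRef": {"name": "selfsigned-issuer", "kind": "Issuer"},
                     "secretName": secret_name}}

def duration_days(duration):
    """Convert a duration given in whole hours, such as '87600h', to days."""
    match = re.fullmatch(r"(\d+)h", duration)
    if not match:
        raise ValueError(f"duration must be whole hours with an 'h' suffix: {duration!r}")
    return int(match.group(1)) / 24

def check_pair(issuer, cert):
    """Return the problems that would stop the CA Issuer from becoming Ready."""
    problems = []
    if issuer["spec"]["ca"]["secretName"] != cert["spec"]["secretName"]:
        problems.append("Issuer spec.ca.secretName differs from Certificate spec.secretName")
    if not cert["spec"].get("isCA"):
        problems.append("Certificate must set isCA: true to back a CA Issuer")
    try:
        duration_days(cert["spec"]["duration"])
    except ValueError as exc:
        problems.append(str(exc))
    return problems

def to_yaml(obj, indent=0):
    """Minimal YAML emitter for the nested dict/scalar manifests built above."""
    pad = "  " * indent
    lines = []
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(value, indent + 1))
        else:
            lines.append(f"{pad}{key}: {json.dumps(value)}")  # true, 3072, "quoted string"
    return lines
```

Write each to_yaml result to the file named in its step and create it with oc create -f as shown above; run check_pair on the two dicts first so a mismatched secret name is caught before the Issuer is created.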