피드 구독

Have you always wanted to configure your local or development Red Hat OpenShift cluster with self-signed certificates but found it too difficult and nerve-wracking?

Many articles and tutorials assume you are working with a certificate authority (CA) organization–but what if you're not? You probably don't want to purchase a domain name and pay fees to your CA just for local development. This article covers custom certificates with a private CA within the boundaries of your home lab or LAN, free and simple.

Its official page describes mkcert as "a simple tool for making locally trusted development certificates. It requires no configuration." mkcert creates a local CA in your system truststore and is probably available for your favorite operating system.

Getting ready to deploy mkcert

Here's how to use the tools below to configure an OpenShift cluster with local trusted certificates:

Requirements:

  • mkcert binary
  • OpenShift cluster with version >= 4.10
  • oc binary
  • OpenSSL

Note: OpenSSL is a powerful tool for managing certificates. It is available by default on Linux and macOS. You need little to no knowledge of OpenSSL for this article.

Workflow:

  1. Install mkcert
  2. Create a certificate signing request using OpenSSL
  3. Create and patch OpenShift's resources

mkcert deployment and configuration steps

Step 1: Install mkcert. This step creates a local CA in your system truststore:

% mkcert -install

Next, create a certificate signing request with the OpenShift default ingress wildcard domain. This typically follows the pattern: *.apps.cluster-name.example.com.

% openssl req -out ingress.csr -new -newkey rsa:4096 -nodes -keyout ingresskey.pem -subj "/C=US/ST=College Station/L=Texas/O=Home/OU=lab/CN=*.apps.sno.homelab.com"
Screenshot of a terminal window showing the results of the previous command

The following files are created:

  1. Ingress.csr - My certificate signing request.
  2. Ingresskey.pem - The csr associated private key.

Step 2: Sign the CSR with mkcert. This will produce your public key:

% mkcert -csr ingress.csr
Screenshot of a terminal window showing the results of the previous command

You're done with certificates!

Configure the cluster

Next, make your cluster aware of your certs. You will create secrets and patch your proxy and ingress controller. You can check the prerequisites for configuring a cluster with custom certificates here (but you should be fine with what you have if you've followed along).

Step 3: Create your local rootCA configmap. This is your mkcert rootCA public key. Find its location directory with the mkcert -CAROOT command. It is named rootCA.pem:

% oc create configmap homelab-ca --from-file=ca-bundle.crt=../../Library/Application\ Support/mkcert/rootCA.pem  -n openshift-config

Step 4: Create the secret containing your wildcard domain key pair:

% oc create secret tls homelab-cert --cert=_wildcard.apps.sno.homelab.com.pem --key=ingresskey.pem -n openshift-ingress

Step 5: Patch both the default proxy and ingress controller, respectively:

% oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"homelab-ca"}}}' && oc patch ingresscontrollers.operator.openshift.io default --type=merge -p '{"spec":{"defaultCertificate": {"name": "homelab-cert"}}}' -n openshift-ingress-operator

You're done!

Give your cluster a little time to reconcile the changes, and then you should be able to log into the UI via HTTPS. Verify your certificate, and confirm that it is trusted and issued by mkcert.

Screenshot of logging into the UI via HTTPS

Wrap up

You may find it impractical to configure OpenShift clusters with certificates from public certificate authorities. The process is expensive and can be tedious. This article showed you how to use mkcert to create and manage self-signed certificates for internal use. This is perfect for home labs or test environments in small businesses. The configuration is straightforward, and the prerequisites are light—just mkcert, OpenShift and OpenSSL.

Try the steps above on your own OpenShift cluster configuration today to experience the ease and practicality of mkcert certificate management.


저자 소개

Abdoul Djire is a Senior OpenShift Engineer and Red Hat Certified Specialist in OpenShift Administration with a background in hybrid platforms and infrastructure automation. He is also a GitOps enthusiast and passionate about open source.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리