OPENSHIFT-ADD-CA-BUNDLE: Difference between revisions

From Essential
(Undo revision 1465 by Tcepo (talk))
Tag: Undo

Revision as of 11:08, 18 April 2023

[Figure: Untrusted-CA-without-CERTMANAGER.drawio.png]

light code

# https://infocepo.com/wiki/index.php/OPENSHIFT-ADD-CA-BUNDLE
# Host whose certificate chain the cluster should trust (fill in before running),
# e.g. the console route of another cluster
domainName=
domainVariableName=$(echo ${domainName} |tr '.' '-' )

# Get the certificate chain as the server presents it: leaf first, then the intermediates
# (the root itself is often not sent). Inspect the file and compare the CA fingerprints
# with a trusted source before going on: nothing in this step distinguishes the real CA
# from one injected by a man-in-the-middle.
echo | openssl s_client -connect ${domainName}:443 -servername ${domainName} -showcerts 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' |tee ./${domainVariableName}-ca-bundle.crt
# The data key must be named ca-bundle.crt: that is the key the cluster-wide proxy reads from spec.trustedCA
oc create configmap ${domainVariableName}-ca-bundle -n openshift-config \
--from-file=ca-bundle.crt=./${domainVariableName}-ca-bundle.crt
# This replaces any ConfigMap already referenced by spec.trustedCA (e.g. user-ca-bundle);
# if one exists, merge the new certificates into that bundle instead of replacing it
oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"'${domainVariableName}'-ca-bundle"}}}'

To PODS

  1. https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html
  2. https://github.com/openshift/openshift-docs/blob/main/modules/certificate-injection-using-operators.adoc
  3. https://docs.openshift.com/container-platform/4.9/security/certificates/updating-ca-bundle.html
  4. https://lzone.de/blog/Adding-custom-CA-certificates-in-Openshift
apiVersion: v1
kind: ConfigMap
metadata:
  name: user-ca-bundle
  namespace: openshift-config
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----

ynotopec + CHATGPT4

The following script automates the process of fetching the CA bundle, creating a ConfigMap, and updating the cluster-wide proxy configuration in OpenShift. It assumes that you have already logged in to the OpenShift cluster with the oc CLI tool and have permission to create ConfigMaps in the openshift-config namespace and to patch the cluster Proxy resource (normally cluster-admin).

#!/bin/bash
set -euo pipefail

# Check if URL is provided
if [ -z "${1:-}" ]; then
  echo "Usage: $0 <URL>"
  exit 1
fi

# Extract the host from the URL (scheme://host/...); a port in the URL is ignored, 443 is always used
domain=$(echo "$1" | awk -F[/:] '{print $4}')

# Get the certificate chain as the server presents it (leaf first, then the intermediates)
cert_chain=$(echo | openssl s_client -connect "${domain}:443" -servername "${domain}" -showcerts 2>/dev/null)

# Extract every PEM certificate of the chain into the CA bundle file
ca_bundle_file="ca-bundle.crt"
echo "$cert_chain" | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$ca_bundle_file"

# Refuse to continue if nothing came back (wrong host, closed port, TLS failure)
count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca_bundle_file" || true)
if [ "$count" -eq 0 ]; then
  echo "No certificate received from ${domain}:443" >&2
  exit 1
fi

# List subject and issuer of each certificate so the operator can review what is about to be trusted
echo "Wrote $count certificate(s) to $ca_bundle_file:"
openssl crl2pkcs7 -nocrl -certfile "$ca_bundle_file" | openssl pkcs7 -print_certs -noout

# Create or update the ConfigMap in the openshift-config namespace; the data key must be named ca-bundle.crt
oc create configmap custom-ca-bundle -n openshift-config --from-file=ca-bundle.crt="$ca_bundle_file" \
  --dry-run=client -o yaml | oc apply -f -

# Point the cluster-wide proxy configuration at the custom CA bundle
# (this replaces any ConfigMap previously referenced in spec.trustedCA)
oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"custom-ca-bundle"}}}'

echo "CA bundle added to the OpenShift cluster and trusted cluster-wide."

Save the script in a file (e.g., add_ca_bundle_to_openshift.sh) and make it executable using:

chmod +x add_ca_bundle_to_openshift.sh

Then you can run the script with the URL as an argument:

./add_ca_bundle_to_openshift.sh https://example.com

Make sure to replace https://example.com with the URL you want to retrieve the CA bundle from. The script will fetch the certificate chain, create a ConfigMap in the openshift-config namespace, and update the cluster-wide proxy configuration to include the new CA bundle. Note that it trusts whatever chain the server presents, including the server's own leaf certificate, so inspect ca-bundle.crt and compare the CA fingerprints with a trusted source before running it against a production cluster.
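Both the light code and the script above take whatever chain openssl s_client -showcerts returns and hand it straight to oc. The following bash example is added here and is not part of the wiki page or of either script; it shows the check a practitioner would put between those two steps. It splits the captured chain, keeps only certificates with basicConstraints CA:TRUE (the server's own leaf certificate has no place in a trust bundle), prints SHA-256 fingerprints to compare against an out-of-band source, and proves with openssl verify that the resulting bundle validates the leaf before any ConfigMap is created. Because it has to run offline, it builds a throwaway root CA and server certificate with openssl in place of a real capture; the hostname console-openshift-console.apps.example.test, the CN Example Root CA and the ConfigMap name example-ca-bundle are invented for the demo, and the oc command is only printed, not run.

```bash
#!/usr/bin/env bash
# Added example (not the wiki's own code): vet a chain captured with
# `openssl s_client -showcerts` before it becomes the trustedCA ConfigMap.
set -euo pipefail

# split_pem FILE DIR : write each PEM certificate of FILE to DIR/cert-NN.pem,
# keeping the order in which the server presented them
split_pem() {
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%02d.pem", d, n++) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# filter_ca_certs CHAIN BUNDLE : copy only the CA certificates (basicConstraints
# CA:TRUE) of CHAIN into BUNDLE and print how many were kept. The server's leaf
# certificate is dropped: it is not a trust anchor and would expire first.
filter_ca_certs() {
  local chain=$1 bundle=$2 kept=0 part dir
  dir=$(mktemp -d)
  split_pem "$chain" "$dir"
  : > "$bundle"
  for part in "$dir"/cert-*.pem; do
    if openssl x509 -in "$part" -noout -text | grep 'CA:TRUE' >/dev/null; then
      cat "$part" >> "$bundle"
      kept=$((kept + 1))
    fi
  done
  rm -rf "$dir"
  echo "$kept"
}

# fingerprints BUNDLE : one line per certificate, "<sha256>  <subject>", to be
# compared with what the CA's operator publishes before the bundle is trusted
fingerprints() {
  local part dir fp subj
  dir=$(mktemp -d)
  split_pem "$1" "$dir"
  for part in "$dir"/cert-*.pem; do
    fp=$(openssl x509 -in "$part" -noout -fingerprint -sha256 | cut -d= -f2)
    subj=$(openssl x509 -in "$part" -noout -subject | cut -d= -f2-)
    printf '%s  %s\n' "$fp" "$subj"
  done
  rm -rf "$dir"
}

# bundle_verifies BUNDLE LEAF : succeed only if BUNDLE alone (system trust
# store disabled) validates LEAF, i.e. the bundle really holds the trust anchor
bundle_verifies() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_chain DIR : constructed stand-in for a real capture. Builds a
# throwaway root CA and a server certificate signed by it (all names invented)
# and writes DIR/chain.pem the way a server sends it: leaf first, then the CA.
make_demo_chain() {
  local d=$1 host=console-openshift-console.apps.example.test
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=$host" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/root.pem" > "$d/chain.pem"
}

# Demo run. In real use, replace chain.pem with the file produced by the page's
# openssl s_client command and run the printed oc command once the fingerprints check out.
work=$(mktemp -d)
make_demo_chain "$work"
total=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$work/chain.pem")
kept=$(filter_ca_certs "$work/chain.pem" "$work/ca-bundle.crt")
echo "chain has $total certificate(s); $kept CA certificate(s) kept for the bundle"
fingerprints "$work/ca-bundle.crt"
if bundle_verifies "$work/ca-bundle.crt" "$work/leaf.pem"; then
  echo "bundle verifies the server certificate; next step:"
  echo "  oc create configmap example-ca-bundle -n openshift-config --from-file=ca-bundle.crt=$work/ca-bundle.crt"
else
  echo "bundle does not verify the server certificate: the trust anchor is missing, do not trust it" >&2
  exit 1
fi
```

The verify step is the one that catches the common failure mode: servers often send only the leaf and the intermediates, so the filtered bundle may contain an intermediate but no root. openssl verify then fails without -partial_chain, which is the signal to fetch the root from the CA operator (and check its fingerprint) rather than to trust what came over the wire.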