OPENSHIFT-ADD-CA-BUNDLE: Difference between revisions
Latest revision as of 22:35, 18 April 2023

[[File:Untrusted-CA-without-CERTMANAGER.drawio.png]]
light code
<syntaxhighlight lang="bash">
# Host whose TLS certificate the cluster should trust (fill in, e.g. a private registry host name)
domainName=
# Derive a ConfigMap name from the host name: dots are not allowed in resource names
domainVariableName=$(echo "${domainName}" | tr '.' '-')
# Fetch the chain the server presents. "openssl x509" keeps only the first certificate of the
# chain, i.e. the server's own leaf certificate, so that is what this file contains.
echo | openssl s_client -connect "${domainName}:443" -servername "${domainName}" -showcerts 2>/dev/null | openssl x509 -outform PEM | tee "./${domainVariableName}-ca.crt"
# Store it in openshift-config. The key inside the ConfigMap must be ca-bundle.crt,
# because that is the key proxy/cluster reads from the trustedCA ConfigMap.
oc create configmap "${domainVariableName}-ca" -n openshift-config \
  --from-file=ca-bundle.crt="./${domainVariableName}-ca.crt"
# Point the cluster-wide proxy trust bundle at the new ConfigMap
oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"'"${domainVariableName}"'-ca"}}}'
</syntaxhighlight>
To PODS
- https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html
- https://github.com/openshift/openshift-docs/blob/main/modules/certificate-injection-using-operators.adoc
- https://docs.openshift.com/container-platform/4.9/security/certificates/updating-ca-bundle.html
- https://lzone.de/blog/Adding-custom-CA-certificates-in-Openshift
<syntaxhighlight lang="yaml">
# ConfigMap referenced by proxy/cluster .spec.trustedCA; the key must be named ca-bundle.crt.
# The text between BEGIN/END below is a placeholder: paste the PEM-encoded CA certificate(s) there.
apiVersion: v1
kind: ConfigMap
metadata:
  name: user-ca-bundle
  namespace: openshift-config
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----
</syntaxhighlight>
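The ConfigMap above only feeds the cluster-wide trust bundle; a pod does not see it unless the bundle is injected into the pod's own namespace and mounted. The shell function below is an added example written for this page, not code from the wiki author or from the linked documentation, although the label and the mount path follow the OpenShift injection mechanism those documents describe: a ConfigMap carrying the config.openshift.io/inject-trusted-cabundle label, which the Cluster Network Operator fills with the merged ca-bundle.crt (system CAs plus the proxy trustedCA), and a Deployment that mounts that key over the system trust store of a RHEL-based image. Namespace, application name and image are arguments; trusted-ca and injected_cert_count are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the wiki page): make the cluster trust bundle available to a pod.

# Print a ConfigMap that the operator populates with ca-bundle.crt, plus a Deployment that
# mounts it as /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (the path RHEL tooling reads).
trusted_ca_manifests() {  # trusted_ca_manifests NAMESPACE APP_NAME IMAGE
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: trusted-ca
  namespace: $1
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
# no data: the Cluster Network Operator injects the ca-bundle.crt key
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $2
  namespace: $1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: $2
  template:
    metadata:
      labels:
        app: $2
    spec:
      containers:
      - name: $2
        image: $3
        volumeMounts:
        - name: trusted-ca
          mountPath: /etc/pki/ca-trust/extracted/pem
          readOnly: true
      volumes:
      - name: trusted-ca
        configMap:
          name: trusted-ca
          items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem
EOF
}

# After "oc apply": number of certificates the operator injected. 0 means the label was
# not picked up (or the ConfigMap was created before the operator was watching).
injected_cert_count() {  # injected_cert_count NAMESPACE
  oc -n "$1" get configmap trusted-ca -o jsonpath='{.data.ca-bundle\.crt}' \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Usage: trusted_ca_manifests myproject web quay.io/example/web:1 | oc apply -f -
#        injected_cert_count myproject
```

The mount replaces the whole /etc/pki/ca-trust/extracted/pem directory inside the container, so only tls-ca-bundle.pem exists there afterwards; that is fine because the injected bundle already contains the system CAs, not just the custom ones.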
ynotopec + CHATGPT4
The following script automates the process of fetching the CA bundle, creating a ConfigMap, and updating the cluster-wide proxy configuration in OpenShift. It assumes that you have already logged in to the OpenShift cluster with the oc CLI tool and have the necessary permissions.
<syntaxhighlight lang="bash">
#!/bin/bash
# Check if URL is provided
if [ -z "$1" ]; then
  echo "Usage: $0 <URL>"
  exit 1
fi
# Extract the host name from the URL (4th field when splitting on "/" and ":")
domain=$(echo "$1" | awk -F'[/:]' '{print $4}')
# Get the certificate chain the server presents (leaf first, then intermediates)
cert_chain=$(echo | openssl s_client -connect "${domain}:443" -servername "${domain}" -showcerts 2>/dev/null)
# Write every certificate of the chain into the CA bundle file, in order
ca_bundle_file="ca-bundle.crt"
echo "$cert_chain" | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$ca_bundle_file"
echo "Wrote $(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca_bundle_file") certificate(s) to $ca_bundle_file"
# Create a ConfigMap containing the CA bundle in the openshift-config namespace
# (the key name ca-bundle.crt is what proxy/cluster expects)
oc create configmap custom-ca-bundle -n openshift-config --from-file=ca-bundle.crt="./$ca_bundle_file"
# Update the cluster-wide proxy configuration to include the custom CA bundle
oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"custom-ca-bundle"}}}'
echo "CA bundle added to the OpenShift cluster and trusted cluster-wide."
</syntaxhighlight>
Save the script in a file (e.g., add_ca_bundle_to_openshift.sh) and make it executable using:
chmod +x add_ca_bundle_to_openshift.sh
Then you can run the script with the URL as an argument:
./add_ca_bundle_to_openshift.sh https://example.com
Make sure to replace https://example.com with the URL you want to retrieve the CA bundle from. The script will fetch the CA bundle, create a ConfigMap in the openshift-config namespace, and update the cluster-wide proxy configuration to include the new CA bundle.
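Both scripts on this page put whatever the server sends straight into proxy/cluster, including the server's own leaf certificate, and never check that the resulting bundle actually validates the server. The POSIX shell script below is an added example written for this page, not code from the wiki author or from OpenShift: it fetches the chain, keeps only the issuing CA certificates (or the certificate itself when the server is self-signed), prints the subject and issuer of everything that would be trusted, verifies the leaf against the bundle with openssl, and only touches the cluster when APPLY=1 is set. The helper names (fetch_chain, pem_split_chain, pem_chain_without_leaf, verify_leaf) and the ./ca-out output directory are hypothetical.

```shell
#!/bin/sh
# Added example for this page, not the wiki author's code: fetch a server's TLS chain,
# keep only the issuing CA certificates, show and verify them, then (only with APPLY=1)
# hand the bundle to proxy/cluster. Helper names and the output directory are hypothetical.

# Fetch the PEM chain a server presents: leaf first, then intermediates (RFC 8446 order).
fetch_chain() {  # fetch_chain HOST PORT
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Number of certificates in a PEM file (prints 0 when there are none).
pem_cert_count() {  # pem_cert_count FILE
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into OUTDIR/cert-1.pem, cert-2.pem, ... in chain order.
pem_split_chain() {  # pem_split_chain FILE OUTDIR
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { close(out); inside = 0 }
  ' "$1"
}

# Everything except the first certificate: the leaf belongs to the server, the rest are
# the issuing CAs, which is what trustedCA should carry.
pem_chain_without_leaf() {  # pem_chain_without_leaf FILE
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2' "$1"
}

# Show subject and issuer of each split certificate so the operator sees what gets trusted.
describe_certs() {  # describe_certs DIR
  for f in "$1"/cert-*.pem; do
    printf '%s: ' "$f"
    openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
    echo
  done
}

# The leaf must validate against the bundle we are about to trust; -partial_chain lets an
# intermediate act as the anchor when the server did not send a self-signed root.
verify_leaf() {  # verify_leaf LEAF_PEM BUNDLE_PEM
  openssl verify -partial_chain -CAfile "$2" "$1"
}

main() {  # main HOST [PORT] [OUTDIR]
  host=$1; port=${2:-443}; dir=${3:-./ca-out}
  [ -n "$host" ] || { echo "usage: $0 HOST [PORT] [OUTDIR]" >&2; return 1; }
  mkdir -p "$dir"
  fetch_chain "$host" "$port" > "$dir/chain.pem"
  total=$(pem_cert_count "$dir/chain.pem")
  [ "$total" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; return 1; }
  pem_split_chain "$dir/chain.pem" "$dir"
  if [ "$total" -eq 1 ] && openssl verify -CAfile "$dir/cert-1.pem" "$dir/cert-1.pem" >/dev/null 2>&1; then
    cp "$dir/cert-1.pem" "$dir/ca-bundle.crt"   # self-signed server: the certificate is its own anchor
  else
    pem_chain_without_leaf "$dir/chain.pem" > "$dir/ca-bundle.crt"
  fi
  if [ "$(pem_cert_count "$dir/ca-bundle.crt")" -eq 0 ]; then
    echo "$host sent only its leaf certificate; obtain the CA certificate from its owner instead" >&2
    return 1
  fi
  describe_certs "$dir"
  verify_leaf "$dir/cert-1.pem" "$dir/ca-bundle.crt" || return 1
  name="$(echo "$host" | tr '.' '-')-ca"
  echo "bundle ready: $dir/ca-bundle.crt ($(pem_cert_count "$dir/ca-bundle.crt") CA certificate(s))"
  if [ "${APPLY:-0}" = 1 ]; then
    # the key must be ca-bundle.crt: that is the key proxy/cluster reads from the ConfigMap
    oc create configmap "$name" -n openshift-config --from-file=ca-bundle.crt="$dir/ca-bundle.crt"
    oc patch proxy/cluster --type=merge -p "{\"spec\":{\"trustedCA\":{\"name\":\"$name\"}}}"
  else
    echo "re-run with APPLY=1 to create configmap/$name in openshift-config and patch proxy/cluster"
  fi
}

# Usage: ./trust_server_ca.sh registry.example.com        (dry run, shows the bundle)
#        APPLY=1 ./trust_server_ca.sh registry.example.com (creates the ConfigMap and patches the proxy)
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The dry run is the important part: a server that sends only its leaf, or a chain whose leaf does not verify against the extracted CAs, stops the script before anything is written to openshift-config, which is where the one-liners above would have silently installed the wrong certificate.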
