OPENSHIFT-ADD-CA-BUNDLE

From Essential
Revision as of 08:20, 18 April 2023 by Tcepo (talk | contribs)

ynotopec + CHATGPT4

The following script automates the process of fetching the CA bundle, creating a ConfigMap, and updating the cluster-wide proxy configuration in OpenShift. It assumes that you have already logged in to the OpenShift cluster with the oc CLI tool and have the necessary permissions.

#!/bin/bash

# Check if URL is provided
if [ -z "$1" ]; then
  echo "Usage: $0 <URL>"
  exit 1
fi

# Extract the host name from the URL (fourth field when splitting on "/" and ":")
domain=$(echo "$1" | awk -F'[/:]' '{print $4}')

# Get the certificate chain the server presents
cert_chain=$(echo | openssl s_client -connect "${domain}:443" -servername "${domain}" -showcerts 2>/dev/null)

# Create the CA bundle file and empty it
ca_bundle_file="ca-bundle.crt"
> "$ca_bundle_file"

# Extract every PEM certificate block from the chain and append it to the CA bundle
echo "$cert_chain" | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' >> "$ca_bundle_file"

# Stop if nothing was extracted (unreachable host, TLS failure, no certificates)
if ! grep -q -- "-----BEGIN CERTIFICATE-----" "$ca_bundle_file"; then
  echo "No certificates retrieved from ${domain}" >&2
  exit 1
fi
echo "Appended $(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca_bundle_file") certificate(s) to ${ca_bundle_file}"

# Create a ConfigMap containing the CA bundle in the openshift-config namespace
# (the proxy's trustedCA expects the data key to be named ca-bundle.crt)
oc create configmap custom-ca-bundle -n openshift-config --from-file=ca-bundle.crt=./ca-bundle.crt

# Update the cluster-wide proxy configuration to include the custom CA bundle
# (spec.trustedCA holds a single ConfigMap reference, so this replaces any bundle configured before)
oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"custom-ca-bundle"}}}'

echo "CA bundle added to the OpenShift cluster and trusted cluster-wide."

Save the script in a file (e.g., add_ca_bundle_to_openshift.sh) and make it executable using:

chmod +x add_ca_bundle_to_openshift.sh

Then you can run the script with the URL as an argument:

./add_ca_bundle_to_openshift.sh https://example.com

Make sure to replace https://example.com with the URL you want to retrieve the CA bundle from. The script will fetch the CA bundle, create a ConfigMap in the openshift-config namespace, and update the cluster-wide proxy configuration to include the new CA bundle.
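The extraction step done more carefully, as an added example that is not part of the original page: it takes saved `openssl s_client -showcerts` output, keeps only the issuer certificates (chain entries 1 and up, since entry 0 is the server's own certificate and not a CA), de-duplicates them and refuses to produce an empty bundle. The function name, file paths and the sample input are assumptions; servers usually send intermediates but not the root, so review what was kept before trusting it cluster-wide.

```shell
#!/bin/bash
# Added example (not from the original page): build the CA bundle from
# `openssl s_client -showcerts` output, skipping chain entry 0 (the server's
# own certificate, not a CA) and duplicate PEM blocks; fails if none remain.
set -eu
# pem_ca_certs INPUT OUTPUT -> writes the CA certificates, prints their count
pem_ca_certs() {
  awk '
    BEGIN { idx = -1 }
    /^ *[0-9]+ s:/ { idx = $1; subj = $0 }   # entry header, e.g. " 1 s:CN = ..."
    /-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
    inblk { blk = blk $0 "\n" }
    /-----END CERTIFICATE-----/ {
      inblk = 0
      if (idx == 0) next                      # leaf certificate, not a CA
      if (blk in seen) next                   # identical block already kept
      seen[blk] = 1; n++
      printf "%s", blk
      print "kept chain entry:" subj > "/dev/stderr"
    }
    END { if (n > 0) exit 0; exit 1 }
  ' "$1" > "$2" || { echo "no CA certificates found in $1" >&2; return 1; }
  grep -c -- "-----BEGIN CERTIFICATE-----" "$2"
}
# Constructed s_client output (placeholder base64 bodies, not real certificates);
# entry 2 repeats entry 1 to show de-duplication.
WORK=$(mktemp -d)
SAMPLE="$WORK/showcerts.txt"
cat > "$SAMPLE" <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
TEFGTEFGTEFGTEFGTEFG
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJJTlRFUklOVEVS
-----END CERTIFICATE-----
 2 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJJTlRFUklOVEVS
-----END CERTIFICATE-----
---
EOF
count=$(pem_ca_certs "$SAMPLE" "$WORK/ca-bundle.crt")
echo "wrote $count CA certificate(s) to $WORK/ca-bundle.crt"   # 1 for the sample
```

Feed it the real output by saving `echo | openssl s_client -connect host:443 -servername host -showcerts 2>/dev/null` to a file first, then create the ConfigMap from the resulting bundle as the script above does.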

To OPENSHIFT (light version)

  1. https://infocepo.com/wiki/index.php/OPENSHIFT-ADD-CA-BUNDLE
domainName=console-openshift-console.apps.ocp4-6.infocepo.com
domainVariableName=$(echo "${domainName}" | tr '.' '-')

# Get the certificate chain and keep only the PEM certificate blocks
echo | openssl s_client -connect "${domainName}:443" -servername "${domainName}" -showcerts 2>/dev/null \
  | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | tee "${domainVariableName}-ca-bundle.crt"

# The ConfigMap data key must be named ca-bundle.crt for the proxy's trustedCA to use it;
# the file is read from the current directory, where tee wrote it
oc create configmap "${domainVariableName}-ca-bundle" -n openshift-config \
  --from-file=ca-bundle.crt="$(realpath "./${domainVariableName}-ca-bundle.crt")"

# Point the cluster-wide proxy at the new bundle (replaces any previously configured trustedCA)
oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"'"${domainVariableName}"'-ca-bundle"}}}'