Upgrade of OpenShift certificates

Description

The status.ovirt.org certificate expires in April; we have some time but it would be nice to replace DigiCert with Let's Encrypt. I see that the cert-manager operator can do that but I have no experience with such integration. It seems like the way to go though (or with another implementation).

I would like to point out that we would need support for HTTP01. DNS01 would be nice but unless we convert the ovirt.org domain fully into a dynamic zone, which I do not recommend, there is an option to use CNAMEs to a dynamic sub-zone; it works fine but it is not yet merged upstream (see https://github.com/certbot/certbot/pull/7244).

Activity

Evgheni Dereveanchin
February 21, 2020, 9:43 AM

status.ovirt.org is running inside OpenShift and we’ve got openshift-acme working there to issue Let’s Encrypt certs to routes that need them.

The metadata required to activate the controller on a certain route is listed here:

https://ovirt-infra-docs.readthedocs.io/en/latest/Phoenix_Lab/OpenShift/index.html#enabling-opensift-acme-on-a-route

I’ve performed the steps so now the certificate is provided by Let’s Encrypt and managed by the controller.


Done

Assignee

Evgheni Dereveanchin

Reporter

Marc Dequènes (Duck)

Blocked By

None

Priority

Low