A couple of years ago at a meetup I talked about using cert-manager on OpenShift. At the time I used the Kubernetes Ingress object with cert-manager as it is directly supported by cert-manager. Unfortunately, OpenShift Routes are not supported by cert-manager even though someone made a PR to support them.
Fortunately for the OpenShift community this PR led to the creation of cert-utils-operator which patches OpenShift Routes with the Certificate generated from cert-manager.
ALL OF THIS because OpenShift Routes do not support TLS via k8s secrets.
I will also be using Venafi Cloud as the CA for this integration. Venafi has a pretty awesome API and it offers a wide variety of integrations which also includes a Terraform provider.
Now, with that out of the way, I'm going to write about how to configure cert-manager with Venafi for OpenShift routes with the help of the cert-utils-operator.
Install cert-manager
The installation of cert-manager is pretty straightforward. Just do this:
```shell
$ oc create namespace cert-manager
$ oc apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
```
Install cert-utils-operator
I installed it via Helm:
```shell
$ oc new-project cert-utils-operator
$ helm repo add cert-utils-operator https://redhat-cop.github.io/cert-utils-operator
$ helm repo update
$ helm install cert-utils-operator cert-utils-operator/cert-utils-operator
```
Setting up Venafi Cloud for cert-manager
There's a series of easy steps that need to be done as prerequisites for the cert-manager integration. The steps for Venafi TPP are quite similar.
Create an Issuing template:
Click on Settings -> Issuing Templates -> Create a new Issuing Template
I went with the default Venafi built-in CA
![](https://static.wixstatic.com/media/560cc6_43e249a42e6d44aabe31c594115eceef~mv2.png/v1/fill/w_49,h_29,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/560cc6_43e249a42e6d44aabe31c594115eceef~mv2.png)
Create an Application:
Create a new Application by navigating to Organizations -> Applications. Choose the previously created Issuing Template when creating it.
![](https://static.wixstatic.com/media/560cc6_d766755380fa4828b793d5ff741c6e24~mv2.png/v1/fill/w_49,h_29,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/560cc6_d766755380fa4828b793d5ff741c6e24~mv2.png)
Get API keys:
Next, grab the API key so it can be stored in a Kubernetes secret. Go to the newly created Application and click on API tools and then Kubernetes. You will see the kubectl command auto-generated with the API token:
![](https://static.wixstatic.com/media/560cc6_590cc80e50774828b7c51933ddab4c60~mv2.png/v1/fill/w_49,h_29,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/560cc6_590cc80e50774828b7c51933ddab4c60~mv2.png)
Configure cert-manager
Create the Secret:
Copy the command to create the k8s secret. Create it in the namespace where certs are needed. I create them in a namespace called weather:
```shell
kubectl create secret generic venafi-cloud-secret \
--namespace='weather' \
--from-literal=apikey='blahlblahblah'
```
Create the Issuer:
Create the Issuer for Venafi cloud in the namespace where the certs are needed. You can also create a ClusterIssuer to make things more automated.
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: venafi-cloud-issuer
spec:
  venafi:
    zone: "certmanager\\cert-manager-it"
    cloud:
      apiTokenSecretRef:
        name: venafi-cloud-secret
        key: apikey
```
```shell
$ oc apply -f issuer.yaml -n weather   # kubectl apply works the same way
```
Create the Certificate:
Create the certificate to reference the issuer:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: weather-certificate
spec:
  # Name of the TLS secret cert-manager writes; the Route annotation below
  # must reference this exact name.
  secretName: weather-tls
  commonName: weather.apps.ocp.stackhack.ca
  dnsNames:
  - weather.apps.ocp.stackhack.ca
  issuerRef:
    name: venafi-cloud-issuer
```
```shell
$ oc apply -f certificate.yaml -n weather   # or kubectl apply
```
Once the certificate is created, it should automatically generate the secret containing the certificate:
```shell
$ oc get secrets -n weather | grep weather
weather-tls kubernetes.io/tls 3 5s
```
If you've made it thus far, everything is good to go to inject this secret into the route.
Create the Route:
Finally, let's create the Route to automatically inject the TLS cert from the secret. Note the annotations here. This is where cert-utils-operator comes into play to inject the secret into the Route. This will not work without these annotations on OpenShift Routes.
```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    cert-utils-operator.redhat-cop.io/certs-from-secret: weather-tls
    cert-utils-operator.redhat-cop.io/inject-CA: "false"
  labels:
    app: weather-app
    app.kubernetes.io/component: weather-app
    app.kubernetes.io/instance: weather-app
  name: weather
spec:
  host: weather.apps.ocp.stackhack.ca
  port:
    targetPort: 8080-tcp
  tls:
    insecureEdgeTerminationPolicy: None
    termination: edge
  to:
    kind: Service
    name: weather-app
    weight: 100
  wildcardPolicy: None
```
```shell
$ oc apply -f route.yaml -n weather   # or kubectl apply
```
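A pre-apply consistency check for the Certificate and Route above, added here as an example (it is not from the post, cert-manager or cert-utils-operator): it confirms that the Route's certs-from-secret annotation names the secret the Certificate will write, that the Route host is covered by the certificate's names, and that the Route terminates TLS at the router so the injected cert is actually presented. The sample manifests are constructed from the ones in this post; the wildcard handling goes slightly beyond the post's single-host case.

```python
import json
import sys

ANNOTATION = "cert-utils-operator.redhat-cop.io/certs-from-secret"

# Constructed samples mirroring the post's Certificate and Route manifests
# (names and hostname copied from the post; this is not live cluster data).
SAMPLE_CERT = {"kind": "Certificate", "spec": {
    "secretName": "weather-tls",
    "commonName": "weather.apps.ocp.stackhack.ca",
    "dnsNames": ["weather.apps.ocp.stackhack.ca"],
    "issuerRef": {"name": "venafi-cloud-issuer"}}}
SAMPLE_ROUTE = {"kind": "Route", "metadata": {"name": "weather",
    "annotations": {ANNOTATION: "weather-tls"}}, "spec": {
    "host": "weather.apps.ocp.stackhack.ca",
    "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "None"}}}

def _covers(name: str, host: str) -> bool:  # exact SAN match, or one-label wildcard
    if name.startswith("*."):
        return host.split(".", 1)[1:] == [name[2:]]
    return name == host

def check_route_cert(cert: dict, route: dict) -> list:
    """Return the problems found; an empty list means the pair is consistent."""
    problems = []
    spec, rspec = cert.get("spec", {}), route.get("spec", {})
    wanted = route.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if not wanted:
        problems.append(f"route lacks the {ANNOTATION} annotation, so nothing is injected")
    elif wanted != spec.get("secretName"):
        problems.append(f"route references secret {wanted!r} but the Certificate writes "
                        f"{spec.get('secretName')!r}; the router would keep its default cert")
    names = set(spec.get("dnsNames", []))
    if spec.get("commonName"):
        names.add(spec["commonName"])
    host = rspec.get("host", "")
    if not any(_covers(n, host) for n in names):
        problems.append(f"route host {host!r} is not covered by certificate names {sorted(names)}")
    tls = rspec.get("tls") or {}
    if tls.get("termination") not in ("edge", "reencrypt"):
        problems.append("termination must be edge or reencrypt for the router to present the cert")
    if tls.get("insecureEdgeTerminationPolicy") == "Allow":
        problems.append("insecureEdgeTerminationPolicy: Allow also serves the app over plain HTTP")
    return problems

if __name__ == "__main__":  # usage: check.py cert.json route.json (from `oc get ... -o json`)
    args = [json.load(open(p)) for p in sys.argv[1:3]] or [SAMPLE_CERT, SAMPLE_ROUTE]
    found = check_route_cert(*args)
    print("\n".join(found) or "OK: Route and Certificate are consistent")
    sys.exit(1 if found else 0)
```

Run it against `oc get certificate ... -o json` and `oc get route ... -o json` output before applying changes; a secretName that does not match the annotation is the most common reason the Route silently keeps the router's default certificate.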
Navigate to the URL and check out the cert:
![](https://static.wixstatic.com/media/560cc6_d0c8e9ded30743d38a08583424041549~mv2.png/v1/fill/w_49,h_29,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/560cc6_d0c8e9ded30743d38a08583424041549~mv2.png)
Expand the cert to make sure it's from the right CA:
![](https://static.wixstatic.com/media/560cc6_291ef1a375a0487aa4170e2677d82db1~mv2.png/v1/fill/w_49,h_33,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/560cc6_291ef1a375a0487aa4170e2677d82db1~mv2.png)
Let me know if there are any questions! The code used in the blog is on this repo here
fin.