An Operator for Automated Certificate Lifecycle in OpenShift
Prerequisites
Installation
git clone [this repo]
dep ensure
Local Run for Development
oc login ...
oc new-project cert-operator
export OPERATOR_NAME=cert-operator
operator-sdk up local
Running Test Cases
oc login ...
oc new-project cert-operator-test
export OPERATOR_NAME=cert-operator
operator-sdk test local ./test/e2e/ --namespace=cert-operator-test --up-local
Deployment to OpenShift
oc process -f build/build.yml | oc apply -f-
oc apply -f deploy/service_account.yaml
oc apply -f deploy/role.yaml
oc apply -f deploy/role_binding.yaml
oc apply -f deploy/deployment.yaml
Configuration
The operator is configured via a combination of environment variables and a configuration file. The majority of the config can be placed in a YAML
formatted config file. The configuration file is loaded by searching in the following locations, with those at the top taking priority:
-
value of
CERT_OP_CONFIG
environment variable -
/etc/cert-operator/config.yml
General Config
The cert operator uses annotations on the various resources it manages to decide what actions are required. The annotations that are used are configurable via the config file. The default values are as follows:
general:
annotations:
status: openshift.io/cert-ctl-status
status-reason: openshift.io/cert-ctl-status-reason
expiry: openshift.io/cert-ctl-expires
format: openshift.io/cert-ctl-format
Certificate Providers
The cert operator provides a pluggable architecture for supporting multiple certificate providers. The following is the set of current and planned providers.
-
✓ NoneProvider(
none
) - A mock provider for testing which returns empty values -
✓ SelfSignedProvider(
self-signed
) - Delivers self-signed certificates -
❏ LetsEncryptProvider(
lets-encrpyt
) - A free and open public CA -
❏ FreeIPAProvider(
ipa
) - An open source identity management system -
[X] VenafiProvider(
venafi
) - An Enterprise PKI product
Configuring which provider is used is a matter of adding the following to your config.yml:
provider:
kind: <name>
ssl: <true/false>
Certificate Formats
This operator currently supports the following certificate formats.
Notifications
This operator currently supports sending notifications via ChatOps. The following is the set of current and planned providers.
-
✓ Slack
-
❏ RocketChat
To configure sending notifications, set the following environment variables:
NOTIFIER_TYPE="slack"
<NOTIFIER>_WEBHOOK_URL="https://example.webhook.com/bla/blah"
Testing Functionality
This operator will create certificates for routes and services. To test this functionality, first create a new application.
oc new-app --template dotnet-example
Create a Certificate for a Route
Annotate the route to tell the operator it needs a cert.
oc annotate route dotnet-example openshift.io/cert-ctl-status=new --overwrite
In the logs for your operator, you’ll see something like:
{"level":"info","ts":1553713448.1514533,"logger":"controller_route","msg":"Reconciling Route","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}
{"level":"info","ts":1553713448.2551682,"logger":"controller_route","msg":"Updated route with new certificate","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}
Then, if you take a look at your dotnet-example
route, you’ll see that it has been update with a TLS Edge policy.
$ oc get route dotnet-example -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
openshift.io/managed.cert: "secured"
...
name: dotnet-example
spec:
...
tls:
certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
termination: edge
...
Create a Certificate for a Service (SSL-to-Pod)
Annotate the service to tell the operator it needs a cert. The default certificate format will be PEM unless you first create an annotation of "openshift.io/cert-ctl-format" with a Supported Certificate Formats above.
oc annotate service dotnet-example openshift.io/cert-ctl-status=new --overwrite
In the logs for your operator, you’ll see something like:
{"level":"info","ts":1553715427.6889565,"logger":"controller_service","msg":"Reconciling Service","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}
{"level":"info","ts":1553715427.8858836,"logger":"controller_service","msg":"Updated service with new certificate","Request.Namespace":"cert-operator","Request.Name":"dotnet-example"}
Look to see that a new secret has been created in your project.
$ oc get secret | grep dotnet-example
dotnet-example-certificate Opaque 2 23m
You’ll also notice that the annotation on the service has changed.
$ oc get service dotnet-example -o jsonpath='{.metadata.annotations.openshift\.io/cert-ctl-status}'
secured
Create a Certificate for a Service (SSL-to-Pod) PKCS12 format
Annotate the service to tell the operator it needs a cert. The default certificate format will be PEM unless you first create an annotation of format "openshift.io/cert-ctl-format"
oc annotate service dotnet-example openshift.io/cert-ctl-format=pkcs12 --overwrite
oc annotate service dotnet-example openshift.io/cert-ctl-status=new --overwrite
You will notice two entries in the secret "tls.p12" and "tls-p12-secret.txt"