You can replace the default ingress certificate for all
applications under the .apps subdomain. After you replace
the certificate, all applications, including the web console
and CLI, will have encryption provided by specified certificate.
-
You must have a wildcard certificate and its private key, both in the PEM format, for use.
-
The certificate must have a
subjectAltNameextension of*.apps.<clustername>.<domain>.
-
Create a ConfigMap that includes the certificate authority used to signed the new certificate:
$ oc create configmap custom-ca \ --from-file=ca-bundle.crt=</path/to/example-ca.crt> \//(1) -n openshift-config-
</path/to/example-ca.crt>is the path to the certificate authority file on your local file system.
-
-
Update the cluster-wide proxy configuration with the newly created ConfigMap:
$ oc patch proxy/cluster \ --type=merge \ --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}' -
Create a secret that contains the wildcard certificate and key:
$ oc create secret tls <certificate> \//(1) --cert=</path/to/cert.crt> \//(2) --key=</path/to/cert.key> \//(3) -n openshift-ingress-
<certificate>is the name of the secret that will contain the certificate and private key. -
</path/to/cert.crt>is the path to the certificate on your local file system. -
</path/to/cert.key>is the path to the private key associated with this certificate.
-
-
Update the Ingress Controller configuration with the newly created secret:
$ oc patch ingresscontroller.operator default \ --type=merge -p \ '{"spec":{"defaultCertificate": {"name": "<certificate>"}}}' \//(1) -n openshift-ingress-operator-
Replace
<certificate>with the name used for the secret in the previous step.
-