Lab 12.2 - Configure OKD Certificates

1. Log in to OKD with the admin user

oc login -u admin -p rahasia

2. Configure API Server certificate

cd /root/certificate
oc create secret tls custom-tls --cert combined-cert.pem --key wildcard.key -n openshift-config

oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": [""], 
     "servingCertificate": {"name": "custom-tls"}}]}}}' 

oc get apiserver cluster -o yaml

3. Configure cluster proxy

oc create configmap combined-certs --from-file ca-bundle.crt=combined-cert.pem -n openshift-config
oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"combined-certs"}}}'
oc get proxy/cluster -o yaml

4. Configure ingress controller

oc create secret tls custom-tls-bundle --cert combined-cert.pem --key wildcard.key -n openshift-ingress
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "custom-tls-bundle"}}}' -n openshift-ingress-operator
oc get pods -n openshift-ingress -w

# Wait until all pods running

5. If the pods, not running yet. Make sure that the node's states are ready, not SchedulingDisabled

oc get nodes
oc adm uncordon 
oc adm uncordon 

6. Re-test EndPoint using CURL


7. Copy CA certificate, and save it on your laptop

cat /etc/pki/tls/certs/rootCA-crt.pem

8. Import the CA certificate:

  • Open Chrome > click setting > click security > manage certificates > click tab authorities > click import > and choose the certificate
  • Open Firefox > click preferences > privacy & security > scroll down and click view certificates > Click tab authorities > click import > and choose the certificate

And then you will see that all of the sites under are secure