| 1 | +apiVersion: console.openshift.io/v1 |
| 2 | +kind: ConsoleQuickStart |
| 3 | +metadata: |
| 4 | + annotations: |
| 5 | + capability.openshift.io/name: Console |
| 6 | + include.release.openshift.io/ibm-cloud-managed: "true" |
| 7 | + include.release.openshift.io/self-managed-high-availability: "true" |
| 8 | + include.release.openshift.io/single-node-developer: "true" |
| 9 | + name: cert-manager-example |
| 10 | +spec: |
| 11 | + conclusion: |- |
| 12 | + Great job! You've successfully created your first Issuer and Certificate. |
| 13 | +
|
| 14 | + ### Next Steps: |
| 15 | +
|
| 16 | + - For production, use Let's Encrypt (ACME Issuer) instead of self-signed certificates |
| 17 | + - Explore ClusterIssuer for cluster-wide certificate management |
| 18 | + - Check out the [cert-manager documentation](https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift) to learn more |
| 19 | + description: Create and issue TLS certificates using the cert-manager Operator for |
| 20 | + Red Hat OpenShift |
| 21 | + displayName: cert-manager Operator for Red Hat OpenShift Example |
| 22 | + durationMinutes: 10 |
| 23 | + introduction: |- |
| 24 | + # cert-manager Operator for Red Hat OpenShift |
| 25 | +
|
| 26 | + The cert-manager Operator for Red Hat OpenShift enables you to create and sign TLS certificates from an external PKI for your workloads |
| 27 | + running on an OpenShift cluster. |
| 28 | +
|
| 29 | + ### Expected Learning |
| 30 | +
|
| 31 | + With this Quick Start, you will learn about the following CRDs provided by the cert-manager operator: |
| 32 | + 1. **Issuer** - defines a certificate authority that can sign certificates |
| 33 | + 2. **Certificate** - defines the desired certificate and its properties |
| 34 | +
|
| 35 | + This Quick Start will walk you through creating your first certificate: |
| 36 | + - Create a self-signed Issuer (for testing) |
| 37 | + - Create a Certificate signed by that Issuer |
| 38 | + - View the generated certificate in a Kubernetes Secret |
| 39 | + - Learn how to use it in your applications |
| 40 | +
|
| 41 | + **Note**: For production, you would use Let's Encrypt (ACME), HashiCorp Vault, or your organization's CA instead of self-signed certificates. |
| 42 | + prerequisites: |
| 43 | + - You completed the "Install the cert-manager Operator for Red Hat OpenShift" quick |
| 44 | + start. |
| 45 | + - You have a namespace in which to deploy the example CRs. |
| 46 | + tags: |
| 47 | + - example |
| 48 | + - operator |
| 49 | + - certificates |
| 50 | + tasks: |
| 51 | + - description: |- |
| 52 | + ### To navigate to the installed operator: |
| 53 | + 1. Go to the **Installed Operators** from the [Ecosystem]{{highlight qs-nav-ecosystem}} section of the navigation. |
| 54 | + 2. In the **Search by name** field, type `cert-manager`. |
| 55 | + 3. Look for **cert-manager Operator for Red Hat OpenShift**. If you had completed the prerequisite Quick Start, the tile should appear. |
| 56 | + 4. Click on the installed operator |
| 57 | +
|
| 58 | + You will be brought to the **Operator Details** page and be presented with **Provided APIs** |
| 59 | + review: |
| 60 | + failedTaskHelp: This task isn't verified yet. Try the task again. |
| 61 | + instructions: |- |
| 62 | + #### Verify you see a list of **Provided APIs**: |
| 63 | + The list should include `Issuer`, `ClusterIssuer`, and `Certificate` |
| 64 | + summary: |
| 65 | + failed: Try the steps again. |
| 66 | + success: You are in the right place, and ready to start the rest of the Quick |
| 67 | + Start |
| 68 | + title: Navigate to installed cert-manager operator |
| 69 | + - description: |- |
| 70 | + ### Create or select a project to work in |
| 71 | + 1. Find the **Project** dropdown menu at the top of the screen. |
| 72 | + 2. Select or create the project in which you want to work in. |
| 73 | +
|
| 74 | + **Note**: For this example, we'll create an `Issuer` which is namespace-scoped. If you want to issue certificates |
| 75 | + across multiple namespaces, you can create a `ClusterIssuer` instead. |
| 76 | + review: |
| 77 | + failedTaskHelp: Try the task again. |
| 78 | + instructions: '#### Verify the name in the **Project** dropdown menu is the |
| 79 | + expected project' |
| 80 | + summary: |
| 81 | + failed: Try the steps again. |
| 82 | + success: You are in the right place. |
| 83 | + title: Select a project |
| 84 | + - description: |- |
| 85 | + ### To create a self-signed Issuer |
| 86 | +
|
| 87 | + An Issuer represents a certificate authority that can sign certificates. We'll create a self-signed Issuer |
| 88 | + for this example. This is useful for testing and development. |
| 89 | +
|
| 90 | + 1. Find the `Issuer` Custom Resource in the list of **Provided APIs** or in the top side-scrolling menu bar. |
| 91 | + - From the list of **Provided APIs**, click the **Create instance** link. |
| 92 | + - From the **top side-scrolling menu bar**, click **Issuer** and then click **Create Issuer**. |
| 93 | +
|
| 94 | + 2. Switch to **YAML view** in the editor. |
| 95 | +
|
| 96 | + 3. On the right sidebar, look for the **Samples** section and select **"Example Self-Signed Issuer"**. |
| 97 | +
|
| 98 | + 4. Click **Try it** to populate the editor with the sample YAML. |
| 99 | +
|
| 100 | + 5. Click the **Create** button to create the Issuer. |
| 101 | + review: |
| 102 | + failedTaskHelp: This task isn't verified yet. Try the task again. |
| 103 | + instructions: |- |
| 104 | + #### Verify the Issuer was successfully created: |
| 105 | + 1. You should see the Issuer listed with the name `selfsigned-issuer` |
| 106 | + 2. Check that the **Ready** condition shows **True** in the Conditions section |
| 107 | + summary: |
| 108 | + failed: Try the steps again. |
| 109 | + success: You just created a self-signed Issuer! Now we can create certificates. |
| 110 | + title: Create a self-signed Issuer |
| 111 | + - description: |- |
| 112 | + ### To create a Certificate |
| 113 | +
|
| 114 | + Now we'll create a certificate that will be signed by our Issuer. |
| 115 | +
|
| 116 | + 1. Find the `Certificate` Custom Resource in the list of **Provided APIs** or in the top side-scrolling menu bar. |
| 117 | + - From the list of **Provided APIs**, click the **Create instance** link. |
| 118 | + - From the **top side-scrolling menu bar**, click **Certificate** and then click **Create Certificate**. |
| 119 | +
|
| 120 | + 2. Switch to **YAML view** in the editor. |
| 121 | +
|
| 122 | + 3. On the right sidebar, look for the **Samples** section and select **"Example Certificate"**. |
| 123 | +
|
| 124 | + 4. Click **Try it** to populate the editor with the sample YAML. |
| 125 | +
|
| 126 | + 5. Click the **Create** button to create the Certificate. |
| 127 | + review: |
| 128 | + failedTaskHelp: This task isn't verified yet. Try the task again. |
| 129 | + instructions: |- |
| 130 | + #### Verify the Certificate was successfully created: |
| 131 | + 1. You should see the Certificate listed with the name `example-cert`. |
| 132 | + 2. Check that the **Ready** condition shows **True**. |
| 133 | + 3. Navigate to the [Workloads]{{highlight qs-nav-workloads}} section and click **Secrets** |
| 134 | + 4. You should see a new Secret named `example-tls`. |
| 135 | + summary: |
| 136 | + failed: Try the steps again. |
| 137 | + success: You just created your first certificate! cert-manager has issued it |
| 138 | + and stored it in a Secret. |
| 139 | + title: Create a Certificate |
| 140 | + - description: |- |
| 141 | + ### To inspect the certificate |
| 142 | +
|
| 143 | + Let's look at the Secret that contains the certificate. |
| 144 | +
|
| 145 | + 1. Make sure you're in the [Workloads]{{highlight qs-nav-workloads}} section, click **Secrets**. |
| 146 | + 2. Click on the **example-tls** Secret. |
| 147 | + 3. You should see the certificate data with keys: |
| 148 | + - `tls.crt` - The certificate. |
| 149 | + - `tls.key` - The private key. |
| 150 | + - `ca.crt` - The CA certificate. |
| 151 | + review: |
| 152 | + failedTaskHelp: This task isn't verified yet. Try the task again. |
| 153 | + instructions: |- |
| 154 | + #### Verify you can see the certificate data: |
| 155 | + Is the Secret `example-tls` present with `tls.crt` and `tls.key`? |
| 156 | + summary: |
| 157 | + failed: Try the steps again. |
| 158 | + success: Great! Your certificate is ready to use. |
| 159 | + title: View the certificate |
| 160 | + - description: |- |
| 161 | + ### How to use certificates |
| 162 | +
|
| 163 | + Now you can use this certificate in your applications. Here's a simple example for an OpenShift Route: |
| 164 | +
|
| 165 | + ```yaml |
| 166 | + apiVersion: route.openshift.io/v1 |
| 167 | + kind: Route |
| 168 | + metadata: |
| 169 | + name: my-app |
| 170 | + spec: |
| 171 | + to: |
| 172 | + kind: Service |
| 173 | + name: my-service |
| 174 | + tls: |
| 175 | + termination: edge |
| 176 | + externalCertificate: |
| 177 | + name: example-tls |
| 178 | + ``` |
| 179 | +
|
| 180 | + Or in an Ingress: |
| 181 | +
|
| 182 | + ```yaml |
| 183 | + apiVersion: networking.k8s.io/v1 |
| 184 | + kind: Ingress |
| 185 | + metadata: |
| 186 | + name: my-app |
| 187 | + spec: |
| 188 | + tls: |
| 189 | + - secretName: example-tls |
| 190 | + rules: |
| 191 | + - host: example.com |
| 192 | + ``` |
| 193 | +
|
| 194 | + **Note**: cert-manager will automatically renew certificates before they expire! |
| 195 | + review: |
| 196 | + failedTaskHelp: Review the examples above. |
| 197 | + instructions: |- |
| 198 | + #### Do you understand how to use certificates? |
| 199 | + Certificates can be referenced in Routes and Ingress resources. |
| 200 | + summary: |
| 201 | + failed: Review the examples again. |
| 202 | + success: You now know how to create and use certificates! |
| 203 | + title: Use the certificate |
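Review bot: the Route sample in the "How to use certificates" task points `spec.tls.externalCertificate` at the cert-manager Secret, but the task never says that the ingress router must be allowed to read that Secret: on OpenShift the router service account needs a Role and RoleBinding in the project granting `get`, `list` and `watch` on `example-tls` (and the Secret must be of type `kubernetes.io/tls`, which cert-manager does produce); without that RBAC the Route is rejected, so a reader following the quick start verbatim ends up with a non-working Route. Suggest either adding a step that creates the Role/RoleBinding or a note stating the requirement, and stating which OpenShift releases support the `externalCertificate` field. Two smaller points: the Ingress sample sets `host: example.com` with no backend and no `hosts` under `tls`, so it should be marked as illustrative, and both samples only work when the host matches a `dnsNames` entry of the "Example Certificate" sample the reader created earlier, which the task should call out. Finally, the "To inspect the certificate" task walks the reader into opening `tls.key` in the console; it is worth one sentence there that this is the private key and that read access to the Secret should be restricted accordingly, since the quick start otherwise presents viewing it as routine.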