| -# le-operator |
| 1 | +# le-operator |
| 2 | + |
| 3 | +This is a noperator to auomatically renew certificates of OpenShift routes. |
| 4 | + |
| 5 | +It's currently not considered production-ready and is only built to show-case how simple it is to implement such an operator with [Operator SDK](https://sdk.operatorframework.io/) and [lego](https://github.com/go-acme/lego). |
| 6 | + |
| 7 | +# Usage |
| 8 | + |
| 9 | +Install to your cluster by running `make docker-build docker-push deploy IMG=your/docker-repository`, where you specify the image registry to push to with the `IMG` variable. |
| 10 | + |
| 11 | +Create an EncryptedDomain resource to match all routes of your system for which you want to automatically renew certificates: |
| 12 | + |
| 13 | +``` |
| 14 | +apiVersion: letsencrypt.operatingopenshift.org/v1beta1 |
| 15 | +kind: EncryptedDomain |
| 16 | +metadata: |
| 17 | + name: encrypteddomain-sample |
| 18 | + namespace: default |
| 19 | +spec: |
| 20 | + matchingHostnames: "^my-route.apps.mycluster.com$" |
| 21 | + caDir: "https://acme-staging-v02.api.letsencrypt.org/directory" |
| 22 | + RegistrationMail: "[email protected]" |
| 23 | +``` |
| 24 | + |
| 25 | +Le-operator will find all routes matching the hostname and care for certificate renewal using the ACME protocol against the provided directory. |
| 26 | + |
| 27 | +The matchingHostnames property is a regex that you can use to customize which routes should be managed by this EncryptedDomain CR. |
| 28 | +Le-operator will create a separate domain for each route matching the regex. |
| 29 | +It as well supports managing multiple routes with the same hostname, typically used for [path-based routing](https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-path-based-routes_route-configuration). |
| 30 | + |
| 31 | +The above example uses the [let's encrypt staging environment](https://letsencrypt.org/docs/staging-environment/). |
| 32 | + |
| 33 | + |
| 34 | +# Development |
| 35 | + |
| 36 | +For development, you can deploy a [Pebble](https://github.com/letsencrypt/pebble) instance to an OpenShift cluster by applying the file in [Pebble deployment](hack/pebble.yaml). |
| 37 | + |
| 38 | +That allows as well to test the workflow with a cluster that is not publicly reachable, such as a [CRC](https://github.com/code-ready/crc) cluster. |
| 39 | + |
| 40 | +Use it's service as configuration in the `EncryptedDomain` CR: |
| 41 | + |
| 42 | +``` |
| 43 | +apiVersion: letsencrypt.operatingopenshift.org/v1beta1 |
| 44 | +kind: EncryptedDomain |
| 45 | +metadata: |
| 46 | + name: encrypteddomain-sample |
| 47 | + namespace: default |
| 48 | +spec: |
| 49 | + matchingHostnames: "^my-route.apps-crc.testing$" |
| 50 | + caDir: "https://pebble:14000/dir" |
| 51 | + RegistrationMail: "[email protected]" |
| 52 | +``` |
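Review bot: both `matchingHostnames` examples (`^my-route.apps.mycluster.com$` at line 20 and `^my-route.apps-crc.testing$` at line 49) leave the dots unescaped, so each `.` matches any character and the CR would also select a route such as `my-routeXapps.mycluster.com`; since the regex decides which routes the operator requests certificates for, escape them (`^my-route\.apps\.mycluster\.com$`) and say so next to "The matchingHostnames property is a regex". Two further points on the samples: `RegistrationMail` breaks the lower camelCase of `matchingHostnames` and `caDir`, so confirm it matches the CRD's JSON tag, and the Pebble directory `https://pebble:14000/dir` is served with a self-signed certificate, so the Development section should state how the operator is made to trust it (lego reads extra CA certificates from the `LEGO_CA_CERTIFICATES` environment variable) and that the bare `pebble` hostname only resolves from the namespace the Pebble service lives in. Minor: "noperator" should be "an operator", "auomatically" should be "automatically", "It as well supports" should be "It also supports", "It's service" should be "Its service", and the two fences would render better tagged as yaml.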