Hey everybody, this is Grant, your friendly neighborhood OpenShift team member. Yesterday I created a video that shows how quick and easy it is to install OKD 3.10 on your local machine, on bare metal, or on a virtual machine. Now, OKD is the community distribution of Kubernetes, and it's also the upstream project that powers Red Hat OpenShift Container Platform.

After I posted the video yesterday, in the comments section I got some requests to add an SSL certificate to the console. By default, when you install OKD, it uses a self-signed certificate. So what happens when you want to actually use a custom hostname as well as a real certificate? I'll put the link to that video showing how to install it in the description below, but today we're going to focus on installing that SSL certificate. Now, I'm doing a lot of this by memory. I do not have this written down, so you'll have to bear with me as I go through this.

So the first thing we want to do is open up our terminal window and increase the font size here a little bit so everyone can see it fine. Now, if you recall from yesterday's video, the IP address was .14 on my local network, so I'm just going to SSH into that machine, 192.168.0.14, and I'm going to authenticate.

Now that I'm on my OpenShift box, the first thing I want to do is, we see we have this installcentos repository. That's what we used to install OKD yesterday. Now we're going to use certbot to generate a Let's Encrypt certificate. So the first thing we need to do is install certbot, and that comes from the EPEL repository, which is on your system after you run through the install script, but that repository is probably disabled. So let's go ahead and look at our yum repos here, and we can see that we have the EPEL repo here. So let's go ahead and edit that, and sure enough, it was not enabled.
So let's enable that by changing the 0 to a 1 there, save that, and now we want to do yum install certbot. This will take just a second.

Now, the way certbot works is it can stand up a temporary web server to verify or validate that you actually own, and are on, the system that has that hostname. Now, the problem with that is that we have already installed OpenShift, right? And so OpenShift is listening on port 80, port 8443 and port 443, if you remember from that video. So we actually need to make it to where OKD is not listening on those ports, so that certbot can stand up the temporary server to verify that identity.

So to do that, let's see if I'm logged into my OKD cluster with the oc whoami command. I am. Let's see what project we're in. I'm in the project default. So let's look at our deployment configs. We have a router that is running in a state of one pod. So let's go ahead and scale that down. We can say oc scale --replicas=0, and we want to scale down the dc of the router, and we get a message saying that that has been scaled down. So let's verify that. So now nothing is listening on that port, so we can go ahead and run certbot.

So we just type in certbot, and it's going to give us a message here saying that we can run it in certonly mode, which is what we want to do: certbot certonly. So I'll hit enter there, and it's going to give me a few options here. I want to spin up a temporary web server, so I'm going to hit 1, and then it's going to ask me for my email address. So I'll punch in my email address here, and let's see what is going on here. Terms of service: let's agree to those. Do we want to share?
No, I don't. Okay, so, please enter the domain name. The domain of my OKD web console is console.techdope.io. Hit enter there, and it's going to verify that I own that domain with that temporary web server, and if everything went correctly, we should see a congratulations message. And we do: your certificate and chain have been saved at this directory. Okay, great. So let's go ahead and scale back up our router. Okay, so now the router is back up.

Now we need to change a few things in the installcentos directory. When you ran this the first time, it created this inventory.ini file with everything filled out based on the values that we entered in the other video, like our domain name, and so you can see that the OpenShift public hostname, for example, is configured to console.techdope.io. So I'm going to edit this file, and this is where I'm going to cheat just a little bit: I have this written down in Visual Studio Code. So I'm going to paste this in and then I will cover it.

All right, so let's paste this in. The first thing we add is openshift_master_overwrite_named_certificates. We set that to true, since we're going to use our own certificate, and then we specify our certificates. The first is the cert file, and certbot placed the cert file for console.techdope.io in this directory, named cert.pem. We also provide the key file, which is my private key, and then we add a names section to specify that this is for the console.techdope.io hostname. Okay, so we're going to save this.

Now, if you recall, this install-openshift shell script actually just runs Ansible under the covers, and so to apply this SSL certificate to the existing OKD cluster installation that we have, I simply need to run Ansible. So what are the commands to do that? I'm just going to cat this install .sh file and I'm going to grep for ansible, and the two files, or the two commands, we want is this first one, right?
Let's just go ahead and run the prerequisites again just to make sure everything's still good, and it's just going to go through and validate that I have everything on my system. Now, of course, we should, because OpenShift is functioning properly on this node that I have it installed on. So we'll let this finish up, and then we're going to actually run the playbook that's going to replace the self-signed certificates with that custom SSL cert that I got from Let's Encrypt.

All right, so that has finished. We ran the prerequisites. So let's go ahead and cat that again, the install script, and now we want to run the deploy cluster playbook, same thing we did during the install. So I'm going to paste that in. And my keyboard got stuck for a second; it kept repeating the enter key. All right, so it's going to go through and run through the deploy cluster playbook, and it's going to install that certificate that we created with certbot and validated, that's issued from Let's Encrypt.

All right, everybody, I'm back. Sorry, I lost track of time. As you can see, about four hours have passed on this lovely Friday evening here, but I remembered I was recording a video. So what I did is, this finished up installing, looks like everything was good, and then I went ahead and rebooted the box. Okay, so you may want to do that. Also, during this install, I didn't even see that problem that I was mentioning earlier. So you may or may not; if you do see it, where it gets hung on waiting for the API server to come back up, just rerun the script and everything should be working.

Now, let's go ahead and try this out. Let's open up a new tab and let's go to https://console.techdope.io:8443, and look at that, ladies and gentlemen. Pow, Bob's your uncle, okey-dokey. Everything's looking great here. So we can see we have a "verified by Let's Encrypt" here. So let's go ahead and look at the certificate: console.techdope.io, secure connection, and it's verified by Let's Encrypt. We can go ahead and look at this certificate, and we can see that this certificate was applied correctly, and now I will no longer get those self-signed certificate warnings. So let's go ahead and log back in, she should play password and password, and we can see that OpenShift is back up and running, or sorry, OKD is back up and running.

So anyway, that's how you apply a real certificate to your OpenShift/OKD cluster. I hope you enjoyed this video. Have a good weekend, everybody.
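
The steps walked through in this video, collected into one shell script as an added example (it is not the presenter's code). It assumes certbot's default /etc/letsencrypt/live/<hostname>/ layout with cert.pem and privkey.pem, the openshift-ansible playbooks under openshift-ansible/playbooks next to inventory.ini, and a placeholder hostname; named_cert_vars, patch_inventory and issue_cert are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: the video's steps as one script. Run as root on the OKD host,
# from the installcentos checkout: ./okd-cert.sh --apply (file name is hypothetical)
set -eu

DOMAIN="${DOMAIN:-console.example.com}"                # placeholder hostname
INVENTORY="${INVENTORY:-inventory.ini}"
PLAYBOOKS="${PLAYBOOKS:-openshift-ansible/playbooks}"  # assumed checkout location

# The two [OSEv3:vars] lines described in the video, for one hostname.
named_cert_vars() {
  local live="/etc/letsencrypt/live/$1"   # certbot's default output directory
  printf 'openshift_master_overwrite_named_certificates=true\n'
  printf 'openshift_master_named_certificates=[{"certfile": "%s/cert.pem", "keyfile": "%s/privkey.pem", "names": ["%s"]}]\n' \
    "$live" "$live" "$1"
}

# Insert those lines right after the [OSEv3:vars] header, once only.
patch_inventory() {
  local file="$1" domain="$2" tmp line
  grep -q '^openshift_master_named_certificates=' "$file" && return 0
  grep -q '^\[OSEv3:vars\]' "$file" || { echo "no [OSEv3:vars] in $file" >&2; return 1; }
  tmp="$(mktemp)"
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s\n' "$line"
    case "$line" in "[OSEv3:vars]"*) named_cert_vars "$domain" ;; esac
  done < "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place so owner and mode are kept
  rm -f "$tmp"
}

# Free port 80 for certbot's temporary web server, then restore the router
# even when certbot fails, so application routes are not left down.
issue_cert() {
  local rc=0
  oc scale --replicas=0 dc/router -n default
  certbot certonly --standalone -d "$1" || rc=$?
  oc scale --replicas=1 dc/router -n default
  return "$rc"
}

if [ "${1:-}" = "--apply" ]; then
  yum install -y --enablerepo=epel certbot   # enables EPEL for this command only
  issue_cert "$DOMAIN"
  patch_inventory "$INVENTORY" "$DOMAIN"
  ansible-playbook -i "$INVENTORY" "$PLAYBOOKS/prerequisites.yml"
  ansible-playbook -i "$INVENTORY" "$PLAYBOOKS/deploy_cluster.yml"
fi
```

Let's Encrypt certificates are valid for 90 days, so port 80 has to be freed the same way for each renewal. certbot also writes chain.pem next to cert.pem, which openshift-ansible accepts through an optional "cafile" key when clients need the intermediate certificate.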