
Deploying all-in-one OKD 3.11 with Let's Encrypt SSL certificates

I’ve been experimenting with OpenShift lately and in the following post I’d like to document the steps required to get an OKD 3.11 environment up and running. For those who are not familiar with the OKD abbreviation it is “The Origin Community Distribution of Kubernetes that powers Red Hat OpenShift”. The deployment is going to be set up on a single node and configured to use Let’s Encrypt SSL certificates for the API endpoint/console and HTTPS routes.

The main purpose of this exercise is to:

  • get myself familiar with the openshift-ansible installer process
  • get an OpenShift environment connected to the Internet up and running that I can experiment with

Let’s get started.



  • Get a beefy CentOS 7 VM ready. For this test I used one with 4 vCPUs, 16 GB of RAM and 50 GB of storage. Lower specs can work, but you may then need to disable the corresponding checks the installer runs.

DNS configuration

  • I’m going to use ‘’ as the domain name for this OpenShift installation, so I have to add the following DNS records to the domain’s zone file to be able to reach the environment from any client. The wildcard entry is required for the OpenShift routes:
        IN  A
*       IN  A


  • Set up the hostname
## SSH to the CentOS VM (all commands below run as the centos user)
$ sudo hostnamectl set-hostname
$ sudo hostnamectl set-hostname --transient
## add "<node IP> <fqdn> <short name>" to /etc/hosts
$ hosts=$(echo "$(ip a s dev eth0 | awk '/inet / {split($2, ary, /\//); print ary[1]}') $(hostname -f) $(hostname -s)")
$ sudo sh -c "echo $hosts >> /etc/hosts"
  • Set up the OKD 3.11 repos
## the repo ids and baseurl lines did not survive in this post; the angle-bracket
## values are placeholders to replace with the OKD 3.11 repository details
$ sudo sh -c 'cat > /etc/yum.repos.d/openshift.repo << EOF
[<origin-repo-id>]
name=OpenShift Origin 3.11
baseurl=<OKD 3.11 repository URL>
enabled=1

[<common-repo-id>]
name=OpenShift Common
baseurl=<OpenShift common repository URL>
enabled=1
EOF'
  • Install openshift-ansible and enable NetworkManager
$ sudo yum install -y openshift-ansible NetworkManager pyOpenSSL
$ sudo systemctl start NetworkManager
$ sudo systemctl enable NetworkManager
  • Fix a small dependency issue, if still necessary
$ curl -L | sudo patch -d /usr/share/ansible/openshift-ansible/ -p1
  • Generate the Let’s Encrypt certificates. I’m using Cloudflare to host my domain’s DNS zone, so the example below uses the Cloudflare DNS API hook (dns_cf) for the DNS-01 challenge
$ sudo yum install -y git
$ git clone
$ cd
## set your Cloudflare API key and email address in dnsapi/
$ vi dnsapi/
## issue one certificate covering both the apex domain and the wildcard
$ ./ --issue -d -d * --dns dns_cf
## copy the certificate, key and CA chain created in the previous step
$ sudo cp /home/centos/ /etc/pki/tls/certs/
$ sudo cp /home/centos/ /etc/pki/tls/private/
$ sudo cp /home/centos/ /etc/pki/tls/certs/
  • Create the inventory file
$ cat okd-inventory

openshift_master_identity_providers=[{ 'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'marius': '$apr1$fQGIonSg$Y6vvC8Q4Lowzp0EQl.mlE1'}

openshift_master_named_certificates=[{"certfile": "/etc/pki/tls/certs/", "keyfile": "/etc/pki/tls/private/", "names": [""], "cafile": "/etc/pki/tls/certs/"}]

[nodes]
 openshift_node_group_name='node-config-all-in-one'

  • Run the prerequisites playbook
$ sudo ansible-playbook -i okd-inventory /usr/share/ansible/openshift-ansible/playbooks/prerequisites.yml
  • Run the deploy playbook
$ sudo ansible-playbook -i okd-inventory /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
  • After running the deploy_cluster playbook the OpenShift setup should be up and running and reachable from the Internet.
$ sudo oc status
In project default on server

 (passthrough) (svc/docker-registry)
  dc/docker-registry deploys
    deployment #2 deployed 14 minutes ago - 1 pod
    deployment #1 deployed 26 minutes ago

svc/kubernetes - ports 443->8443, 53->8053, 53->8053

 (passthrough) (svc/registry-console)
  dc/registry-console deploys
    deployment #1 deployed 26 minutes ago - 1 pod

svc/router - ports 80, 443, 1936
  dc/router deploys
    deployment #2 deployed 15 minutes ago - 1 pod
    deployment #1 deployed 26 minutes ago

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
  • There is one more step to do after deployment: replace the router’s default certificate with the Let’s Encrypt certificate created earlier, then restart the router pod so it picks up the new secret.
## build the combined file the router expects: certificate, private key, CA chain
$ cat /etc/pki/tls/certs/ /etc/pki/tls/private/ /etc/pki/tls/certs/ >
$ sudo sh -c "oc secrets new router-certs tls.crt=/home/centos/ tls.key=/etc/pki/tls/private/ -o json --type='' --confirm | oc replace -f -"
$ sudo oc delete pod $(sudo oc get pods | awk '/router/ {print $1}')
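The certificate step and the router step above both hand a key and certificate to OpenShift without checking them. Below is an added helper (example code written for this post, not part of it or of openshift-ansible) that builds the combined cert+key+CA file for the router-certs secret and refuses to write it unless the key matches the certificate, the apex and wildcard SANs are both present and the certificate is not close to expiry. The file names in the usage comment are placeholders.

```shell
# Assemble and sanity-check the combined file for the OKD 3.11 router-certs
# secret. Arguments: domain, cert PEM, key PEM, CA chain PEM, output path.
# Assumes openssl is installed; nothing here is hard-coded to a host.
prepare_router_cert() {
    local domain="$1" cert="$2" key="$3" ca="$4" out="$5"
    local cert_pub key_pub sans

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read key $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key $key does not match $cert" >&2; return 1; }

    # 2. The console is served on DOMAIN and routes on *.DOMAIN, so the
    #    certificate needs both names in its subjectAltName extension.
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$sans" in
        *"DNS:$domain,"*|*"DNS:$domain") ;;
        *) echo "no SAN for $domain in $cert" >&2; return 1 ;;
    esac
    case "$sans" in
        *"DNS:*.$domain"*) ;;
        *) echo "no wildcard SAN for *.$domain in $cert" >&2; return 1 ;;
    esac

    # 3. Let's Encrypt certificates live 90 days; refuse to install one that
    #    expires within 30 days (2592000 s). Renew it instead.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "$cert expires within 30 days" >&2; return 1; }

    # 4. Concatenate in the order the router expects (cert, key, CA chain).
    #    The file holds the private key, so create it with mode 0600.
    ( umask 077 && cat "$cert" "$key" "$ca" > "$out" ) || return 1
    echo "wrote $out"
}

# Usage on the node (placeholder file names; replace with your own), then feed
# the output file to "oc secrets new router-certs tls.crt=..." as in the post:
# prepare_router_cert example.test /etc/pki/tls/certs/cert.pem \
#     /etc/pki/tls/private/cert.key /etc/pki/tls/certs/ca.pem "$HOME/router.crt"
```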


The OpenShift console can now be reached @

Credit goes to Marcos Entenza for sharing the Let’s Encrypt certificate instructions.
