learn by doing

Deploying all-in-one OKD 3.11 with Let's Encrypt SSL certificates

I’ve been experimenting with OpenShift lately, and in the following post I’d like to document the steps required to get an OKD 3.11 environment up and running. For those who are not familiar with the OKD abbreviation, it is “The Origin Community Distribution of Kubernetes that powers Red Hat OpenShift”. The deployment is going to be set up on a single node and configured to use Let’s Encrypt SSL certificates for the API endpoint/console and the HTTPS routes.

The main purpose of this exercise is to:

  • get myself familiar with the openshift-ansible installer process
  • get an OpenShift environment connected to the Internet up and running that I can experiment with

Let’s get started.



  • Get a beefy CentOS 7 VM ready. For this test I used one with 4 vCPUs, 16 GB of RAM and 50 GB of storage. The specs could be lowered but you may need to disable specific checks the installer runs.

DNS configuration

  • I’m going to use ‘’ as the domain name for this OpenShift installation. Consequently I’ve got to set up the following DNS records in my domain’s zone file to be able to reach the environment from any client. The wildcard mask entry is required for the OpenShift routes:
	   IN	A
*       IN	A


  • Set up the hostname
## SSH to the CentOS VM
[centos@containers ~]$ sudo hostnamectl set-hostname
[centos@containers ~]$ sudo hostnamectl set-hostname --transient
[centos@containers ~]$ hosts=$(echo "$(ip a s dev eth0 | awk '/inet / {split($2, ary, /\//); print ary[1]}') $(hostname -f) $(hostname -s)")
[centos@containers ~]$ sudo sh -c "echo $hosts >> /etc/hosts"
  • Set up the OKD 3.11 repos
[centos@containers ~]$ sudo sh -c 'cat > /etc/yum.repos.d/openshift.repo << EOF
name=OpenShift Origin 3.11

name=OpenShift Common
  • Install openshift-ansible and enable NetworkManager
[centos@containers ~]$ sudo yum install -y openshift-ansible NetworkManager pyOpenSSL
[centos@containers ~]$ sudo systemctl start NetworkManager
[centos@containers ~]$ sudo systemctl enable NetworkManager
  • Fix small dependency issue if still necessary
[centos@containers ~]$ curl -L | sudo patch -d /usr/share/ansible/openshift-ansible/ -p1
  • Generate Let’s Encrypt certificates. I’m using Cloudflare for hosting my domain DNS zone so the example below will call the Cloudflare script
[centos@containers ~]$ sudo yum install -y git
[centos@containers ~]$ git clone
[centos@containers ~]$ cd
## set your API key and email address in dnsapi/
[centos@containers]$ vi dnsapi/
[centos@containers]$ ./ --issue -d -d * --dns dns_cf
## copy certificate and key that got created in the previous step
[centos@containers]$ sudo cp /home/centos/ /etc/pki/tls/certs/
[centos@containers]$ sudo cp /home/centos/ /etc/pki/tls/private/
[centos@containers]$ sudo cp /home/centos/ /etc/pki/tls/certs/
  • Create Inventory file
[centos@containers ~]$ cat okd-inventory



openshift_master_identity_providers=[{ 'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'marius': '$apr1$fQGIonSg$Y6vvC8Q4Lowzp0EQl.mlE1'}

openshift_master_named_certificates=[{"certfile": "/etc/pki/tls/certs/", "keyfile": "/etc/pki/tls/private/", "names": [""], "cafile": "/etc/pki/tls/certs/"}]




[nodes] openshift_node_group_name='node-config-all-in-one'



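Before running the playbooks it is worth linting the inventory for the settings that decide who can log in and which certificate the API serves. The following is an added example, not part of the post or of openshift-ansible: it parses the [OSEv3:vars] section, decodes the list/dict literals the way the installer does, and flags htpasswd entries that are not hashes, named certificates whose key lives outside /etc/pki/tls/private, entries without a cafile, and a public hostname that no named certificate covers. The inventory embedded in it is constructed and abridged; okd.example.com and the certificate file names are placeholders for the post’s (elided) domain, and openshift_master_cluster_public_hostname is a standard openshift-ansible variable that the post’s inventory listing does not show.

```python
"""Lint the security-relevant settings of an openshift-ansible inventory.

Added example for this post, not part of openshift-ansible."""
import ast
import sys

# Constructed, abridged inventory in the shape of the post's okd-inventory.
# okd.example.com and the file names are placeholders.
SAMPLE_INVENTORY = """
[OSEv3:vars]
ansible_ssh_user=centos
ansible_become=true
openshift_deployment_type=origin
openshift_release=3.11
openshift_master_cluster_public_hostname=okd.example.com
openshift_master_identity_providers=[{ 'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'marius': '$apr1$fQGIonSg$Y6vvC8Q4Lowzp0EQl.mlE1'}
openshift_master_named_certificates=[{"certfile": "/etc/pki/tls/certs/okd.example.com.cer", "keyfile": "/etc/pki/tls/private/okd.example.com.key", "names": ["okd.example.com"], "cafile": "/etc/pki/tls/certs/okd-ca.cer"}]

[nodes]
okd.example.com openshift_node_group_name='node-config-all-in-one'
"""

# Prefixes of the hash formats htpasswd produces; anything else is treated as
# a plaintext or unknown entry.
HASH_PREFIXES = ("$apr1$", "$2y$", "$2a$", "$2b$", "{SHA}")
KEY_DIR = "/etc/pki/tls/private/"


def parse_vars(text):
    """Return the [OSEv3:vars] settings as a dict; list/dict values are
    Python or JSON literals, so they are decoded with ast.literal_eval."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "OSEv3:vars" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value[:1] in ("[", "{"):
            try:
                value = ast.literal_eval(value)
            except (ValueError, SyntaxError):
                pass  # keep the raw string; lint() flags the wrong type
        values[key.strip()] = value
    return values


def hostname_covered(hostname, names):
    """True if hostname equals one of names or matches a one-label wildcard."""
    for name in names:
        if name.startswith("*."):
            # *.example.com covers app.example.com, not example.com or a.b.example.com
            if hostname.count(".") == name.count(".") and hostname.endswith(name[1:]):
                return True
        elif hostname == name:
            return True
    return False


def lint(values):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    users = values.get("openshift_master_htpasswd_users", {})
    if not isinstance(users, dict):
        findings.append("openshift_master_htpasswd_users is not a dict literal")
        users = {}
    for user, hashed in users.items():
        if not str(hashed).startswith(HASH_PREFIXES):
            findings.append(f"htpasswd entry for {user!r} is not a recognised password hash")

    certs = values.get("openshift_master_named_certificates", [])
    if not isinstance(certs, list) or not certs:
        findings.append("no openshift_master_named_certificates: the API and console "
                        "would be served with the installer's self-signed CA")
        certs = []
    for entry in certs:
        missing = [k for k in ("certfile", "keyfile", "names")
                   if not isinstance(entry, dict) or k not in entry]
        if missing:
            findings.append(f"named certificate entry is missing {missing}")
            continue
        if not entry["keyfile"].startswith(KEY_DIR):
            findings.append(f"keyfile {entry['keyfile']} is outside {KEY_DIR}")
        if "cafile" not in entry:
            findings.append(f"named certificate for {entry['names']} has no cafile, "
                            "so clients will not be sent the intermediate chain")

    public = values.get("openshift_master_cluster_public_hostname")
    if public:
        names = [n for e in certs if isinstance(e, dict) for n in e.get("names", [])]
        if not hostname_covered(public, names):
            findings.append(f"{public} is not covered by any named certificate")
    return findings


if __name__ == "__main__":
    # usage: python lint_inventory.py okd-inventory   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INVENTORY
    problems = lint(parse_vars(text))
    print("\n".join(problems) if problems else "inventory checks passed")
    sys.exit(1 if problems else 0)
```

Run it against the real okd-inventory before the prerequisites playbook; a non-zero exit means something above needs attention. The keyfile check matters because ansible copies the key to the master as-is, so a key sitting in a home directory is readable by more than root on the node.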
  • Run prerequisites playbook
[centos@containers ~]$ sudo ansible-playbook -i okd-inventory /usr/share/ansible/openshift-ansible/playbooks/prerequisites.yml
  • Run deploy playbook
[centos@containers ~]$ sudo ansible-playbook -i okd-inventory /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
  • After running the deploy_cluster playbook, the OpenShift setup should be up and running and reachable from the Internet.
[centos@containers ~]$ sudo oc status
In project default on server (passthrough) (svc/docker-registry)
  dc/docker-registry deploys 
    deployment #2 deployed 14 minutes ago - 1 pod
    deployment #1 deployed 26 minutes ago

svc/kubernetes - ports 443->8443, 53->8053, 53->8053 (passthrough) (svc/registry-console)
  dc/registry-console deploys 
    deployment #1 deployed 26 minutes ago - 1 pod

svc/router - ports 80, 443, 1936
  dc/router deploys 
    deployment #2 deployed 15 minutes ago - 1 pod
    deployment #1 deployed 26 minutes ago

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
  • There is one more step that we have to do post-deployment. This replaces the current router certificate with the Let’s Encrypt certificate that we created earlier.
[centos@containers ~]$ cat /etc/pki/tls/certs/ /etc/pki/tls/private/ /etc/pki/tls/certs/ >
[centos@containers ~]$ sudo sh -c "oc secrets new router-certs tls.crt=/home/centos/ tls.key=/etc/pki/tls/private/ -o json --type='' --confirm | oc replace -f -"
[centos@containers ~]$ sudo oc delete pod $(sudo oc get pods | awk '/router/ {print $1}')
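A quick way to confirm that both the console and a route hostname now present the Let’s Encrypt certificate, as an added example that is not part of the post: the default `ssl` context verifies the chain against the system trust store and checks the hostname, so a handshake that still hits the installer’s self-signed certificate fails outright, and the summary of the leaf certificate shows the issuer, the SANs and the days left before expiry. okd.example.com is a placeholder for the post’s domain, the embedded certificate dict is constructed in the shape of `getpeercert()` output, and `fetch_cert`, `summarize` and `assess` are names chosen for this example.

```python
"""Check that OKD endpoints serve the Let's Encrypt certificate after the
router-certs swap. Added example for this post, not from the post itself."""
import socket
import ssl
import sys
import time

# Constructed, in the shape of ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "okd.example.com"), ("DNS", "*.okd.example.com")),
    "notAfter": "Mar  1 00:00:00 2030 GMT",
}


def fetch_cert(hostname, port=443, timeout=5):
    """Handshake with the default context: chain verification against the
    system trust store plus hostname check, so an installer-generated
    self-signed certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def summarize(cert, now=None):
    """Reduce a getpeercert() dict to the fields worth checking."""
    now = time.time() if now is None else now
    # issuer is a tuple of RDNs, each a tuple holding one (attribute, value) pair
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {"issuer_org": issuer.get("organizationName"), "sans": sans, "days_left": days_left}


def assess(summary, min_days=14):
    """Return a list of problems; an empty list means the endpoint looks right."""
    problems = []
    if summary["issuer_org"] != "Let's Encrypt":
        problems.append(f"issuer is {summary['issuer_org']!r}, not Let's Encrypt; "
                        "the installer-generated certificate is probably still served")
    if summary["days_left"] < min_days:
        problems.append(f"certificate expires in {summary['days_left']} days; renew "
                        "with acme.sh and repeat the router-certs replacement")
    return problems


if __name__ == "__main__":
    # usage: python check_certs.py okd.example.com app.okd.example.com
    status = 0
    for host in sys.argv[1:]:
        try:
            summary = summarize(fetch_cert(host))
        except (ssl.SSLError, OSError) as exc:
            print(f"{host}: handshake failed: {exc}")
            status = 1
            continue
        problems = assess(summary)
        print(f"{host}: issuer={summary['issuer_org']} days_left={summary['days_left']} "
              f"sans={summary['sans']}")
        for problem in problems:
            print(f"  {problem}")
        if problems:
            status = 1
    sys.exit(status)
```

Run it with the console hostname and one hostname under the wildcard route domain; the latter only passes once the router pod has been recreated with the new router-certs secret. Because Let’s Encrypt certificates are valid for 90 days, the acme.sh renewal has to be followed by this same `oc secrets`/`oc replace`/pod deletion sequence (and by redeploying the master named certificate), which is what the expiry check is meant to catch.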


The OpenShift console can now be reached @

Credit goes to Marcos Entenza for sharing the Let’s Encrypt certificate instructions.
