cert-manager / openshift-routes

OpenShift Route support for cert-manager
Apache License 2.0

Can the plugin be configured to use a wildcard certificate? #13

Open YevheniiPokhvalii opened 2 years ago

YevheniiPokhvalii commented 2 years ago

Judging by the description, this plugin issues a multi-domain certificate that includes SANs from each route host. But can it somehow generate one wildcard certificate to cover all routes at once? (By the way, this question is connected with DNS validation, since wildcard certificates do not support HTTP validation.)

vinzent commented 2 years ago

The plugin is about the OpenShift Routes resources/API (https://docs.openshift.com/container-platform/4.11/rest_api/network_apis/route-route-openshift-io-v1.html), not about configuring the IngressController (https://docs.openshift.com/container-platform/4.11/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.html).

Probably, you want to use a plain Cert-Manager Certificate Resource to create the wildcard cert for the ingresscontroller.

https://cert-manager.io/docs/tutorials/acme/dns-validation/#issuing-an-acme-certificate-using-dns-validation

YevheniiPokhvalii commented 2 years ago

I see. Thanks. So, as far as I understood, this plugin is about adding annotations to Routes so the cert manager operator triggers the certificate validation/installation for the resource, since, originally, it only understands annotations for Ingresses.

As you mentioned, I managed to find a workaround with the "default certificate", as the OpenShift IngressController also supports it. So I basically created a ClusterIssuer with the Certificate resource, where I indicated a reference to a secret. This secret will be created by cert-manager and contain a certificate as soon as Let's Encrypt issues it. It is also required to patch the OpenShift IngressController resource to use that secret. In addition, we managed to integrate AWS with cert-manager to enable DNS validation using IRSA.

I also wrote a guide, since I could not find any step-by-step information online. Probably I'll attach it here, if you don't mind, when it is proofread. Someone may require this info as well.

If we may need to issue a certificate specifically for some Routes, we will definitely try this useful openshift-routes plugin.

Update: Here is the guide: https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/ I hope it will help someone.
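As an added illustration of the workaround described in this comment (not code from the thread or from the openshift-routes project), the three pieces in one manifest set: a DNS-01 ClusterIssuer, a wildcard Certificate, and the IngressController patch. The domain, e-mail, AWS region, hosted zone ID and resource names are placeholders; the IRSA role binding on cert-manager's ServiceAccount is assumed to be done separately.

```yaml
# Added example. Placeholders: example.com, admin@example.com, us-east-1,
# Z0PLACEHOLDER and the resource names below.
#
# 1. ClusterIssuer: ACME with a DNS-01 solver via Route53. Wildcard names
#    cannot be validated with HTTP-01, so DNS-01 is required. With IRSA no
#    static access keys are stored in the cluster; the cert-manager
#    ServiceAccount is annotated with the IAM role (assumed done elsewhere).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-dns-account-key
    solvers:
    - dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z0PLACEHOLDER   # optional; pins the zone lookup
      selector:
        dnsZones:
        - apps.example.com
---
# 2. Wildcard Certificate, placed in openshift-ingress because that is the
#    namespace in which the IngressController reads its default certificate
#    secret. cert-manager writes the issued cert into secretName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: apps-wildcard
  namespace: openshift-ingress
spec:
  secretName: apps-wildcard-tls
  dnsNames:
  - "*.apps.example.com"
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
# 3. Point the default IngressController at that secret (run once the secret
#    exists; the router serves the renewed cert automatically afterwards):
#    oc patch ingresscontroller default -n openshift-ingress-operator \
#      --type=merge -p '{"spec":{"defaultCertificate":{"name":"apps-wildcard-tls"}}}'
```

Check issuance with `oc get certificate -n openshift-ingress` before applying the patch, since pointing the IngressController at a secret that does not exist yet leaves the router on its previous certificate.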

netwarex commented 1 year ago

Hi @vinzent,

Follow-up question regarding:

> Probably, you want to use a plain Cert-Manager Certificate Resource to create the wildcard cert for the ingresscontroller.

If I would like to use a wildcard certificate for a Route, it still would be nice to have the option to reference an existing Certificate object to use.

So when I assign a Certificate to multiple Route objects, they can be automatically updated when the wildcard certificate is renewed. Would you please consider adding this functionality?

Thank you!