Parameters

The parent key for all of the following parameters is openshift4_ingress.

ingressControllers

type: dictionary

default: Default ingress controller.

A dictionary holding the .spec for ingress controllers. The keys of the dict are used as names for the ingress controllers.

See the OpenShift docs for available parameters.

The domain parameter is required.

To remove all ingress controllers, set to null.

ingressControllerAnnotations

type: dictionary

default: {}

A dictionary holding the annotations for ingress controllers. The keys of the dict are the names of the ingress controllers to annotate.

cloud.provider

type: string

default: ${facts:cloud}

The name of the cloud provider where the DNS service is hosted. Except for special cases, this parameter should always be set to ${facts:cloud}.

cloud.credentials

type: string

default: undefined

The cloud provider credentials which will be used by the Issuer. If this isn’t set, a CredentialsRequest will be created.

cloud.gcp.projectName

type: string

default: undefined

The GCP project name in which the DNS setup is hosted.

cloud.aws.accessKey

type: string

default: undefined

Access key ID to be used for Route53 access. The credentials will be created by this component via a CredentialsRequest. Unfortunately the access key ID must be copied from the resulting secret:

kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.aws_access_key_id}' | \
  base64 --decode

cloud.azure.clientID

type: string

default: undefined

kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_client_id}' | \
  base64 --decode

cloud.azure.subscriptionID

type: string

default: undefined

kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_subscription_id}' | \
  base64 --decode

cloud.azure.tenantID

type: string

default: undefined

kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_tenant_id}' | \
  base64 --decode

cloud.azure.resourceGroupName

type: string

default: undefined

kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_resourcegroup}' | \
  base64 --decode

secrets

type: dictionary

default: {}

Each entry in parameter secrets is deployed onto the cluster as a Kubernetes Secret with type=kubernetes.io/tls. Entries with null values are skipped. This allows users to remove secrets which were configured higher up in the hierarchy.

The component has basic validation to ensure the secret contents are a plausible Kubernetes TLS secret.

The dictionary keys are used as metadata.name for the resulting Secret resources. The dictionary values are directly merged into a Secret resource which only has type=kubernetes.io/tls set. The secrets are created in the namespace indicated by parameter namespace.

The OpenShift authentication operator generates a secret which contains the certificate and secret key of the ingress default certificate in a single field. To ensure that the concatenated data is always valid, the component appends a trailing newline to each field of the provided secret.

cert_manager_certs

type: dictionary

default: {}

Each entry in parameter cert_manager_certs is deployed onto the cluster as a cert-manager Certificate resource. Entries with null values are skipped. This allows users to remove certificates which were configured higher up in the hierarchy.

The dictionary keys are used as metadata.name and spec.secretName for the resulting Certificate resources. The dictionary values are then directly merged into the otherwise mostly empty Certificate resources.
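The rules stated for the secrets and cert_manager_certs parameters above (null entries skipped, dictionary key used as the resource name and as spec.secretName, type fixed to kubernetes.io/tls, a trailing newline appended to every secret field, basic TLS plausibility checks) are compact enough to model in a few functions. The following is an added illustration written for this page, not the component's own Jsonnet: the sample dictionaries are constructed, the PEM bodies are placeholders, and the exact plausibility checks are an assumption, since the page only says the validation is "basic".

```python
import base64
import copy

# Constructed sample input: `secrets` and `cert_manager_certs` as a user would
# write them in the hierarchy. PEM bodies are placeholders, not key material.
SAMPLE_SECRETS = {
    "prod-wildcard": {
        "stringData": {
            # no trailing newline: the renderer must add one
            "tls.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
            # already newline-terminated: the renderer must not add a second one
            "tls.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        }
    },
    # null entry: removes a secret configured higher up in the hierarchy
    "legacy-wildcard": None,
}

SAMPLE_CERTS = {
    "prod-wildcard-tls": {
        "spec": {
            "dnsNames": ["*.apps.example.com"],
            "issuerRef": {"name": "letsencrypt-production", "kind": "ClusterIssuer"},
        }
    },
    "staging-wildcard-tls": None,
}

REQUIRED_TLS_FIELDS = ("tls.crt", "tls.key")


def b64_str(text):
    """Base64-encode a str the way a Secret `data` field expects it."""
    return base64.b64encode(text.encode()).decode()


def validate_tls_secret(name, spec):
    """Assumed plausibility checks: tls.crt and tls.key must be present in
    stringData or data, and an explicit type must be kubernetes.io/tls."""
    present = set(spec.get("stringData") or {}) | set(spec.get("data") or {})
    missing = [f for f in REQUIRED_TLS_FIELDS if f not in present]
    if missing:
        raise ValueError(f"secret {name!r}: missing TLS field(s) {missing}")
    if spec.get("type", "kubernetes.io/tls") != "kubernetes.io/tls":
        raise ValueError(f"secret {name!r}: type must be kubernetes.io/tls")


def with_trailing_newline(text):
    """Append exactly one trailing newline if the value lacks one."""
    return text if text.endswith("\n") else text + "\n"


def render_tls_secrets(secrets, namespace):
    """Turn the `secrets` parameter into Secret manifests per the documented rules."""
    manifests = []
    for name, spec in secrets.items():
        if spec is None:  # null entries are skipped
            continue
        validate_tls_secret(name, spec)
        merged = copy.deepcopy(spec)
        # Newline-terminate every field so the authentication operator's
        # concatenation of certificate and key stays valid PEM.
        if "stringData" in merged:
            merged["stringData"] = {k: with_trailing_newline(v) for k, v in merged["stringData"].items()}
        if "data" in merged:
            merged["data"] = {
                k: b64_str(with_trailing_newline(base64.b64decode(v).decode()))
                for k, v in merged["data"].items()
            }
        secret = {
            "apiVersion": "v1",
            "kind": "Secret",
            "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
        }
        # The dictionary key wins for the name; everything else is merged in as given.
        secret["metadata"].update(merged.pop("metadata", {}))
        secret["metadata"]["name"] = name
        secret.update(merged)
        manifests.append(secret)
    return manifests


def render_certificates(certs):
    """Turn `cert_manager_certs` into cert-manager Certificate manifests."""
    manifests = []
    for name, spec in certs.items():
        if spec is None:
            continue
        cert = {
            "apiVersion": "cert-manager.io/v1",
            "kind": "Certificate",
            "metadata": {"name": name},
            "spec": {"secretName": name},  # the key doubles as the secret name
        }
        user = copy.deepcopy(spec)
        # User values are merged after the defaults, so an explicit spec.secretName wins.
        cert["spec"].update(user.pop("spec", {}))
        cert["metadata"].update(user.pop("metadata", {}))
        cert["metadata"]["name"] = name
        cert.update(user)
        manifests.append(cert)
    return manifests


if __name__ == "__main__":
    import json
    for m in render_tls_secrets(SAMPLE_SECRETS, "openshift-ingress") + render_certificates(SAMPLE_CERTS):
        print(json.dumps(m, indent=2))
```

Running the script prints one Secret (the null legacy-wildcard entry is dropped, and tls.key gains its trailing newline while tls.crt keeps its single one) and one Certificate whose metadata.name and spec.secretName are both prod-wildcard-tls, which is why the defaultCertificate reference in the example below points at the same string.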

Examples

Managing a secret for the wildcard certificate

parameters:
  openshift4_ingress:
    ingressControllers:
      prod:
        domain: apps.example.com
        defaultCertificate:
          # Use the secret configured below
          name: prod-wildcard
        namespaceSelector:
          matchLabels:
            environment: prod
    ingressControllerAnnotations:
      prod:
        # Annotation values must be strings, so quote the boolean
        ingress.operator.openshift.io/default-enable-http2: "true"
    secrets:
      prod-wildcard:
        stringData:
          tls.key: "?{vaultkv:...}" # reference to private key in Vault
          tls.crt: "?{vaultkv:...}" # reference to cert in Vault

Managing a cert-manager wildcard certificate

This requires an issuer which supports DNS01 challenges. See the Using DNS01 challenges how-to for component cert-manager to get started with DNS01 challenges.

parameters:
  openshift4_ingress:
    ingressControllers:
      prod:
        domain: apps.example.com
        defaultCertificate:
          # Use the secret for the certificate below.
          # The component uses the dictionary key `prod-wildcard-tls` both as
          # the Certificate's name and as its `spec.secretName`.
          name: prod-wildcard-tls
    cert_manager_certs:
      prod-wildcard-tls:
        spec:
          dnsNames:
            - '*.apps.example.com'
          issuerRef:
            name: letsencrypt-production
            kind: ClusterIssuer