{"id":19039921,"url":"https://github.com/cert-manager/openshift-routes","last_synced_at":"2025-04-23T21:02:11.673Z","repository":{"id":37541194,"uuid":"497975624","full_name":"cert-manager/openshift-routes","owner":"cert-manager","description":"OpenShift Route support for cert-manager","archived":false,"fork":false,"pushed_at":"2025-04-18T01:26:50.000Z","size":518,"stargazers_count":50,"open_issues_count":14,"forks_count":23,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-18T05:53:56.991Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cert-manager.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-05-30T14:23:39.000Z","updated_at":"2025-04-18T01:26:54.000Z","dependencies_parsed_at":"2023-12-26T12:09:15.152Z","dependency_job_id":"dbebe1ac-831a-42ad-9dee-94b62030b43f","html_url":"https://github.com/cert-manager/openshift-routes","commit_stats":{"total_commits":46,"total_committers":12,"mean_commits":"3.8333333333333335","dds":0.782608695652174,"last_synced_commit":"5b9f2b3acbdaf9e6256e596b8494aef2d75ebe9f"},"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Fopenshift-routes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Fopenshift-routes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Fopenshift-ro
utes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Fopenshift-routes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cert-manager","download_url":"https://codeload.github.com/cert-manager/openshift-routes/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249565240,"owners_count":21292427,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T22:19:32.151Z","updated_at":"2025-04-23T21:02:11.652Z","avatar_url":"https://github.com/cert-manager.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png\" height=\"256\" width=\"256\" alt=\"cert-manager project logo\" /\u003e\n\u003c/p\u003e\n\n# OpenShift Route Support for cert-manager\n\nThis project supports automatically getting a certificate for\nOpenShift routes from any cert-manager Issuer, similar to annotating\nan Ingress or Gateway resource in vanilla Kubernetes!\n\n## Prerequisites:\n\n1. Ensure you have [cert-manager installed](https://cert-manager.io/docs/installation/)\n   through the method of your choice. But make sure you install cert-manager and openshift-routes-deployment in the same namespace. 
By default this is the **cert-manager** namespace.\n   For example, with Helm:\n\n```sh\nhelm repo add jetstack https://charts.jetstack.io --force-update\nhelm install \\\n  cert-manager jetstack/cert-manager \\\n  --namespace cert-manager \\\n  --create-namespace \\\n  --set crds.enabled=true\n```\n\nBoth a **ClusterIssuer** and a namespaced **Issuer** can be used. This example uses a **ClusterIssuer**:\n\n2. Create the ClusterIssuer. No additional ingress class is needed for the openshift-ingress router. Replace the example.com email address with your own:\n\n```yaml\napiVersion: v1\nkind: List\nitems:\n  - apiVersion: cert-manager.io/v1\n    kind: ClusterIssuer\n    metadata:\n      annotations:\n      name: letsencrypt-prod\n    spec:\n      acme:\n        email: mymail@example.com\n        preferredChain: \"\"\n        privateKeySecretRef:\n          name: letsencrypt-prod\n        server: https://acme-v02.api.letsencrypt.org/directory\n        solvers:\n          - http01:\n              ingress: {}\n```\n\n```sh\noc apply -f clusterissuer.yaml\n```\n\n3. 
Make sure that your DNS has an A record for the load balancer IP or a CNAME record for the load balancer hostname covering the HTTP-01 subdomain.\n\n```\nCNAME:\n  Name: *.service.clustername.domain.com\n  Alias: your-lb-domain.cloud\n```\n\n## Installation\n\nThe openshift-routes component can be installed using the Helm chart:\n\n```shell\nhelm install openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes\n```\n\nor using templated static manifests:\n\n```shell\noc apply -f \u003c(helm template openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --set omitHelmLabels=true)\n```\n\nPlease review the [values.yaml](./deploy/chart/values.yaml) file for all configuration options.\n\n## Usage\n\nIf you followed the prerequisites above, use the annotations below:\n\n```yaml\n---\nmetadata:\n  annotations:\n    cert-manager.io/issuer-kind: ClusterIssuer\n    cert-manager.io/issuer-name: letsencrypt-prod\n---\nspec:\n  host: app.service.clustername.domain.com\n```\n\nAnnotate your routes:\n\n```yaml\napiVersion: route.openshift.io/v1\nkind: Route\nmetadata:\n  name: example-route\n  annotations:\n    cert-manager.io/issuer-name: my-issuer # This is the only required annotation\n    cert-manager.io/issuer-group: cert-manager.io # Optional, defaults to cert-manager.io\n    cert-manager.io/issuer-kind: Issuer # Optional, defaults to Issuer, could be ClusterIssuer or an External Issuer\n    cert-manager.io/duration: 1h # Optional, defaults to 90 days\n    cert-manager.io/renew-before: 30m # Optional, defaults to 1/3 of total certificate duration.\n    cert-manager.io/common-name: \"My Certificate\" # Optional, no default.\n    cert-manager.io/alt-names: \"mycooldomain.com,mysecondarydomain.com\" # Optional, no default\n    cert-manager.io/ip-sans: \"10.20.30.40,192.168.192.168\" # Optional, no default\n    cert-manager.io/uri-sans: \"spiffe://trustdomain/workload\" # Optional, no default\n    
cert-manager.io/private-key-algorithm: \"ECDSA\" # Optional, defaults to RSA\n    cert-manager.io/private-key-size: \"384\" # Optional, defaults to 256 for ECDSA and 2048 for RSA\n    cert-manager.io/email-sans: \"me@example.com,you@example.com\" # Optional, no default\n    cert-manager.io/subject-organizations: \"company\" # Optional, no default\n    cert-manager.io/subject-organizationalunits: \"company division\" # Optional, no default\n    cert-manager.io/subject-countries: \"My Country\" # Optional, no default\n    cert-manager.io/subject-provinces: \"My Province\" # Optional, no default\n    cert-manager.io/subject-localities: \"My City\" # Optional, no default\n    cert-manager.io/subject-postalcodes: \"123ABC\" # Optional, no default\n    cert-manager.io/subject-streetaddresses: \"1 Example St\" # Optional, no default\n    cert-manager.io/subject-serialnumber: \"123456\" # Optional, no default\nspec:\n  host: app.service.clustername.domain.com # will be added to the Subject Alternative Names of the CertificateRequest\n  port:\n    targetPort: 8080\n  to:\n    kind: Service\n    name: hello-openshift\n```\n\nObserve the `route.Spec.TLS` section of your route being populated automatically by cert-manager.\n\nThe route's TLS certificate will be rotated 2/3 of the way through the certificate's lifetime, or\n`cert-manager.io/renew-before` time before it expires.\n\nThe website can now be reached at: https://app.service.clustername.domain.com\n\n## Development\n\nThe source code for the controller can be found in the `./internal/` folder.\nAfter modifying the source code, you can execute the tests with:\n\n```sh\ngo test ./...\n```\n\n# Why is This a Separate Project?\n\nWe do not wish to support non-Kubernetes (or kubernetes-sigs) APIs in cert-manager core. This adds\na large maintenance burden, and it's hard for us to e2e test everyone's CRDs. 
However, OpenShift is\nwidely used, so it makes sense to have some support for it in the cert-manager ecosystem.\n\nIdeally we would have contributed this controller to an existing project, e.g.\nhttps://github.com/redhat-cop/cert-utils-operator. Unfortunately, cert-manager is not really designed\nto be imported as a module. It has a large number of transitive dependencies that would add an unfair\namount of maintenance to whichever project we submitted it to. In the future, we would like to split\nthe cert-manager APIs and typed clients out of the main cert-manager repo, at which point it would be\neasier for other people to consume in their projects.\n\n# Release Process\n\nThe release process is documented in [RELEASE.md](RELEASE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcert-manager%2Fopenshift-routes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcert-manager%2Fopenshift-routes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcert-manager%2Fopenshift-routes/lists"}