{"id":20155267,"url":"https://github.com/redhat-cop/cert-operator","last_synced_at":"2025-06-19T21:32:58.816Z","repository":{"id":57533228,"uuid":"141584219","full_name":"redhat-cop/cert-operator","owner":"redhat-cop","description":"An OpenShift controller using the Operator SDK for managing TLS certficate lifecycle","archived":false,"fork":false,"pushed_at":"2023-12-15T02:28:19.000Z","size":132,"stargazers_count":26,"open_issues_count":26,"forks_count":23,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-04-09T22:02:42.776Z","etag":null,"topics":["container-cop","k8s-operator","kubernetes","operator-fram","operator-sdk"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redhat-cop.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-19T13:33:47.000Z","updated_at":"2023-11-15T11:16:28.000Z","dependencies_parsed_at":"2024-06-20T06:08:17.149Z","dependency_job_id":null,"html_url":"https://github.com/redhat-cop/cert-operator","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/redhat-cop/cert-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fcert-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fcert-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fcert-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-
cop%2Fcert-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redhat-cop","download_url":"https://codeload.github.com/redhat-cop/cert-operator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fcert-operator/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260835227,"owners_count":23070251,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container-cop","k8s-operator","kubernetes","operator-fram","operator-sdk"],"created_at":"2024-11-13T23:31:09.540Z","updated_at":"2025-06-19T21:32:53.800Z","avatar_url":"https://github.com/redhat-cop.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"= An Operator for Automated Certificate Lifecycle in OpenShift\n:toc: macro\n\ntoc::[]\n\n== Prerequisites\n\n* link:https://github.com/operator-framework/operator-sdk/tree/v0.8.1[Operator SDK v0.8.1]\n* link:https://golang.github.io/dep/docs/installation.html[Dep]\n\n== Installation\n\n[source,bash]\n----\ngit clone [this repo]\ndep ensure\n----\n\n== Local Run for Development\n\n[source,bash]\n----\noc login ...\noc new-project cert-operator\nexport OPERATOR_NAME=cert-operator\noperator-sdk up local\n----\n\n== Running Test Cases\n\n[source,bash]\n----\noc login ...\noc new-project cert-operator-test\nexport OPERATOR_NAME=cert-operator\noperator-sdk test local ./test/e2e/ --namespace=cert-operator-test --up-local\n----\n\n== Deployment to OpenShift\n\n[source,bash]\n----\noc process -f build/build.yml | oc apply -f-\noc 
apply -f deploy/service_account.yaml\noc apply -f deploy/role.yaml\noc apply -f deploy/role_binding.yaml\noc apply -f deploy/deployment.yaml\n----\n\n== Configuration\n\nThe operator is configured via a combination of environment variables and a configuration file. The majority of the config can be placed in a `YAML` formatted config file. The configuration file is loaded by searching in the following locations, with those at the top taking priority:\n\n* value of `CERT_OP_CONFIG` environment variable\n* `/etc/cert-operator/config.yml`\n\n=== General Config\n\nThe cert operator uses annotations on the various resources it manages to decide what actions are required. The annotations that are used are configurable via the config file. The default values are as follows:\n\n[source,yaml]\n----\ngeneral:\n  annotations:\n    status: openshift.io/cert-ctl-status\n    status-reason: openshift.io/cert-ctl-status-reason\n    expiry: openshift.io/cert-ctl-expires\n    format: openshift.io/cert-ctl-format\n----\n\n=== Certificate Providers\n\nThe cert operator provides a pluggable architecture for supporting multiple certificate providers. 
The following is the set of current and planned providers.\n\n.Supported Providers\n* [x] NoneProvider(`none`) - A mock provider for testing which returns empty values\n* [x] SelfSignedProvider(`self-signed`) - Delivers self-signed certificates\n* [ ] LetsEncryptProvider(`lets-encrpyt`) - A free and open public CA\n* [ ] FreeIPAProvider(`ipa`) - An open source identity management system\n* [X] VenafiProvider(`venafi`) - An Enterprise PKI product\n\nConfiguring which provider is used is a matter of adding the following to your config.yml:\n\n[source,yaml]\n----\nprovider:\n  kind: \u003cname\u003e\n  ssl: \u003ctrue/false\u003e\n----\n\n=== Certificate Formats\n\nThis operator currently supports the following certificate formats.\n\n.[[supported-cert-formats]]Supported Formats\n* [x] PEM - default\n* [x] PKCS12\n\n=== Notifications\n\nThis operator currently supports sending notifications via ChatOps. The following is the set of current and planned providers.\n\n.Supported Notifiers\n* [x] Slack\n* [ ] RocketChat\n\nTo configure sending notifications, set the following environment variables:\n\n[source,bash]\n----\nNOTIFIER_TYPE=\"slack\"\n\u003cNOTIFIER\u003e_WEBHOOK_URL=\"https://example.webhook.com/bla/blah\"\n----\n\n== Testing Functionality\n\nThis operator will create certificates for routes and services. 
To test this functionality, first create a new application.\n\n[source,bash]\n----\noc new-app --template dotnet-example\n----\n\n=== Create a Certificate for a Route\n\nAnnotate the route to tell the operator it needs a cert.\n\n[source,bash]\n----\noc annotate route dotnet-example openshift.io/cert-ctl-status=new --overwrite\n----\n\nIn the logs for your operator, you'll see something like:\n\n[source,bash]\n----\n{\"level\":\"info\",\"ts\":1553713448.1514533,\"logger\":\"controller_route\",\"msg\":\"Reconciling Route\",\"Request.Namespace\":\"cert-operator\",\"Request.Name\":\"dotnet-example\"}\n{\"level\":\"info\",\"ts\":1553713448.2551682,\"logger\":\"controller_route\",\"msg\":\"Updated route with new certificate\",\"Request.Namespace\":\"cert-operator\",\"Request.Name\":\"dotnet-example\"}\n----\n\nThen, if you take a look at your `dotnet-example` route, you'll see that it has been updated with a TLS Edge policy.\n\n[source,bash]\n----\n$ oc get route dotnet-example -o yaml\napiVersion: route.openshift.io/v1\nkind: Route\nmetadata:\n  annotations:\n    openshift.io/managed.cert: \"secured\"\n...\n  name: dotnet-example\nspec:\n...\n  tls:\n    certificate: |\n      -----BEGIN CERTIFICATE-----\n      ...\n      -----END CERTIFICATE-----\n    key: |\n      -----BEGIN RSA PRIVATE KEY-----\n      ...\n      -----END RSA PRIVATE KEY-----\n    termination: edge\n    ...\n----\n\n=== Create a Certificate for a Service (SSL-to-Pod)\n\nAnnotate the service to tell the operator it needs a cert. 
The default certificate format will be PEM unless you first create an \"openshift.io/cert-ctl-format\" annotation set to one of the \u003c\u003csupported-cert-formats,Supported Certificate Formats\u003e\u003e above.\n\n[source,bash]\n----\noc annotate service dotnet-example openshift.io/cert-ctl-status=new --overwrite\n----\n\nIn the logs for your operator, you'll see something like:\n\n[source,bash]\n----\n{\"level\":\"info\",\"ts\":1553715427.6889565,\"logger\":\"controller_service\",\"msg\":\"Reconciling Service\",\"Request.Namespace\":\"cert-operator\",\"Request.Name\":\"dotnet-example\"}\n{\"level\":\"info\",\"ts\":1553715427.8858836,\"logger\":\"controller_service\",\"msg\":\"Updated service with new certificate\",\"Request.Namespace\":\"cert-operator\",\"Request.Name\":\"dotnet-example\"}\n----\n\nLook to see that a new secret has been created in your project.\n\n[source,bash]\n----\n$ oc get secret | grep dotnet-example\ndotnet-example-certificate             Opaque                                2         23m\n----\n\nYou'll also notice that the annotation on the service has changed.\n\n[source,bash]\n----\n$ oc get service dotnet-example -o jsonpath='{.metadata.annotations.openshift\\.io/cert-ctl-status}'\nsecured\n----\n\n=== Create a Certificate for a Service (SSL-to-Pod) PKCS12 format\n\nAnnotate the service to tell the operator it needs a cert. 
The default certificate format will be PEM unless you first create the format annotation \"openshift.io/cert-ctl-format\".\n\n[source,bash]\n----\noc annotate service dotnet-example openshift.io/cert-ctl-format=pkcs12 --overwrite\noc annotate service dotnet-example openshift.io/cert-ctl-status=new --overwrite\n----\n\nYou will notice two entries in the secret: \"tls.p12\" and \"tls-p12-secret.txt\".","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-cop%2Fcert-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredhat-cop%2Fcert-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-cop%2Fcert-operator/lists"}