Generating SSL Certificates
When deploying a certificate, you would normally have satisfied the following before orchestrating your cluster:
Pre-allocate public IPs for the Master and Infrastructure (Router) nodes
A domain (like mydomain.com) routed to the Master’s public IP for access to the OpenShift/OKD web console
The above information needs to be placed in your deployment configuration prior to orchestration.
Place the identity of the Master Node’s fixed IP into the value for cluster.master.fixed_ip_id. This is normally the provider’s identity of the allocated IP, not the IP itself. In the case of AWS this would be the Elastic IP identity (the value starting
Similarly place the identity of the Infrastructure/Router Node’s fixed IP into the value for
Place the domain name routed to the master (for the OpenShift console) into the value for
Place the domain name that is routed to the Infrastructure/Router into the value for
To instruct the orchestrator to automatically generate certificates set the
Finally, you need to set the TF_VAR_master_certbot_email variable in your setenv.sh file to the email address registered with Let’s Encrypt.
You should now be ready to follow the Creating a Cluster guide.
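A pre-flight check for the prerequisites above, as an added example that is not part of the original guide or the orchestrator's own code: it confirms that TF_VAR_master_certbot_email is set and that the console domain resolves only to the Master's public IP. The function names and their arguments are hypothetical, and resolve_ipv4 assumes glibc's getent is available.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before orchestration.
# Only TF_VAR_master_certbot_email comes from the guide; the function
# names and the domain/IP arguments are hypothetical.

# Resolve a name to its IPv4 addresses, one per line.
# Assumes glibc's getent; swap in another resolver if it is unavailable.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Succeeds if TF_VAR_master_certbot_email is set and shaped like an address.
check_certbot_email() {
    case "${TF_VAR_master_certbot_email:-}" in
        *" "*)    return 1 ;;   # embedded spaces are never valid here
        ?*@?*.?*) return 0 ;;   # local@domain.tld
        *)        return 1 ;;   # empty or malformed
    esac
}

# Succeeds only if the domain resolves to exactly the expected public IP.
# A name that is unresolved, or that also resolves elsewhere, fails.
domain_routes_to() {
    domain=$1 expected_ip=$2
    resolved=$(resolve_ipv4 "$domain") || return 1
    [ -n "$resolved" ] && [ "$resolved" = "$expected_ip" ]
}

# Run every check and report all failures, not just the first.
# Usage: preflight <console-domain> <master-public-ip>
preflight() {
    rc=0
    if ! check_certbot_email; then
        echo "TF_VAR_master_certbot_email is unset or malformed" >&2
        rc=1
    fi
    if ! domain_routes_to "$1" "$2"; then
        echo "$1 does not resolve solely to $2" >&2
        rc=1
    fi
    return "$rc"
}
```

Source these functions after the exports in setenv.sh and call preflight with the console domain and the Master's pre-allocated public IP; a non-zero return means a prerequisite is still missing.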
Using automatically allocated public IPs
If you are not generating a certificate then you can optionally let the orchestrator allocate public IPs for your Master and Infrastructure instances.
In this case you simply need to remove any value for the Master and
fixed_ip_id properties of your deployment configuration.
When you do not provide the Master and Infrastructure
fixed_ip_id values, the orchestrator will, where the provider
allows it, create fixed IPs on your behalf. In the case of AWS this will
be two Elastic IP allocations in the region the orchestrator is
Automatically generated public IPs will be removed when the cluster is destroyed.