The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
You can use the gen-certs-helper.sh script to generate the certificates. Run the script on the operator node and enter the options required for your environment.

The --cert-dir option sets the location where the certificates are to be saved.

The --nodes option must be set to the name of the Kubernetes service, as shown:

--nodes externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local

Use the --one-cert option to save the certificates for the two service names to a single file.

cd /etc/olcne
sudo ./gen-certs-helper.sh \
  --cert-dir /etc/olcne/configs/certificates/restrict_external_ip/production/ \
  --cert-request-organization-unit "My Company Unit" \
  --cert-request-organization "My Company" \
  --cert-request-locality "My Town" \
  --cert-request-state "My State" \
  --cert-request-country US \
  --cert-request-common-name cloud.example.com \
  --nodes externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local \
  --one-cert

You can use the same CA certificate and private key you used to generate the Kubernetes node certificates by using the --byo-ca-cert and --byo-ca-key options. For example, add the following lines to the command:

--byo-ca-cert /path/configs/certificates/production/ca.cert \
--byo-ca-key /path/configs/certificates/production/ca.key

Make sure the output directory where the certificates are located can be read by the user on the operator node that you intend to use to run the olcnectl commands to install Kubernetes. In this example the opc user is to be used on the operator node, so ownership of the directory is set to the opc user:

sudo chown -R opc:opc /etc/olcne/configs/certificates/restrict_external_ip/
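
To confirm the result before installing, the following added example (not part of the Oracle documentation or of gen-certs-helper.sh) checks that a generated certificate lists both service names given to --nodes as exact DNS subject alternative names. The function names and the certificate path in the usage comment are assumptions; pass the path of the certificate file the script wrote in your environment.

```shell
#!/bin/sh
# Added example: verify that a certificate covers every name passed to --nodes.

# The two service names from the --nodes option shown above.
NODES="externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local"

# missing_sans SAN_TEXT NAMES   (hypothetical helper name)
#   SAN_TEXT: text output of "openssl x509 -noout -text" (or just its SAN lines)
#   NAMES:    comma-separated DNS names that must be present
# Prints each required name that has no exactly matching DNS: entry and
# returns 1 if any name is missing, 0 otherwise.
missing_sans() {
    # Split "DNS:a, DNS:b" into one entry per line and strip the DNS: prefix.
    san_list=$(printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | sed 's/[[:space:]]*$//')
    rc=0
    old_ifs=$IFS
    IFS=','
    for name in $2; do
        # -x forces a whole-line match: the shorter ".svc" name must not be
        # accepted just because it is a prefix of ".svc.cluster.local".
        if ! printf '%s\n' "$san_list" | grep -Fqx -- "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# check_cert_sans CERT_FILE NAMES   (hypothetical helper name)
# Reads a PEM certificate with openssl and reports missing names.
# Returns 2 if openssl cannot read the file.
check_cert_sans() {
    cert_text=$(openssl x509 -in "$1" -noout -text) || return 2
    missing_sans "$cert_text" "$2"
}

# Usage (placeholder path, replace with the file written under --cert-dir):
#   check_cert_sans /path/to/generated.cert "$NODES" && echo "all names present"
```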