Thanks to Tomáš Nožička, my great colleague at Red Hat, it is extremely easy to secure all your OpenShift routes with Let's Encrypt certificates.

Tomáš developed openshift-acme as an ACME controller for OpenShift and Kubernetes clusters. It automatically provisions certificates using the ACME protocol and manages their lifecycle (such as automatic renewals).

To install it, simply run the following commands:

GIT_REPO=https://raw.githubusercontent.com/akram/openshift-acme
GIT_PATH=/master/deploy/letsencrypt-live/clusterwide
oc new-project letsencrypt
oc create -f$GIT_REPO/$GIT_PATH/{clusterrole,serviceaccount,imagestream,deployment}.yaml
oc adm policy add-cluster-role-to-user openshift-acme -z openshift-acme

Then, you just need to annotate your route with "kubernetes.io/tls-acme": "true" and the controller will do the job for you.

oc patch route my-route \
    -p '{"metadata":{"annotations":{  "kubernetes.io/tls-acme" : "true"   }}}'

Under the hood, the controller creates a temporary route that serves the ACME challenge path next to your own route:

my-route        mm.apps.example.com             mattermost   8065-tcp   edge/Redirect   None
my-route-acme-8d8vd   mm.apps.cloud-archi.com   /.well-known/acme-challenge/AAAAA-ABCDEFABCDEFXXXXX  my-route-acme-8d8vd        edge/Allow   None

And the controller logs:

I1003 14:36:47.790619       1 route.go:189] Updating Route from my-app/my-route UID=0067f81c-b69f-11e8-80be-fa163ef69882 RV=887884 to my-app/my-route UID=0067f81c-b69f-11e8-80be-fa163ef69882,RV=4307985
I1003 14:36:47.791844       1 route.go:385] Started syncing Route "my-app/my-route" (2018-10-03 14:36:47.791658646 +0000 UTC m=+1295.578855044)
I1003 14:36:48.344856       1 route.go:440] Created authorization "https://acme-v01.api.letsencrypt.org/acme/authz/AAAAA-ABCDEFABCDEFXXXXX" for Route my-app/my-route
I1003 14:36:48.362930       1 route.go:189] Updating Route from my-app/my-route UID=0067f81c-b69f-11e8-80be-fa163ef69882 RV=4307985 to my-app/my-route UID=0067f81c-b69f-11e8-80be-fa163ef69882,RV=4307986
I1003 14:36:48.363117       1 route.go:387] Finished syncing Route "my-app/my-route" (571.450605ms)
I1003 14:36:48.363166       1 route.go:385] Started syncing Route "my-app/my-route" (2018-10-03 14:36:48.363160244 +0000 UTC m=+1296.150356560)
I1003 14:36:48.552494       1 route.go:483] Route "my-app/my-route": authorization state is "pending"
I1003 14:36:48.552546       1 client.go:83] Found 3 possible combinations for authorization
I1003 14:36:48.552556       1 client.go:90] Found 1 valid combinations for authorization
I1003 14:36:48.584662       1 exposer.go:294] Waiting for exposing route my-app/my-route-acme-8d8vd to be admitted.
I1003 14:36:48.606559       1 exposer.go:321] Exposing route my-app/my-route-acme-8d8vd has been admitted. Ingresses: []v1.RouteIngress(nil)
I1003 14:36:48.606690       1 exposer.go:329] Waiting for route my-app/my-route-acme-8d8vd to be exposed on the router.
I1003 14:36:48.647778       1 exposer.go:375] Key for route my-app/my-route-acme-8d8vd is not yet exposed.
I1003 14:36:49.778505       1 exposer.go:375] Key for route my-app/my-route-acme-8d8vd is not yet exposed.
I1003 14:36:51.353473       1 exposer.go:375] Key for route my-app/my-route-acme-8d8vd is not yet exposed.
I1003 14:36:53.094044       1 http.go:78] url = 'mm.apps.example.com/.well-known/acme-challenge/AAAAA-ABCDEFABCDEFXXXXX'; found = 'true'
I1003 14:36:53.094478       1 exposer.go:385] Exposing Route my-app/my-route-acme-8d8vd is accessible and contains correct response.
I1003 14:36:53.709105       1 route.go:495] Re-queuing Route "my-app/my-route" due to pending authorization
I1003 14:36:53.709170       1 route.go:387] Finished syncing Route "my-app/my-route" (5.346005151s)
I1003 14:36:54.021230       1 http.go:78] url = 'mm.apps.example.com/.well-known/acme-challenge/AAAAA-ABCDEFABCDEFXXXXX'; found = 'true'
I1003 14:36:58.709457       1 route.go:385] Started syncing Route "my-app/my-route" (2018-10-03 14:36:58.709419331 +0000 UTC m=+1306.496615602)
I1003 14:36:58.913419       1 route.go:483] Route "my-app/my-route": authorization state is "valid"
I1003 14:36:58.913460       1 route.go:515] Authorization "https://acme-v01.api.letsencrypt.org/acme/authz/AAAAA-ABCDEFABCDEFXXXXX" for Route my-app/my-route successfully validated
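To check from these logs whether every annotated route actually reached a validated authorization, the log lines can be summarized per route. The script below is an added example, not part of openshift-acme or of the original post; the function names `summarize` and `stuck` are hypothetical, the message patterns are taken from the log lines shown above, and the year is passed in because the log header omits it.

```python
import re
from datetime import datetime

# Header as seen in the log above: severity+MMDD, time, PID, file:line] message
KLOG = re.compile(r'^[IWEF](\d{4}) (\d\d:\d\d:\d\d\.\d{6})\s+\d+ \S+:\d+\] (.*)$')
CREATED = re.compile(r'Created authorization "[^"]+" for Route (\S+)')
STATE = re.compile(r'Route "([^"]+)": authorization state is "([^"]+)"')
VALIDATED = re.compile(r'Authorization "[^"]+" for Route (\S+) successfully validated')

def summarize(log_text, year=2018):
    """Return {route: {"start", "states", "validated", "seconds"}} from controller logs."""
    routes = {}
    for line in log_text.splitlines():
        m = KLOG.match(line.strip())
        if not m:
            continue  # skip anything that is not a controller log line
        # The header carries no year, so the caller supplies it (assumption).
        ts = datetime.strptime(f"{year}{m.group(1)} {m.group(2)}", "%Y%m%d %H:%M:%S.%f")
        msg = m.group(3)
        if (c := CREATED.search(msg)):
            routes[c.group(1)] = {"start": ts, "states": [], "validated": False, "seconds": None}
        elif (s := STATE.search(msg)) and s.group(1) in routes:
            routes[s.group(1)]["states"].append(s.group(2))
        elif (v := VALIDATED.search(msg)) and v.group(1) in routes:
            r = routes[v.group(1)]
            r["validated"] = True
            # Time from authorization creation to successful validation
            r["seconds"] = round((ts - r["start"]).total_seconds(), 3)
    return routes

def stuck(routes):
    """Routes whose authorization was created but never validated in this log window."""
    return sorted(name for name, r in routes.items() if not r["validated"])

# Lines for my-app/my-route are copied from the log above; the my-app/other-route
# lines are constructed to show an authorization that never leaves "pending".
SAMPLE = '''
I1003 14:36:48.344856       1 route.go:440] Created authorization "https://acme-v01.api.letsencrypt.org/acme/authz/AAAAA-ABCDEFABCDEFXXXXX" for Route my-app/my-route
I1003 14:36:48.552494       1 route.go:483] Route "my-app/my-route": authorization state is "pending"
I1003 14:36:50.000000       1 route.go:440] Created authorization "https://acme.example.invalid/authz/CONSTRUCTED" for Route my-app/other-route
I1003 14:36:50.200000       1 route.go:483] Route "my-app/other-route": authorization state is "pending"
I1003 14:36:58.913419       1 route.go:483] Route "my-app/my-route": authorization state is "valid"
I1003 14:36:58.913460       1 route.go:515] Authorization "https://acme-v01.api.letsencrypt.org/acme/authz/AAAAA-ABCDEFABCDEFXXXXX" for Route my-app/my-route successfully validated
'''

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for name, r in result.items():
        print(name, r["states"], r["seconds"])
    print("not validated:", stuck(result))
```

A route that shows up in `stuck` while its log keeps repeating "is not yet exposed" points at the temporary challenge route not being served by the router.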