The default certificates used by the ingress operator are self-signed, i.e. signed by an internal CA. I thought it was a better idea to generate my own certs using cert-manager, so here is what I did:

  1. Generate a certificate:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: internal-nanibot-net-cert
      namespace: openshift-ingress
    spec:
      secretName: internal-nanibot-net-cert-secret
      duration: 2160h
      renewBefore: 360h
      isCA: false
      privateKey:
        algorithm: RSA
        encoding: PKCS1
        size: 2048
      usages:
        - server auth
        - client auth
      dnsNames:
        - "*.apps.openshift.internal.nanibot.net"
      issuerRef:
        name: nanibot-net-issuer
        kind: ClusterIssuer

  2. Patch the default ingresscontroller.operator resource to reference the secret where the TLS data is stored:

    oc patch ingresscontroller.operator default \
         --type=merge -p \
         '{"spec":{"defaultCertificate": {"name": "internal-nanibot-net-cert-secret"}}}' \
         -n openshift-ingress-operator
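
To confirm the patch took effect, the script below (an added example, not part of the original post) checks that a route hostname can be covered by the wildcard at all, then compares the certificate in the secret with the one the router presents. The secret name, namespace and wildcard come from the manifest above; route hostnames are supplied by the caller, and `openssl` is assumed to be installed next to `oc`.

```sh
# Added example, not from the original post. WILDCARD and SECRET are the
# values from the Certificate manifest; hostnames passed in are the caller's.
WILDCARD='*.apps.openshift.internal.nanibot.net'
SECRET='internal-nanibot-net-cert-secret'

# Succeeds if dNSName $1 covers hostname $2. A leading "*" stands for exactly
# one DNS label (RFC 6125), so nested names and the bare domain are rejected.
san_covers() {
  san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $san in
    '*.'*)
      suffix=${san#\*}                      # ".apps.openshift.internal..."
      label=${host%"$suffix"}               # leftmost part of the hostname
      [ "$label" != "$host" ] || return 1   # host does not end in suffix
      [ -n "$label" ] || return 1           # nothing in front of the suffix
      case $label in *.*) return 1 ;; esac  # more than one label
      return 0 ;;
    *) [ "$san" = "$host" ] ;;
  esac
}

# SHA-256 fingerprint of the leaf certificate cert-manager wrote to the secret.
secret_fingerprint() {
  oc get secret "$SECRET" -n openshift-ingress -o jsonpath='{.data.tls\.crt}' |
    base64 -d | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate the router presents for host $1.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Returns 0 if host $1 is served with the new certificate, 2 if the wildcard
# cannot cover it, 3 if the secret is unreadable, 1 on a fingerprint mismatch.
verify_host() {
  san_covers "$WILDCARD" "$1" || { echo "$1: not covered by $WILDCARD" >&2; return 2; }
  want=$(secret_fingerprint) && [ -n "$want" ] || { echo "cannot read $SECRET" >&2; return 3; }
  [ "$want" = "$(served_fingerprint "$1")" ] ||
    { echo "$1: router presents a different certificate" >&2; return 1; }
}

# Check each route hostname given as an argument (needs a logged-in oc).
for h in "$@"; do verify_host "$h" && echo "$h: ok"; done
```

A return code of 2 means the route needs its own certificate or an extra entry under `dnsNames`; a return code of 1 shortly after patching usually just means the router pods have not finished rolling out yet.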