How to use Ingress with cert-manager on OpenShift

Prerequisites

Create the ClusterIssuer (once)

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ${ISSUER_NAME}
spec:
  acme:
    email: you@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-account-key
    solvers:
    - http01:
        ingress:
          class: openshift-default

Apply (oc does not expand ${ISSUER_NAME}; replace it with the real name first):

oc apply -f clusterissuer.yaml

Apply your Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: ${NS}
  annotations:
    cert-manager.io/cluster-issuer: ${ISSUER_NAME}
    acme.cert-manager.io/http01-ingress-class: openshift-default
    route.openshift.io/termination: "edge" # default is edge
spec:
  ingressClassName: openshift-default
  tls:
    - hosts: ["${HOST}"]
      secretName: ${TLS_SECRET}
  rules:
    - host: ${HOST}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ${SVC_NAME}
                port:
                  name: https

Apply (replace the ${...} placeholders with real values first; oc does not expand them):

oc apply -f ingress.yaml
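
The manifests above carry ${NAME} placeholders that oc applies literally if they are left in the file. The helper below is an added example, not part of the original page: render_manifest is a hypothetical function that fills the placeholders from shell variables and emits nothing if a variable is unset or contains characters outside a DNS-style allow-list (an assumption that fits the names and hostname used here), so a stray value cannot inject extra YAML.

```shell
#!/bin/sh
# Added example (not from the original page).
# render_manifest FILE: print FILE with every ${NAME} placeholder replaced by
# the value of the shell variable NAME. Returns non-zero and prints nothing to
# stdout if any referenced variable is unset/empty or fails the allow-list.

render_manifest() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  rendered=$(cat "$file")
  status=0
  # The grep pattern only matches shell identifiers, which is what makes the
  # eval below safe: $name can never contain shell metacharacters.
  for name in $(grep -o '[$]{[A-Za-z_][A-Za-z0-9_]*}' "$file" | tr -d '${}' | sort -u); do
    eval "value=\${$name-}"
    case $value in
      '')
        echo "unset or empty: $name" >&2
        status=1 ;;
      *[!A-Za-z0-9.-]*)
        # Assumed allow-list: letters, digits, dot, hyphen. Anything else
        # (spaces, colons, newlines, quotes) could change the YAML structure.
        echo "rejected value for $name" >&2
        status=1 ;;
      *)
        # Safe to pass to sed: the allow-list excludes /, & and backslash.
        rendered=$(printf '%s\n' "$rendered" | sed "s/[\$]{$name}/$value/g") ;;
    esac
  done
  [ "$status" -eq 0 ] || return 1
  printf '%s\n' "$rendered"
}

# Usage (requires a logged-in oc session):
#   NS=demo ISSUER_NAME=letsencrypt HOST=app.example.com \
#   TLS_SECRET=app-tls SVC_NAME=app; render_manifest ingress.yaml | oc apply -f -
```
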

What happens

Verify

oc -n ${NS} get certificate,challenge,order
oc -n ${NS} describe ingress app-ingress

Common pitfalls