OpenShift - Create secured Route using Self Signed Certificate


If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

There are a few different ways to route requests to a pod / service.

An OpenShift route or an Ingress route will provide a URL such as http://my-route-my-project.apps.openshift.example.com which is used to route a request onto a service, which is then routed onto a pod, and then to the container in the pod, and finally to the application running in the container.

 


 

The oc expose service command can be used to create an unsecured route, whereas the oc create route command is used to create a secured route. The oc create route command can be used to create the following types of routes.

  • edge = The connection is encrypted until it reaches the OpenShift Router. The connection is decrypted (TLS Termination) by the OpenShift Router.
  • passthrough = The connection is encrypted as it moves through OpenShift. The connection is decrypted (TLS Termination) in the pod.
  • reencrypt = The connection is encrypted as it reaches the OpenShift Router. The connection is decrypted (TLS Termination) by the OpenShift Router and then reencrypted with a different public certificate. The connection is then decrypted (TLS Termination) in the pod.

 

Let's say you create a self-signed certificate using OpenSSL, so that you have a PEM file that contains the three certificates that make up the certificate chain (the root, intermediate, and server certificate).

~]$ cat my.pem
-----BEGIN CERTIFICATE-----
<encoded server certificate string here>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<encoded intermediate certificate string here>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<encoded root certificate string here>
-----END CERTIFICATE-----

 

In this example, you should only need to use the --cert and --key options since my.pem contains the certificate chain. In other words, there is no need to include the --ca-cert option.

~]$ oc create route edge my-route --service my-service --cert my.pem --key my.key
route.route.openshift.io/my-route created
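
A pre-flight check for the files passed to --cert and --key, as an added example that is not part of the original article: it confirms that the key belongs to the first certificate in the PEM bundle (the server certificate, as in the my.pem layout above) and that this certificate is not about to expire. The function names and the generated demo files are constructed for illustration, and the openssl command is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files given to
#   oc create route edge my-route --service my-service --cert my.pem --key my.key
# Function names and demo file names are hypothetical.

# SHA-256 of the public key in the FIRST certificate of a PEM bundle.
# openssl x509 reads only the first certificate, which must be the server one.
cert_pubkey_digest() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from the private key file.
key_pubkey_digest() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 when the key belongs to the first certificate in the bundle and
# that certificate stays valid for at least 24 hours; 1 on key mismatch,
# 2 on unreadable input, 3 on imminent expiry.
preflight_route_cert() {
    c=$(cert_pubkey_digest "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    k=$(key_pubkey_digest "$2") || { echo "cannot read key: $2" >&2; return 2; }
    [ "$c" = "$k" ] || { echo "key does not match first certificate in $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null ||
        { echo "certificate expires within 24 hours" >&2; return 3; }
    echo "ok: $(grep -c 'BEGIN CERTIFICATE' "$1") certificate(s), key matches the first one"
}

# Constructed sample input: two throwaway self-signed certificates and a
# bundle with the certificates in the wrong order (unrelated certificate first).
make_demo_files() {
    for n in my other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$n.example.com" \
            -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null || return 1
    done
    cat "$1/other.pem" "$1/my.pem" > "$1/wrong-order.pem"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
preflight_route_cert "$demo_dir/my.pem" "$demo_dir/my.key"
preflight_route_cert "$demo_dir/wrong-order.pem" "$demo_dir/my.key" || echo "rejected (exit $?)"
rm -rf "$demo_dir"
```

Running preflight_route_cert my.pem my.key before oc create route catches a mismatched key or a bundle that does not start with the server certificate while the files are still on the workstation.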

 

I'm not sure why, but I have to label the route to get the route exposed on the default router.

oc label route my-route route-type=default

 

The oc get routes command can then be used to list the routes. In this example, the URL to request the service is http://my-route-my-project.apps.openshift.example.com.

~]$ oc get routes
NAME       HOST/PORT                                         PATH  SERVICES    PORT      TERMINATION   WILDCARD
my-route   my-route-my-project.apps.openshift.example.com          my-service  8080-tcp  edge          None

 

Or, the --hostname option can be used to give the route a specific URL.

oc create route edge my-route --service my-service --hostname a.apps.openshift.example.com

 

The oc describe route command should show that the route is exposed on the default router.

~]$ oc describe route my-route
Name:                   my-route
Namespace:              my-project
Created:                16 minutes ago
Labels:                 app=ose-hello-openshift-rhel8
                        app.kubernetes.io/component=ose-hello-openshift-rhel8
                        app.kubernetes.io/instance=ose-hello-openshift-rhel8
                        route-type=default
Annotations:            <none>
Requested Host:         my.apps.openshift.example.com
                           exposed on router default (host router-default.apps.openshift.example.com) 16 minutes ago
Path:                   <none>
TLS Termination:        edge
Insecure Policy:        <none>
Endpoint Port:          8080

Service:        ose-hello-openshift-rhel8
Weight:         100 (100%)
Endpoints:      10.129.6.189:8080

 

If the application in the pod is a web based application, you should now be able to interact with the application using the route URL.

 

Or using curl.

~]# curl my-route-my-project.apps.openshift.example.com
Hello OpenShift!

 



