Friday, 8 May 2020

Expose Services on Openshift using Routes

OpenShift services, like the Kubernetes services they are built on, can be reached only by pods inside the same OpenShift cluster. How do you reach them from outside the cluster? With routes.

A route connects a public-facing IP address, and the DNS name that resolves to it, to the desired pods: it uses the service linked to those pods to find their endpoints.
The router service is based on HAProxy.



Creating a route.

As with every OpenShift resource, routes can be created:

  • by defining the configuration in a YAML file
  • by using the oc CLI

In this example we'll use the oc CLI.

Let's assume you already have an app named example-app deployed on OCP, in project myproject, and that the service exposing it is named example-app-service.


Create the route with oc:


oc expose service example-app-service \
 --name example-app-route \
 --hostname=example-app.mycompany.com


Once the route has been created, you can reach your application at:



http://example-app.mycompany.com



In general, if you don't pass the --hostname argument, the resulting DNS name has this form:

<route-name>-<project>.<default-domain>

So in this case, if the default domain is example.com:

example-app-route-myproject.example.com

The default domain is the one chosen when OpenShift was installed.



Enabling TLS.

A route can be secured with three types of TLS termination:
  • Edge: the classic case. TLS terminates at the router, so the router serves the certificate, which must be configured when the route is created. Connections from the router to the pods, over the internal network, are not encrypted.
  • Passthrough: TLS is passed through unterminated to the destination pod, which serves its own certificate, so you don't add one to the route.
  • Re-encryption: the router terminates TLS with one certificate, then re-encrypts the connection to the destination pod, which generally uses a different certificate.

Let's secure our example-app, using self-signed certificates.

Create the private key (note that openssl genrsa takes the key size as its last argument):


openssl genrsa -out example-app.key 4096


Create certificate signing request (CSR) using the private key:


openssl req -new \
 -key example-app.key \
 -out example-app.csr \
 -subj "/C=EU/ST=IT/L=Rome/O=MyCompany/OU=IT/CN=example-app.mycompany.com"


Generate the certificate:


openssl x509 -req -days 365 -in example-app.csr \
 -signkey example-app.key -out example-app.crt


Create an edge route, adding the private key and the certificate:


oc create route edge \
 --service=example-app-service \
 --name example-app-route \
 --hostname=example-app.mycompany.com \
 --key=example-app.key \
 --cert=example-app.crt
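The command above fails, or worse produces a route that browsers reject, when the key and certificate handed to oc do not belong together or the certificate was not issued for the route hostname. The following script is an added example, not code from the original post: it repeats the key, CSR and self-signed certificate steps in shell functions and adds the two checks a practitioner would run before creating an edge route. It assumes openssl is installed; the file names, the mycompany.com hostname and the service and route names are the ones used in this post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate a self-signed key pair
# for a route hostname and check that key, cert and hostname agree before
# running `oc create route edge`. Assumes openssl is on PATH.

# Generate key, CSR and self-signed cert for HOST under DIR (same steps as the post).
make_self_signed() {
  local host="$1" dir="$2"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=EU/ST=IT/L=Rome/O=MyCompany/OU=IT/CN=$host" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/$host.csr" \
    -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# Succeed only if the public key embedded in CERT is the one derived from KEY.
# Compares SHA-256 digests of the DER-encoded public keys, so it works for any key type.
key_matches_cert() {
  local key="$1" cert="$2" k c
  [ -r "$key" ] && [ -r "$cert" ] || return 1
  openssl pkey -in "$key" -noout 2>/dev/null || return 1   # key must parse
  openssl x509 -in "$cert" -noout 2>/dev/null || return 1  # cert must parse
  k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the certificate's subject CN equals the route hostname.
cert_cn_matches() {
  local cert="$1" host="$2" cn
  [ -r "$cert" ] || return 1
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Run both checks; print the oc command to execute only if they pass.
preflight_edge_route() {
  local host="$1" key="$2" cert="$3" svc="$4" route="$5"
  key_matches_cert "$key" "$cert" || { echo "key $key does not match $cert" >&2; return 1; }
  cert_cn_matches "$cert" "$host" || { echo "$cert was not issued for $host" >&2; return 1; }
  printf 'oc create route edge --service=%s --name %s --hostname=%s --key=%s --cert=%s\n' \
    "$svc" "$route" "$host" "$key" "$cert"
}

# Demo, run only when invoked with --demo so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_self_signed example-app.mycompany.com "$tmp"
  preflight_edge_route example-app.mycompany.com \
    "$tmp/example-app.mycompany.com.key" "$tmp/example-app.mycompany.com.crt" \
    example-app-service example-app-route
  rm -rf "$tmp"
fi
```

Run it with --demo to see the oc command it would emit; a mismatched key (as with the wrong --cert file name) makes the preflight fail before anything reaches the cluster. One caveat the CN check cannot catch: the CSR in this post carries the hostname only in the subject CN, and current browsers require it in a subjectAltName extension as well, so for anything beyond a lab you would add -addext "subjectAltName=DNS:example-app.mycompany.com" to the openssl req command (OpenSSL 1.1.1 or later) or use a CA-issued certificate.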


Check that the route has been created:


oc get routes
oc get route/example-app-route -o yaml

If everything is OK, you should now reach your application at:


https://example-app.mycompany.com
