This blog post is about an example usage of the awesome tutorial made by Masa Abushamleh at IBM Developer called Secure routes for your microservices on Red Hat OpenShift. I applied the content, with some small modifications, to my existing example application. It’s the same application I used in the blog post Using the internal OpenShift container registry to deploy an application.
Let us begin with a recap of route/router definitions:
“An OpenShift route is a way to expose a service by giving it an externally-reachable hostname like http://www.example.com . A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity that allows external clients to reach your applications.” Source Red Hat OpenShift documentation
“An edge router is a specialized router located at a network boundary that enables an internal network to connect to external networks. They are primarily used at two demarcation points: the wide area network (WAN) and the internet.” Source What is an edge router? written by Ben Lutkevich, Technical Writer
I reused the existing tls secret and the given domain of the ingress configuration for the running Red Hat OpenShift cluster on IBM Cloud to create that secured route.
The next few steps are included in the bash script implementation to create a custom secured route. Apart from the route creation, all other steps automated in this bash script are the same as in my related blog post Using the internal OpenShift container registry to deploy an application; see that post for details and dependencies. That means you can follow the application installation instructions in that blog post; you only need to ensure you are on the branch “vend-sec-rout”.
This is the branch (“vend-sec-rout”) of my GitHub repository that contains the following extracted automation, and here is the direct link to this bash script, where you can find it in the createSecureRoute function, in case you want to check it out yourself ;-).
Step 1: Get the ingress domain of the cluster
echo "-> get ingress domain of the cluster"
# Quote the JSONPath expression so the shell never interprets the braces
OS_DOMAIN=$(oc get ingresses.config/cluster -o jsonpath='{.spec.domain}')
echo "-> domain: $OS_DOMAIN"
Step 2: Get the ingress secret of the cluster
echo "-> get ingress secret of the cluster"
# OS_CLUSTERNAME is not set in this excerpt; it must already be defined
export INGRESS_SECRET=$(oc get secrets -n openshift-ingress | grep "$OS_CLUSTERNAME" | awk '{print $1;}')
echo "-> secret: $INGRESS_SECRET"
Step 3: Save the ingress secret key and the certificate in temporary files
echo "-> export secret"
# Writes tls.crt and tls.key (the private key) to ../secrets
oc extract "secret/$INGRESS_SECRET" --to=../secrets -n openshift-ingress
Step 4: Create a custom hostname with the existing domain and your custom name
echo "-> create hostname"
NAME=vend-sec
export OS_HOSTNAME=$NAME.$OS_DOMAIN
Step 5: Now create an edge route
I’m not using a YAML file for this automation. I’m using the OpenShift CLI to create the route with the following parameters.
- Service: vend-service
  My service name.
- Key: ../secrets/tls.key
  The tls.key file I extracted in step 3.
- Cert: ../secrets/tls.crt
  The tls.crt file I extracted in step 3.
- Hostname: $OS_HOSTNAME
  The hostname I created in step 4.
- Port: 3000
  My Node.js application listens on port 3000.
Then I delete the secret files that are no longer needed.
echo "-> create route"
oc create route edge vend-sec-route \
  --service vend-service \
  --key ../secrets/tls.key \
  --cert ../secrets/tls.crt \
  --hostname="$OS_HOSTNAME" \
  --port=3000
# Remove the extracted private key and certificate from disk
rm -f ../secrets/tls.crt
rm -f ../secrets/tls.key
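A hardened variant of steps 3 to 5, added here as an example and not taken from the original script: it extracts the key and certificate into a private temporary directory instead of ../secrets and removes that directory on exit, whether or not route creation succeeds. The function name create_secure_route and its two arguments are assumptions; the oc commands are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original script): steps 3-5 with the private key
# kept in a private temporary directory that is removed on every exit path.
# The function name and its two arguments are assumptions of this example.

# Usage: create_secure_route "$INGRESS_SECRET" "$OS_HOSTNAME"
# The body is a subshell "( ... )" so umask and trap do not leak to the caller.
create_secure_route() (
  secret=$1
  hostname=$2

  umask 077                        # files created from here on: owner access only
  workdir=$(mktemp -d) || exit 1   # fresh directory with an unpredictable name
  trap 'rm -rf "$workdir"' EXIT    # cleanup on success and on failure

  echo "-> export secret"
  oc extract "secret/$secret" --to="$workdir" -n openshift-ingress || exit 1

  # Stop before creating the route if the secret lacks the expected entries.
  if [ ! -s "$workdir/tls.key" ] || [ ! -s "$workdir/tls.crt" ]; then
    echo "secret/$secret did not contain tls.key and tls.crt" >&2
    exit 1
  fi

  echo "-> create route"
  oc create route edge vend-sec-route \
    --service vend-service \
    --key "$workdir/tls.key" \
    --cert "$workdir/tls.crt" \
    --hostname="$hostname" \
    --port=3000
)
```

The function returns the exit status of the route creation, so a calling script can stop on failure without leaving the key behind.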
Summary
As a first step for an example implementation of an example application, it’s awesome just to reuse the existing TLS secret and the given domain of the ingress configuration for the running Red Hat OpenShift cluster on IBM Cloud to create a customized route for a running application on the cluster.
I hope this was useful for you and let’s see what’s next?
Greetings,
Thomas
#ibmcloud, #container, #roks, #route, #openshift, #ingress, #edge