Using SSL in your application

In this exercise you will set up your application to encrypt traffic with the OpenShift Wildcard certificate.

Step 1: Switch to an existing project

For this exercise, we will use an application that we created before. We will be using the binarydeploy-UserName that you created in the previous labs. Make sure you are switched to that project by using the oc project command. Remember to substitute UserName.

$ oc project binarydeploy-UserName

Step 2: View the routing config

To view the routing config, use the oc get route command:

$ oc get route/myapp -o yaml

apiVersion: v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: 2018-04-09T15:40:04Z
  labels:
    app: myapp
  name: myapp
  namespace: jimgarrett
  resourceVersion: "127925718"
  selfLink: /oapi/v1/namespaces/jimgarrett/routes/myapp
  uid: 45bc5aec-3c0c-11e8-888a-02722ccca8d2
spec:
  host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com
  port:
    targetPort: 8080-tcp
  to:
    kind: Service
    name: myapp
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2018-04-09T15:40:04Z
      status: "True"
      type: Admitted
    host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com
    routerName: router
    wildcardPolicy: None

Note here that the host: is set to the FQDN that your application is running on.

Currently the routing component of OpenShift 3 supports ports 80 and 443. When you first create your route, the mapping of 80 to your pod is done automatically. There are a few things that need to be done in order to get the 443 mapping to work.

Step 3: TLS Edge Termination

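OpenShift has a wildcard SSL certificate that it can use for any application. We can use this SSL certificate to serve SSL from our application without having to generate a cert of our own. Terminating SSL at the router in this way is sometimes called SSL-offloading. With edge termination the router decrypts the traffic, so the hop from the router to your pod is not encrypted.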

Edit your routing configuration:

$ oc edit route/myapp

You are going to add tls: with termination: edge right below the host: line in the spec: section. It should look something like this:

apiVersion: v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: 2018-04-09T15:40:04Z
  labels:
    app: myapp
  name: myapp
  namespace: jimgarrett
  resourceVersion: "127925718"
  selfLink: /oapi/v1/namespaces/jimgarrett/routes/myapp
  uid: 45bc5aec-3c0c-11e8-888a-02722ccca8d2
spec:
  host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com
  tls:
    termination: edge
  port:
    targetPort: 8080-tcp
  to:
    kind: Service
    name: myapp
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2018-04-09T15:40:04Z
      status: "True"
      type: Admitted
    host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com
    routerName: router
    wildcardPolicy: None

Step 4: Verify

The Route for the application should now reflect the SSL connection (i.e. https versus http in the link).

Please click on the new Route and verify the new Route works as expected.
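To check the result from the command line as well, the following added example (not part of the original lab) audits the JSON that `oc get routes -o json` prints and reports routes that have no tls block, that still accept plain HTTP, or that use edge termination. The sample routes and their hostnames are constructed for illustration; "legacy" and "mixed" are hypothetical.

```python
import json
import sys

# Constructed sample in the shape of `oc get routes -o json`. "myapp" mirrors
# the lab route after Step 3; "legacy" and "mixed" are hypothetical routes.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "myapp"},
  "spec": {"host": "myapp-user.apps.example.com",
           "tls": {"termination": "edge"}}},
 {"metadata": {"name": "legacy"},
  "spec": {"host": "legacy-user.apps.example.com"}},
 {"metadata": {"name": "mixed"},
  "spec": {"host": "mixed-user.apps.example.com",
           "tls": {"termination": "edge",
                   "insecureEdgeTerminationPolicy": "Allow"}}}
]}
""")


def audit_route(route):
    """Return (severity, message) findings for one Route object."""
    tls = route.get("spec", {}).get("tls")
    if not tls:
        return [("high", "no tls block: route is served over plain HTTP only")]
    findings = []
    # Unset or "None" disables port 80 for the route; "Redirect" sends it to
    # HTTPS; "Allow" keeps serving the same content in clear text.
    if tls.get("insecureEdgeTerminationPolicy") == "Allow":
        findings.append(("medium", "HTTP is still accepted alongside HTTPS"))
    if tls.get("termination") == "edge":
        findings.append(("info", "TLS ends at the router; router-to-pod traffic is unencrypted"))
    return findings


def audit(route_list):
    """Map route name -> findings for an `oc get routes -o json` document."""
    return {r["metadata"]["name"]: audit_route(r)
            for r in route_list.get("items", [])}


if __name__ == "__main__":
    # With a file argument, audit saved `oc get routes -o json` output.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, findings in audit(data).items():
        for severity, message in findings:
            print(f"{severity:6} {name}: {message}")
```

Save the output of `oc get routes -o json` to a file and pass its path as the first argument to audit your own project instead of the sample.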

Congratulations!! In this exercise you have learned about serving SSL from your application.

Let’s clean up the project.

$ oc delete project binarydeploy-UserName