In this exercise you will set up your application to encrypt traffic with the OpenShift Wildcard certificate.
Step 1: Switch to an existing project
For this exercise, we will use an application that we created before. We will be using the binarydeploy-UserName that you created in the previous labs. Make sure you are switched to that project by using the oc project command. Remember to substitute UserName.
$ oc project binarydeploy-UserName
Step 2: View the routing config
To view the routing config you will need to use the oc get route
command
$ oc get route/myapp -o yaml apiVersion: v1 kind: Route metadata: annotations: openshift.io/host.generated: "true" creationTimestamp: 2018-04-09T15:40:04Z labels: app: myapp name: myapp namespace: jimgarrett resourceVersion: "127925718" selfLink: /oapi/v1/namespaces/jimgarrett/routes/myapp uid: 45bc5aec-3c0c-11e8-888a-02722ccca8d2 spec: host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com port: targetPort: 8080-tcp to: kind: Service name: myapp weight: 100 wildcardPolicy: None status: ingress: - conditions: - lastTransitionTime: 2018-04-09T15:40:04Z status: "True" type: Admitted host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com routerName: router wildcardPolicy: None
Note here that the host:
is set to the FQDN that your application is
running on.
Currently the routing component of OpenShift 3 supports ports 80
and
443
. When you first create your route, the mapping of 80
to your pod
is done automatically. There are a few things that need to be done in
order to get the 443
mapping to work.
Step 3: TLS Edge Termination
OpenShift has a wildcard SSL certificate that it can use for any application. We can use this SSL certificate to serve SSL from our application without having to generate a cert of our own (which is sometimes called SSL-offloading).
Edit your routing configuration:
oc edit route/myapp
You are going to add tls: termination: edge
right below the host:
section. It should look something like this.
apiVersion: v1 kind: Route metadata: annotations: openshift.io/host.generated: "true" creationTimestamp: 2018-04-09T15:40:04Z labels: app: myapp name: myapp namespace: jimgarrett resourceVersion: "127925718" selfLink: /oapi/v1/namespaces/jimgarrett/routes/myapp uid: 45bc5aec-3c0c-11e8-888a-02722ccca8d2 spec: host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com tls: termination: edge port: targetPort: 8080-tcp to: kind: Service name: myapp weight: 100 wildcardPolicy: None status: ingress: - conditions: - lastTransitionTime: 2018-04-09T15:40:04Z status: "True" type: Admitted host: myapp-jimgarrett.apps.rhpds.openshift.opentlc.com routerName: router wildcardPolicy: None
Step 4: Verify
The Route for the application should now reflect the SSL connection (i.e. https verses http in the link).
Please click on the new Route and verify the new Route works as expected.
Congratulations!! In this exercise you have learned about service SSL from your application
Let’s clean up the project.
oc delete project binarydeploy-UserName