Configure OKD OpenShift 4 ingress
In this post I will show you how to create multiple ingress routes on an on-premise OpenShift 4 cluster.
Parts of the Openshift 4 series
- Part1a: Install OpenShift 4
- Part1b: Install OpenShift 4 with Calico
- Part1c: Install OpenShift 4 with Cilium
- Part2: Configure OKD OpenShift 4 ingress
- Part3: Configure OKD OpenShift 4 authentication
- Part4: Configure OKD OpenShift 4 Ceph Persistent Storage
- Part5: Configure OKD OpenShift 4 registry for bare metal
- Part6a: Install Cluster Logging Operator on OpenShift 4
- Part6b: OpenShift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
- Part7: Understand OKD OpenShift 4 BuildConfig configurations
- Part8: Install Red Hat OpenShift Pipelines (Tekton) on OKD 4
What is the Ingress Operator
The Ingress Operator is an OpenShift component that enables external access to cluster services by configuring Ingress Controllers, which route traffic as specified by OpenShift Route and Kubernetes Ingress resources.
To provide this functionality, the Ingress Operator deploys and manages an OpenShift router, an HAProxy-based Kubernetes ingress controller.
Add default certificate for Ingress Operator
Create the secret containing the certificate:
cat tls.crt | base64
LS0tLS1CRUdJTiBDRVJUSUZ...
cat tls.key | base64
LS0tLS1CRUdJTiBQUklWQVR...
Always use the full certificate chain (leaf plus intermediates) in this ingress secret.
nano cert.yaml
---
kind: Secret
apiVersion: v1
metadata:
  name: default-tls-cert
  namespace: openshift-ingress
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZ...
  tls.key: LS0tLS1CRUdJTiBQUklWQVR...
type: Opaque
---
kind: Secret
apiVersion: v1
metadata:
  name: default-tls-cert
  namespace: openshift-config
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZ...
  tls.key: LS0tLS1CRUdJTiBQUklWQVR...
type: Opaque
Create multiple ingress routes
For the example I will create a private and a public route for the cluster.
nano default.yaml
---
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    name: default-tls-cert
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/ingress-internal: ''
  replicas: 2
nano public.yaml
---
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: public
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    name: default-tls-cert
  domain: external.okd.mydomain.intra
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/ingress-public: ''
  replicas: 2
  routeSelector:
    matchLabels:
      router: public
oc label nodes okd4-worker-1 node-role.kubernetes.io/ingress-internal=""
oc label nodes okd4-worker-2 node-role.kubernetes.io/ingress-internal=""
oc label nodes okd4-worker-3 node-role.kubernetes.io/ingress-public=""
oc label nodes okd4-worker-4 node-role.kubernetes.io/ingress-public=""
oc apply -f cert.yaml
oc apply -f ingress/
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "default-tls-cert"}}}' -n openshift-ingress-operator
oc patch consoles.operator.openshift.io cluster --type=merge -p '{"spec":{"route":{"secret":{"name": "default-tls-cert"}}}}' -n openshift-config
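To see which controller actually admits a given Route under this sharding setup, here is a small added example (my own code, not from the post or from the OpenShift operator) that replays Kubernetes label-selector semantics against the two controllers above. It also shows a hypothetical stricter routeSelector for the default controller that keeps `router: public` routes off the internal shard, because a controller with no routeSelector admits every route.

```python
# Added example: which IngressController(s) admit a Route, given the routeSelector
# of each controller. Mirrors Kubernetes LabelSelector semantics (matchLabels and
# matchExpressions are AND-ed; a missing selector matches all routes).
from typing import Dict, List, Optional

# Constructed from the post's default.yaml and public.yaml (only the relevant field).
CONTROLLERS = {
    "default": {"routeSelector": None},                              # no selector
    "public": {"routeSelector": {"matchLabels": {"router": "public"}}},
}

# Hypothetical hardened variant: the internal shard refuses routes labelled public.
# Equivalent YAML under spec: of the default controller:
#   routeSelector:
#     matchExpressions:
#     - {key: router, operator: NotIn, values: [public]}
DEFAULT_EXCLUDING_PUBLIC = {
    "default": {"routeSelector": {"matchExpressions": [
        {"key": "router", "operator": "NotIn", "values": ["public"]}]}},
    "public": CONTROLLERS["public"],
}

def selector_matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """Return True if the label selector admits an object with these labels."""
    if selector is None:
        return True
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def admitting_controllers(route_labels: Dict[str, str],
                          controllers: dict = CONTROLLERS) -> List[str]:
    """Names of the controllers that would admit a Route carrying route_labels."""
    return sorted(name for name, ctl in controllers.items()
                  if selector_matches(ctl["routeSelector"], route_labels))
```

With the post's configuration a route labelled `router: public` is served by both shards, and an unlabelled route is never exposed on the public one; the NotIn variant makes the split exclusive.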
Enable HTTP/2
oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2=true
Add an OKD 3.11-style console URL
I used OKD 3.11 and there the console URL was master.okd.mydomain.intra, so I decided to create the same route for OKD 4:
nano master-okf-mydomain-intra.yaml
---
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: master-okd-mydomain-intra
  namespace: openshift-console
  labels:
    app: console
spec:
  host: master.okd.mydomain.intra
  to:
    kind: Service
    name: console
    weight: 100
  port:
    targetPort: https
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None