Configure OKD OpenShift 4 ingress

In this post I will show you how to create multiple ingress routes on an on-premise OpenShift 4 cluster.

What is the Ingress Operator

Ingress Operator is an OpenShift component which enables external access to cluster services by configuring Ingress Controllers, which route traffic as specified by OpenShift Route and Kubernetes Ingress resources.

To provide this functionality, Ingress Operator deploys and manages an OpenShift router — a HAProxy-based Kubernetes ingress controller.

Add default certificate for Ingress Operator

Create the secret containing the certificate:

base64 -w0 tls.crt
LS0tLS1CRUdJTiBDRVJUSUZ...
base64 -w0 tls.key
LS0tLS1CRUdJTiBQUklWQVR...
nano cert.yaml
---
kind: Secret
apiVersion: v1
metadata:
  name: default-tls-cert
  namespace: openshift-ingress
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZ...
  tls.key: LS0tLS1CRUdJTiBQUklWQVR...
type: Opaque

Create multiple ingress routes

For the example I will create a private and a public route for the cluster.

nano default.yaml
---
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    name: default-tls-cert
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/ingress-internal: ''
  replicas: 2
nano public.yaml
---
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: public
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    name: default-tls-cert
  domain: external.okd.mydomain.intra
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/ingress-public: ''
  replicas: 2
  routeSelector:
    matchLabels:
      router: public
oc label nodes okd4-worker-1 node-role.kubernetes.io/ingress-internal=""
oc label nodes okd4-worker-2 node-role.kubernetes.io/ingress-internal=""
oc label nodes okd4-worker-3 node-role.kubernetes.io/ingress-public=""
oc label nodes okd4-worker-4 node-role.kubernetes.io/ingress-public=""

oc apply -f cert.yaml
oc apply -f ingress/
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "default-tls-cert"}}}' -n openshift-ingress-operator

Enable HTTP/2

oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2=true

Add an OKD 3.11-style console URL

I used OKD 3.11, and there the console URL was master.okd.mydomain.intra, so I decided to create the same route for OKD 4:

nano master-okd-mydomain-intra.yaml
---
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: master-okd-mydomain-intra
  namespace: openshift-console
  labels:
    app: console
spec:
  host: master.okd.mydomain.intra
  to:
    kind: Service
    name: console
    weight: 100
  port:
    targetPort: https
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
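
The `routeSelector` on the `public` IngressController decides which Routes it serves, while the `default` controller has no selector and therefore admits every Route. The following added example (not part of the original post) computes that mapping from constructed sample objects shaped like the items of `oc get ingresscontroller -o json` and `oc get routes -A -o json`. The `demo/shop` route is hypothetical, and only `matchLabels` on `routeSelector` is evaluated (no `namespaceSelector` or `matchExpressions`).

```python
import json

# Constructed sample input, trimmed to the fields this check uses.
INGRESS_CONTROLLERS = json.loads("""[
  {"metadata": {"name": "default"}, "spec": {}},
  {"metadata": {"name": "public"},
   "spec": {"routeSelector": {"matchLabels": {"router": "public"}}}}
]""")

ROUTES = json.loads("""[
  {"metadata": {"name": "master-okd-mydomain-intra",
                "namespace": "openshift-console",
                "labels": {"app": "console"}},
   "spec": {"host": "master.okd.mydomain.intra"}},
  {"metadata": {"name": "shop", "namespace": "demo",
                "labels": {"app": "shop", "router": "public"}},
   "spec": {"host": "shop.external.okd.mydomain.intra"}}
]""")


def selector_matches(selector, labels):
    """matchLabels semantics: every pair must be present; an empty selector matches all."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(key) == value for key, value in wanted.items())


def admitting_controllers(route, controllers):
    """Names of the IngressControllers whose routeSelector admits this route."""
    labels = route["metadata"].get("labels") or {}
    return [c["metadata"]["name"] for c in controllers
            if selector_matches(c["spec"].get("routeSelector"), labels)]


def exposure_report(routes, controllers):
    """Map 'namespace/name' of each route to the controllers that serve it."""
    return {f'{r["metadata"]["namespace"]}/{r["metadata"]["name"]}':
            admitting_controllers(r, controllers) for r in routes}


def exposed_on(report, controller):
    """Routes reachable through one controller, e.g. the public one."""
    return sorted(route for route, names in report.items() if controller in names)


if __name__ == "__main__":
    for route, names in exposure_report(ROUTES, INGRESS_CONTROLLERS).items():
        print(f"{route}: {', '.join(names) or 'no controller'}")
```

The console route stays off the `public` router because it lacks the `router: public` label, while a labelled route is served by both routers unless the `default` controller is also given a selector.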