[artemiscloud#557] Fix secure ingress on openshift

brusdev · Feb 19, 2024 · ec63e22 · ec63e22
1 parent 6e33b73
commit ec63e22
Show file tree

Hide file tree

Showing 6 changed files with 214 additions and 24 deletions.
diff --git a/controllers/activemqartemis_controller_test.go b/controllers/activemqartemis_controller_test.go
@@ -82,6 +82,7 @@ import (
 var _ = Describe("artemis controller", func() {
 
 	brokerPropertiesMatchString := "broker.properties"
+	defaultTestIngressDomain := "tests.artemiscloud.io"
 	ingressHostDomainSubString := "apps.artemiscloud.io"
 
 	// see what has changed from the controllers perspective, what we watch
@@ -1848,7 +1849,7 @@ var _ = Describe("artemis controller", func() {
 
 				crd.Spec.Console.Expose = true
 				crd.Spec.Console.SSLEnabled = true
-				crd.Spec.IngressDomain = "tests.artemiscloud.io"
+				crd.Spec.IngressDomain = defaultTestIngressDomain
 
 				isOpenshift, err := common.DetectOpenshift()
 				Expect(err).To(BeNil())
@@ -2028,7 +2029,7 @@ var _ = Describe("artemis controller", func() {
 					IngressHost: specIngressHost,
 				}
 
-				crd.Spec.IngressDomain = "tests.artemiscloud.io"
+				crd.Spec.IngressDomain = defaultTestIngressDomain
 
 				By("deploying broker" + crd.Name)
 				Expect(k8sClient.Create(ctx, &crd)).Should(Succeed())
@@ -2299,9 +2300,11 @@ var _ = Describe("artemis controller", func() {
 	})
 
 	Context("Expose mode test", func() {
-		It("expose console with ingress mode", Label("console", "ingress"), func() {
+		It("expose with ingress mode", Label("console", "acceptor", "connector", "ingress"), func() {
 			By("Deploying a broker with console")
 			brokerCr, createdBrokerCr := DeployCustomBroker(defaultNamespace, func(candidate *brokerv1beta1.ActiveMQArtemis) {
+				candidate.Spec.IngressDomain = defaultTestIngressDomain
+
 				candidate.Spec.Console.Expose = true
 				candidate.Spec.Console.ExposeMode = &brokerv1beta1.ExposeModes.Ingress
 
@@ -2334,7 +2337,7 @@ var _ = Describe("artemis controller", func() {
 				g.Expect(k8sClient.Get(ctx, ingKey, &ingress)).To(Succeed())
 
 				g.Expect(len(ingress.Spec.Rules)).To(Equal(1))
-				g.Expect(ingress.Spec.Rules[0].Host).To(ContainSubstring(ingressHostDomainSubString))
+				g.Expect(ingress.Spec.Rules[0].Host).To(ContainSubstring(defaultTestIngressDomain))
 				g.Expect(len(ingress.Spec.Rules[0].HTTP.Paths)).To(BeEquivalentTo(1))
 				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Name).To(BeEquivalentTo(brokerCr.Name + "-wconsj-0-svc"))
 				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Port.Name).To(BeEquivalentTo("wconsj-0"))
@@ -2343,6 +2346,21 @@ var _ = Describe("artemis controller", func() {
 
 			}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
 
+			if isOpenshift || isIngressSSLPassthroughEnabled {
+				host := ingress.Name + "." + brokerCr.Spec.IngressDomain
+
+				By("check console is reachable")
+				httpClient := http.Client{Timeout: timeout, Transport: &http.Transport{
+					DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+						return (&net.Dialer{}).DialContext(ctx, network, clusterIngressHost+":80")
+					}}}
+				Eventually(func(g Gomega) {
+					res, err := httpClient.Get("http://" + host + "/console")
+					g.Expect(err).NotTo(HaveOccurred())
+					g.Expect(res.StatusCode).Should(Equal(200))
+				}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
+			}
+
 			By("check ingress is created for acceptor")
 			ingKey = types.NamespacedName{
 				Name:      brokerCr.Name + "-acceptor-0-svc-ing",
@@ -2352,7 +2370,7 @@ var _ = Describe("artemis controller", func() {
 				g.Expect(k8sClient.Get(ctx, ingKey, &ingress)).To(Succeed())
 
 				g.Expect(len(ingress.Spec.Rules)).To(Equal(1))
-				g.Expect(ingress.Spec.Rules[0].Host).To(Equal(brokerCr.Name + "-acceptor-0-svc-ing." + ingressHostDomainSubString))
+				g.Expect(ingress.Spec.Rules[0].Host).To(Equal(brokerCr.Name + "-acceptor-0-svc-ing." + defaultTestIngressDomain))
 				g.Expect(len(ingress.Spec.Rules[0].HTTP.Paths)).To(BeEquivalentTo(1))
 				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Name).To(Equal(brokerCr.Name + "-acceptor-0-svc"))
 				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Port.Name).To(Equal("acceptor-0"))
@@ -2370,7 +2388,7 @@ var _ = Describe("artemis controller", func() {
 				g.Expect(k8sClient.Get(ctx, ingKey, &ingress)).To(Succeed())
 
 				g.Expect(len(ingress.Spec.Rules)).To(Equal(1))
-				g.Expect(ingress.Spec.Rules[0].Host).To(Equal(brokerCr.Name + "-connector-0-svc-ing." + ingressHostDomainSubString))
+				g.Expect(ingress.Spec.Rules[0].Host).To(Equal(brokerCr.Name + "-connector-0-svc-ing." + defaultTestIngressDomain))
 				g.Expect(len(ingress.Spec.Rules[0].HTTP.Paths)).To(BeEquivalentTo(1))
 				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Name).To(Equal(brokerCr.Name + "-connector-0-svc"))
 				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Port.Name).To(Equal("connector-0"))
@@ -2382,7 +2400,164 @@ var _ = Describe("artemis controller", func() {
 			CleanResource(createdBrokerCr, createdBrokerCr.Name, defaultNamespace)
 		})
 
-		It("expose console with route mode", Label("console", "ingress"), func() {
+		It("expose with secure ingress mode", Label("console", "acceptor", "conector", "ingress", "ssl"), func() {
+			var sslSecret *corev1.Secret
+
+			By("Deploying a broker with SSL secret")
+			brokerCr, createdBrokerCr := DeployCustomBroker(defaultNamespace, func(candidate *brokerv1beta1.ActiveMQArtemis) {
+
+				By("deploying ssl secret")
+				var sslSecretErr error
+				sslSecretName := candidate.Name + "-ssl-secret"
+				sslSecret, sslSecretErr = CreateTlsSecret(sslSecretName, defaultNamespace, defaultPassword, defaultSanDnsNames)
+				Expect(sslSecretErr).To(BeNil())
+				Expect(k8sClient.Create(ctx, sslSecret)).Should(Succeed())
+
+				candidate.Spec.IngressDomain = defaultTestIngressDomain
+				candidate.Spec.Console.Expose = true
+				candidate.Spec.Console.ExposeMode = &brokerv1beta1.ExposeModes.Ingress
+				candidate.Spec.Console.SSLEnabled = true
+				candidate.Spec.Console.SSLSecret = sslSecretName
+
+				candidate.Spec.Acceptors = []brokerv1beta1.AcceptorType{
+					{
+						Name:       "acceptor",
+						Port:       61617,
+						Expose:     true,
+						ExposeMode: &brokerv1beta1.ExposeModes.Ingress,
+						SSLEnabled: true,
+						SSLSecret:  sslSecretName,
+					},
+				}
+
+				candidate.Spec.Connectors = []brokerv1beta1.ConnectorType{
+					{
+						Name:       "connector",
+						Port:       61617,
+						Expose:     true,
+						ExposeMode: &brokerv1beta1.ExposeModes.Ingress,
+						SSLEnabled: true,
+						SSLSecret:  sslSecretName,
+					},
+				}
+			})
+
+			By("check ingress is created for console")
+			ingKey := types.NamespacedName{
+				Name:      brokerCr.Name + "-wconsj-0-svc-ing",
+				Namespace: defaultNamespace,
+			}
+			ingress := netv1.Ingress{}
+			Eventually(func(g Gomega) {
+				g.Expect(k8sClient.Get(ctx, ingKey, &ingress)).To(Succeed())
+
+				g.Expect(len(ingress.Spec.Rules)).To(Equal(1))
+				g.Expect(ingress.Spec.Rules[0].Host).To(ContainSubstring(defaultTestIngressDomain))
+				g.Expect(len(ingress.Spec.Rules[0].HTTP.Paths)).To(BeEquivalentTo(1))
+				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Name).To(BeEquivalentTo(brokerCr.Name + "-wconsj-0-svc"))
+				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Port.Name).To(BeEquivalentTo("wconsj-0"))
+
+				if isOpenshift {
+					g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Path).To(BeEquivalentTo(""))
+					g.Expect(*ingress.Spec.Rules[0].HTTP.Paths[0].PathType).To(BeEquivalentTo(netv1.PathTypeImplementationSpecific))
+				} else {
+					g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Path).To(BeEquivalentTo("/"))
+					g.Expect(*ingress.Spec.Rules[0].HTTP.Paths[0].PathType).To(BeEquivalentTo(netv1.PathTypePrefix))
+
+					g.Expect(len(ingress.Spec.TLS)).To(BeEquivalentTo(1))
+					g.Expect(len(ingress.Spec.TLS[0].Hosts)).To(BeEquivalentTo(1))
+					g.Expect(ingress.Spec.TLS[0].Hosts[0]).To(ContainSubstring(defaultTestIngressDomain))
+				}
+			}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
+
+			if isOpenshift || isIngressSSLPassthroughEnabled {
+				host := ingress.Name + "." + brokerCr.Spec.IngressDomain
+
+				By("check console is reachable")
+				httpClient := http.Client{Timeout: timeout, Transport: &http.Transport{
+					DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+						return (&net.Dialer{}).DialContext(ctx, network, clusterIngressHost+":443")
+					}, TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+				Eventually(func(g Gomega) {
+					res, err := httpClient.Get("https://" + host + "/console")
+					g.Expect(err).NotTo(HaveOccurred())
+					g.Expect(res.StatusCode).Should(Equal(200))
+				}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
+			}
+
+			By("check ingress is created for acceptor")
+			ingKey = types.NamespacedName{
+				Name:      brokerCr.Name + "-acceptor-0-svc-ing",
+				Namespace: defaultNamespace,
+			}
+			Eventually(func(g Gomega) {
+				g.Expect(k8sClient.Get(ctx, ingKey, &ingress)).To(Succeed())
+
+				g.Expect(len(ingress.Spec.Rules)).To(Equal(1))
+				g.Expect(ingress.Spec.Rules[0].Host).To(Equal(brokerCr.Name + "-acceptor-0-svc-ing." + defaultTestIngressDomain))
+				g.Expect(len(ingress.Spec.Rules[0].HTTP.Paths)).To(BeEquivalentTo(1))
+				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Name).To(Equal(brokerCr.Name + "-acceptor-0-svc"))
+				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Port.Name).To(Equal("acceptor-0"))
+
+				if isOpenshift {
+					g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Path).To(BeEquivalentTo(""))
+					g.Expect(*ingress.Spec.Rules[0].HTTP.Paths[0].PathType).To(BeEquivalentTo(netv1.PathTypeImplementationSpecific))
+				} else {
+					g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Path).To(BeEquivalentTo("/"))
+					g.Expect(*ingress.Spec.Rules[0].HTTP.Paths[0].PathType).To(BeEquivalentTo(netv1.PathTypePrefix))
+
+					g.Expect(len(ingress.Spec.TLS)).To(BeEquivalentTo(1))
+					g.Expect(len(ingress.Spec.TLS[0].Hosts)).To(BeEquivalentTo(1))
+					g.Expect(ingress.Spec.TLS[0].Hosts[0]).To(ContainSubstring(defaultTestIngressDomain))
+				}
+			}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
+
+			if isOpenshift || isIngressSSLPassthroughEnabled {
+				host := ingress.Name + "." + brokerCr.Spec.IngressDomain
+
+				By("check acceptor is reachable")
+				Eventually(func(g Gomega) {
+					url := "amqps://" + clusterIngressHost + ":443"
+					connTLSConfig := amqp.ConnTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true})
+					client, err := amqp.Dial(url, amqp.ConnSASLPlain("dummy-user", "dummy-pass"), amqp.ConnTLS(true), connTLSConfig)
+					g.Expect(err).Should(BeNil())
+					g.Expect(client).ShouldNot(BeNil())
+					defer client.Close()
+				}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
+			}
+
+			By("check ingress is created for connector")
+			ingKey = types.NamespacedName{
+				Name:      brokerCr.Name + "-connector-0-svc-ing",
+				Namespace: defaultNamespace,
+			}
+			Eventually(func(g Gomega) {
+				g.Expect(k8sClient.Get(ctx, ingKey, &ingress)).To(Succeed())
+
+				g.Expect(len(ingress.Spec.Rules)).To(Equal(1))
+				g.Expect(ingress.Spec.Rules[0].Host).To(Equal(brokerCr.Name + "-connector-0-svc-ing." + defaultTestIngressDomain))
+				g.Expect(len(ingress.Spec.Rules[0].HTTP.Paths)).To(BeEquivalentTo(1))
+				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Name).To(Equal(brokerCr.Name + "-connector-0-svc"))
+				g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Backend.Service.Port.Name).To(Equal("connector-0"))
+
+				if isOpenshift {
+					g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Path).To(BeEquivalentTo(""))
+					g.Expect(*ingress.Spec.Rules[0].HTTP.Paths[0].PathType).To(BeEquivalentTo(netv1.PathTypeImplementationSpecific))
+				} else {
+					g.Expect(ingress.Spec.Rules[0].HTTP.Paths[0].Path).To(BeEquivalentTo("/"))
+					g.Expect(*ingress.Spec.Rules[0].HTTP.Paths[0].PathType).To(BeEquivalentTo(netv1.PathTypePrefix))
+
+					g.Expect(len(ingress.Spec.TLS)).To(BeEquivalentTo(1))
+					g.Expect(len(ingress.Spec.TLS[0].Hosts)).To(BeEquivalentTo(1))
+					g.Expect(ingress.Spec.TLS[0].Hosts[0]).To(ContainSubstring(defaultTestIngressDomain))
+				}
+			}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
+
+			CleanResource(createdBrokerCr, createdBrokerCr.Name, defaultNamespace)
+			CleanResource(sslSecret, sslSecret.Name, defaultNamespace)
+		})
+
+		It("expose with route mode", Label("console", "acceptor", "connector", "route"), func() {
 			By("Deploying a broker with console")
 			brokerCr, createdBrokerCr := DeployCustomBroker(defaultNamespace, func(candidate *brokerv1beta1.ActiveMQArtemis) {
 				candidate.Spec.Console.Expose = true
@@ -2421,8 +2596,6 @@ var _ = Describe("artemis controller", func() {
 					g.Expect(route.Spec.Port.TargetPort).To(Equal(intstr.FromString("wconsj-0")))
 					g.Expect(route.Spec.To.Kind).To(Equal("Service"))
 					g.Expect(route.Spec.To.Name).To(Equal(brokerCr.Name + "-wconsj-0-svc"))
-					g.Expect(route.Spec.TLS.Termination).To(BeEquivalentTo(routev1.TLSTerminationPassthrough))
-					g.Expect(route.Spec.TLS.InsecureEdgeTerminationPolicy).To(BeEquivalentTo(routev1.InsecureEdgeTerminationPolicyNone))
 				}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
 
 				By("checking route is created for acceptor")
@@ -2435,8 +2608,6 @@ var _ = Describe("artemis controller", func() {
 					g.Expect(route.Spec.Port.TargetPort).To(Equal(intstr.FromString("acceptor-0")))
 					g.Expect(route.Spec.To.Kind).To(Equal("Service"))
 					g.Expect(route.Spec.To.Name).To(Equal(brokerCr.Name + "-acceptor-0-svc"))
-					g.Expect(route.Spec.TLS.Termination).To(BeEquivalentTo(routev1.TLSTerminationPassthrough))
-					g.Expect(route.Spec.TLS.InsecureEdgeTerminationPolicy).To(BeEquivalentTo(routev1.InsecureEdgeTerminationPolicyNone))
 				}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
 
 				By("checking route is created for connector")
@@ -2449,8 +2620,6 @@ var _ = Describe("artemis controller", func() {
 					g.Expect(route.Spec.Port.TargetPort).To(Equal(intstr.FromString("connector-0")))
 					g.Expect(route.Spec.To.Kind).To(Equal("Service"))
 					g.Expect(route.Spec.To.Name).To(Equal(brokerCr.Name + "-connector-0-svc"))
-					g.Expect(route.Spec.TLS.Termination).To(BeEquivalentTo(routev1.TLSTerminationPassthrough))
-					g.Expect(route.Spec.TLS.InsecureEdgeTerminationPolicy).To(BeEquivalentTo(routev1.InsecureEdgeTerminationPolicyNone))
 				}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
 			} else {
 				brokerKey := types.NamespacedName{Name: brokerCr.Name, Namespace: brokerCr.Namespace}

diff --git a/controllers/activemqartemis_reconciler.go b/controllers/activemqartemis_reconciler.go
@@ -807,7 +807,7 @@ func (reconciler *ActiveMQArtemisReconcilerImpl) ExposureDefinitionForCR(customR
 			existing = obj.(*netv1.Ingress)
 		}
 		brokerHost := formatTemplatedString(customResource, ingressHost, ordinalString, itemName, IngressTypePostfix)
-		return ingresses.NewIngressForCRWithSSL(existing, namespacedName, labels, targetServiceName, targetPortName, passthroughTLS, customResource.Spec.IngressDomain, brokerHost)
+		return ingresses.NewIngressForCRWithSSL(existing, namespacedName, labels, targetServiceName, targetPortName, passthroughTLS, customResource.Spec.IngressDomain, brokerHost, isOpenshift)
 	}
 }
 
@@ -1077,7 +1077,7 @@ func (reconciler *ActiveMQArtemisReconcilerImpl) configureConsoleExposure(custom
 					existing = obj.(*netv1.Ingress)
 				}
 				brokerHost := formatTemplatedString(customResource, customResource.Spec.Console.IngressHost, ordinalString, consoleName, IngressTypePostfix)
-				ingressDefinition := ingresses.NewIngressForCRWithSSL(existing, namespacedName, serviceRoutelabels, targetServiceName, targetPortName, console.SSLEnabled, customResource.Spec.IngressDomain, brokerHost)
+				ingressDefinition := ingresses.NewIngressForCRWithSSL(existing, namespacedName, serviceRoutelabels, targetServiceName, targetPortName, console.SSLEnabled, customResource.Spec.IngressDomain, brokerHost, isOpenshift)
 				reconciler.trackDesired(ingressDefinition)
 			}
 		}

diff --git a/controllers/suite_test.go b/controllers/suite_test.go
@@ -27,6 +27,7 @@ import (
 	"strconv"
 	"time"
 
+	configv1 "github.com/openshift/api/config/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	"go.uber.org/zap/zapcore"
 
@@ -97,6 +98,9 @@ var (
 	// the cluster url
 	clusterUrl *url.URL
 
+	// the cluster ingress host
+	clusterIngressHost string
+
 	// the manager may be stopped/restarted via tests
 	managerCtx    context.Context
 	managerCancel context.CancelFunc
@@ -174,11 +178,17 @@ func setUpEnvTest() {
 }
 
 func setUpIngressSSLPassthrough() {
-	isIngressSSLPassthroughEnabled = false
+	clusterIngressHost = clusterUrl.Hostname()
 
-	if isOpenshift {
+	ingressConfig := &configv1.Ingress{}
+	ingressConfigKey := types.NamespacedName{Name: "cluster"}
+	ingressConfigErr := k8sClient.Get(ctx, ingressConfigKey, ingressConfig)
+
+	if ingressConfigErr == nil {
 		isIngressSSLPassthroughEnabled = true
+		clusterIngressHost = "ingress." + ingressConfig.Spec.Domain
 	} else {
+		isIngressSSLPassthroughEnabled = false
 		ingressNginxControllerDeployment := &appsv1.Deployment{}
 		ingressNginxControllerDeploymentKey := types.NamespacedName{Name: "ingress-nginx-controller", Namespace: "ingress-nginx"}
 		err := k8sClient.Get(ctx, ingressNginxControllerDeploymentKey, ingressNginxControllerDeployment)
@@ -574,7 +584,10 @@ func setUpK8sClient() {
 
 	ctrl.Log.Info("Setting up k8s client")
 
-	err := routev1.AddToScheme(scheme.Scheme)
+	err := configv1.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	err = routev1.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
 	err = brokerv2alpha5.AddToScheme(scheme.Scheme)

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/golang/mock v1.6.0
 	github.com/onsi/ginkgo/v2 v2.13.0
 	github.com/onsi/gomega v1.28.1
-	github.com/openshift/api v3.9.0+incompatible
+	github.com/openshift/api v0.0.1
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/zap v1.25.0

diff --git a/go.sum b/go.sum
@@ -100,8 +100,8 @@ github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4
 github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/gomega v1.28.1 h1:MijcGUbfYuznzK/5R4CPNoUP/9Xvuo20sXfEm6XxoTA=
 github.com/onsi/gomega v1.28.1/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
-github.com/openshift/api v3.9.0+incompatible h1:fJ/KsefYuZAjmrr3+5U9yZIZbTOpVkDDLDLFresAeYs=
-github.com/openshift/api v3.9.0+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY=
+github.com/openshift/api v0.0.1 h1:i8SdJ41c7gqwssxxr7/V3x1vGDBzulkLZVewfCH6z6I=
+github.com/openshift/api v0.0.1/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/pkg/resources/ingresses/ingress.go b/pkg/resources/ingresses/ingress.go
@@ -9,7 +9,7 @@ import (
 
 const defaultIngressDomain string = "apps.artemiscloud.io"
 
-func NewIngressForCRWithSSL(existing *netv1.Ingress, namespacedName types.NamespacedName, labels map[string]string, targetServiceName string, targetPortName string, sslEnabled bool, domain string, brokerHost string) *netv1.Ingress {
+func NewIngressForCRWithSSL(existing *netv1.Ingress, namespacedName types.NamespacedName, labels map[string]string, targetServiceName string, targetPortName string, sslEnabled bool, domain string, brokerHost string, isOpenshift bool) *netv1.Ingress {
 
 	pathType := netv1.PathTypePrefix
 
@@ -83,8 +83,16 @@ func NewIngressForCRWithSSL(existing *netv1.Ingress, namespacedName types.Namesp
 		if desired.Annotations == nil {
 			desired.Annotations = make(map[string]string)
 		}
-		desired.Annotations["nginx.ingress.kubernetes.io/ssl-passthrough"] = "true"
-		desired.Spec.TLS = []netv1.IngressTLS{{Hosts: []string{host}}}
+
+		if isOpenshift {
+			pathType = netv1.PathTypeImplementationSpecific
+			desired.Annotations["route.openshift.io/termination"] = "passthrough"
+			desired.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].Path = ""
+			desired.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathType
+		} else {
+			desired.Annotations["nginx.ingress.kubernetes.io/ssl-passthrough"] = "true"
+			desired.Spec.TLS = []netv1.IngressTLS{{Hosts: []string{host}}}
+		}
 	}
 	return desired
 }