In OpenShift, you can expose your applications through four types of routes: clear, edge, re-encrypt and passthrough. The clear route is insecure and doesn't require any certificates; the other route types are encrypted at different levels and require certificates. In this tutorial, you will learn how to create three types of routes for your applications (clear, edge and passthrough) and how creating each type differs.
For this tutorial you will need:
- Sign up for your IBM Cloud account
- Red Hat OpenShift Cluster 4 on IBM Cloud.
- oc CLI (can be downloaded from this link, or you can use it at http://shell.cloud.ibm.com/).
It will take you around 30 minutes to complete this tutorial.
- Login from the CLI & Create Project
- Setting up
- Create Application
- Expose the Route
- Extract the SSL Cert Secret
- Create Edge Route
- Create Golang Application
- Create Passthrough Route
- Go to the web console and click on your username at the top right, then 'Copy Login Command'. Display the token, then copy the oc login command and run it in your terminal.
- Create the my-route-project project.
oc new-project my-route-project
In this section, you will view details about your OpenShift Cluster on IBM Cloud. Details you would be interested in are hostname, SSL Cert Secret Name, and the namespace that holds the secret.
- First, the Overview page shows some details about your cluster, such as the Cluster ID and resource group. They can be useful when using the ibmcloud CLI to grab some information about your cluster.
- On the top right, click on your profile and select "Log in to CLI and API"
- Copy the IBM Cloud CLI login command and paste it in your CLI
- Select the resource group where your cluster resides (in my case it is default)
ibmcloud target -g default
- View information about your cluster
ibmcloud oc nlb-dns ls --cluster <cluster_name_or_id>
- Create a new deployment resource using the ibmcom/guestbook:v2 docker image in the project we just created.
oc create deployment myguestbook --image=ibmcom/guestbook:v2
- This deployment creates the corresponding Pod that's in running state. Use the following command to see the list of pods in your namespace.
oc get pods
- Create a Kubernetes ClusterIP service for your app deployment. The service provides an internal IP address for the app that the router can send traffic to.
oc expose deployment myguestbook --type="NodePort" --port=3000
- To view the service that we need to expose, use the following command.
oc get svc
- Notice that the application isn't accessible externally: we have only exposed the deployment internally. To make it externally accessible, use the following command
oc expose svc myguestbook
- Now get the route using the following command
oc get routes
- Copy and paste the link into your browser to open the application's web page. Notice that the web page is not secure because we haven't used any type of encryption yet.
- Since you will be using the same application to create an edge route, make sure to delete the route before moving to the next step
oc delete route myguestbook
- Now let's take a look at the secrets in openshift-ingress project. You will need a TLS secret that's generated for your cluster which is of type kubernetes.io/tls.
oc get secrets -n openshift-ingress
- View the secret values in your command line. Notice that the key and certificate pair are saved in PEM-encoded files.
oc extract secret/<YOUR-TLS-SECRET-NAME> --to - -n openshift-ingress
- Save the secret in a temporary directory
oc extract secret/<YOUR-TLS-SECRET-NAME> --to=/tmp -n openshift-ingress
- Create the edge route using the following command
oc create route edge --service myguestbook --key /tmp/tls.key --cert /tmp/tls.crt
- Get the route of your application and open it from your browser
oc get routes
- The application has been deployed successfully
- You can check information about the secured website and certificate from the lock icon at the top left of the browser
In this section, you will deploy a new application to use with the passthrough route, then create a secret and mount it as a volume so that you can create the route.
- Create the deployment config and service using oc create command.
oc create -f https://raw.githubusercontent.com/nerdingitout/oc-route/main/golang-https.yml
- Create TLS secret using the same secret you extracted earlier.
oc create secret tls mycert --cert /tmp/tls.crt --key /tmp/tls.key
- Mount the secret to your volume.
oc set volume dc/golang-https --add -t secret -m /go/src/app/certs --name cert --secret-name mycert
- Create the passthrough route
oc create route passthrough golang-https --service golang-https
- Get the URL. Notice that the termination type is passthrough
oc get routes
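An added check, not part of the original tutorial: the script below reads the route list in custom-columns form and flags any route that still accepts plain HTTP, which is what separates the clear route from the edge and passthrough routes created above. The sample table is constructed, and the route name legacy-edge is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Feed it the output of:
#   oc get routes -o custom-columns=NAME:.metadata.name,TERM:.spec.tls.termination,INSECURE:.spec.tls.insecureEdgeTerminationPolicy
# custom-columns prints <none> for a field the route does not set.

# Reads that table on stdin, prints one verdict per route, and returns 1
# if any route accepts plain HTTP.
audit_routes() {
    awk '
        BEGIN   { bad = 0 }
        NR == 1 { next }              # header row
        NF < 3  { next }              # blank or truncated line
        {
            name = $1; term = $2; insecure = $3
            if (term == "<none>") {
                # No spec.tls at all: this is the clear route.
                print "FAIL " name ": clear route (no TLS)"; bad = 1
            } else if (insecure == "Allow") {
                # TLS is configured but port 80 still serves the app.
                print "FAIL " name ": " term " route also allows HTTP"; bad = 1
            } else {
                print "OK " name ": " term
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the clear and passthrough routes from this tutorial,
# plus a hypothetical edge route (legacy-edge) that allows insecure traffic.
sample_routes() {
    cat <<'EOF'
NAME           TERM          INSECURE
myguestbook    <none>        <none>
golang-https   passthrough   <none>
legacy-edge    edge          Allow
EOF
}

# Stand-alone run: audit the constructed sample. For a live project, pipe
# the oc command from the header into audit_routes instead.
sample_routes | audit_routes || true
```

The non-zero return from audit_routes makes it usable as a gate in a deployment script once it is fed live output.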
You can learn more using the following resources: