If you run a web server, chances are you will need a secure edge-terminated route: TLS is terminated on the OpenShift router, and the router then proxies the request to the destination pod. Note what that means for the hop behind the router: with edge termination, traffic between the router and the pod travels over the cluster network without TLS, which is usually acceptable for the cluster-internal leg but is something to decide deliberately.
Create Edge Secured Route
An edge-terminated route needs a certificate and its private key. The router presents that certificate to clients, so the pod itself never handles TLS. Below we create such a route for our PHP application, using a self-signed certificate for illustration; in production you would substitute a certificate issued by a CA your clients trust.
Generate a private key:
$ openssl genrsa -out php.key 2048
Generate a CSR. The CN should be the hostname the route will serve (www.example.com here); note that modern browsers ignore the CN and match only against a subjectAltName, so for a certificate that browsers will accept you also need a SAN entry:
$ openssl req -new -key php.key -out php.csr \
    -subj "/C=GB/ST=London/L=London/O=IT/OU=IT/CN=www.example.com"
Generate a self-signed certificate from the CSR, signed with the same key and valid for 366 days:
$ openssl x509 -req -days 366 -in php.csr \
    -signkey php.key -out php.crt
Get the name of the service that the route will be created for:
$ oc get svc
Create the route using the certificate and the key. The route admission checks that the key and certificate are a matching pair and rejects the route otherwise. --insecure-policy=Redirect tells the router to answer plain-HTTP requests for this host with a redirect to HTTPS (the default, None, refuses them; Allow serves both):
$ oc create route edge \
    --service=php-service \
    --hostname=www.example.com \
    --key=php.key \
    --cert=php.crt \
    --insecure-policy=Redirect
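The whole procedure as one script, added here as an example and not code from the original post. It assumes the same names as above (service php-service, hostname www.example.com) and a scratch directory; it goes one step beyond the post's commands by putting a subjectAltName into the certificate, and it runs two local checks (key matches certificate, certificate covers the hostname) before calling oc, which it only invokes when the client is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the edge-route workflow as a
# script, with two local checks before anything is sent to the cluster.
# Assumed names: service php-service, hostname www.example.com, scratch WORKDIR.
set -eu

HOST="${HOST:-www.example.com}"
SERVICE="${SERVICE:-php-service}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate php.key / php.csr / php.crt for hostname $1 in directory $2.
# Unlike the post's commands this also puts a subjectAltName in the certificate:
# browsers ignore the CN and match only against the SAN.
gen_selfsigned() {
  host="$1"; dir="$2"
  openssl genrsa -out "$dir/php.key" 2048 2>/dev/null
  openssl req -new -key "$dir/php.key" -out "$dir/php.csr" \
    -subj "/C=GB/ST=London/L=London/O=IT/OU=IT/CN=$host"
  # x509 -req does not copy CSR extensions, so the SAN is supplied via -extfile.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days 366 -in "$dir/php.csr" -signkey "$dir/php.key" \
    -extfile "$dir/san.ext" -out "$dir/php.crt" 2>/dev/null
}

# Return 0 if private key $1 and certificate $2 carry the same public key.
# The route API rejects a mismatched pair; catching it here gives a clearer error.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Return 0 if certificate $2 is valid for hostname $1 (SAN, or CN when no SAN exists).
cert_covers_host() {
  out=$(openssl x509 -in "$2" -noout -checkhost "$1")
  case "$out" in
    *"does match"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the edge route from the files in directory $1 and print host,
# termination type and insecure policy back from the created object.
create_edge_route() {
  dir="$1"
  oc create route edge \
    --service="$SERVICE" \
    --hostname="$HOST" \
    --key="$dir/php.key" \
    --cert="$dir/php.crt" \
    --insecure-policy=Redirect
  # oc create route edge names the route after the service when no name is given.
  oc get route "$SERVICE" \
    -o jsonpath='{.spec.host}{" "}{.spec.tls.termination}{" "}{.spec.tls.insecureEdgeTerminationPolicy}{"\n"}'
}

main() {
  gen_selfsigned "$HOST" "$WORKDIR"
  key_matches_cert "$WORKDIR/php.key" "$WORKDIR/php.crt" || { echo "key/cert mismatch" >&2; exit 1; }
  cert_covers_host "$HOST" "$WORKDIR/php.crt" || { echo "certificate not valid for $HOST" >&2; exit 1; }
  if command -v oc >/dev/null 2>&1; then
    create_edge_route "$WORKDIR"
  else
    echo "oc not installed; key and certificate are ready in $WORKDIR"
  fi
}

main "$@"
```

Run it from a shell logged in to the cluster with `HOST=... SERVICE=... ./edge-route.sh`; the final `oc get route` line should read `www.example.com edge Redirect`, and `curl -sI http://www.example.com/` should then return a redirect whose Location header points at the https:// URL.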
Nice, I am studying for the OpenShift v4.2 exam and this is really helpful. The issue I was also running into was creating a pass-through route since you then have to mount the certs inside the container. I’ve seen the yaml for it which involves a VolumeMount: and Volume: section or I just ran into this command to get it working without editing the yaml directly.
After you’ve made the TLS secret in the same namespace:
oc set volume dc/dcName --add --type=secret --secret-name=secretName -m /usr/local/etc/ssl/certs/
Thanks Ryan.
Hello,
Can you provide an example of how to create a passthrough secure route on OpenShift? I’m studying for the EX280 exam and I’m having trouble with this part.
Hi Maria, I don’t terminate TLS at the pod level, therefore can’t advise really. Does this help: https://developers.redhat.com/blog/2017/01/24/end-to-end-encryption-with-openshift-part-1-two-way-ssl/