Skip to content

Commit deda7a0

Browse files
authored
Merge pull request #75234 from michaelryanmcneill/OSDOCS-9608
2 parents b9d7589 + 87d0f38 commit deda7a0

File tree

2 files changed

+254
-0
lines changed

2 files changed

+254
-0
lines changed

_topic_maps/_topic_map_rosa.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -135,6 +135,8 @@ Topics:
135135
File: cloud-experts-dynamic-certificate-custom-domain
136136
- Name: Assigning consistent egress IP for external traffic
137137
File: cloud-experts-consistent-egress-ip
138+
- Name: Updating component routes with custom domains and TLS certificates
139+
File: cloud-experts-update-component-routes
138140
- Name: Getting started with ROSA
139141
Dir: cloud-experts-getting-started
140142
Distros: openshift-rosa
Lines changed: 252 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,252 @@
1+
:_mod-docs-content-type: ASSEMBLY
2+
[id="cloud-experts-update-component-routes"]
3+
= Tutorial: Updating component routes with custom domains and TLS certificates
4+
include::_attributes/attributes-openshift-dedicated.adoc[]
5+
:context: cloud-experts-update-component-routes
6+
7+
toc::[]
8+
9+
:fn-supported-versions: footnote:[Modifying these routes on {product-title} ROSA versions prior to 4.14 is not typically supported. However, if you have a cluster using version 4.13, you can request for Red Hat Support to enable support for this feature on your version 4.13 cluster by link:https://access.redhat.com/support/cases/new[opening a support case].]
10+
:fn-term-component-routes: footnote:[We use the term "component routes" to refer to the OAuth, Console, and Downloads routes that are provided when ROSA are first installed.]
11+
12+
//Article text
13+
This guide demonstrates how to modify the hostname and TLS certificate of the Web console, OAuth server, and Downloads component routes in {product-title} (ROSA) version 4.14 and above.{fn-supported-versions}
14+
15+
The changes that we make to the component routes{fn-term-component-routes} in this guide are described in greater detail in the customizing the link:https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#customizing-the-oauth-server-url_configuring-internal-oauth[internal OAuth server URL], link:https://docs.openshift.com/container-platform/latest/web_console/customizing-the-web-console.html#customizing-the-console-route_customizing-web-console[console route], and link:https://docs.openshift.com/container-platform/latest/web_console/customizing-the-web-console.html#customizing-the-download-route_customizing-web-console[download route] OpenShift Container Platform documentation.
16+
17+
[id="prerequisites_{context}"]
18+
== Prerequisites
19+
* ROSA CLI (`rosa`) version 1.2.37 or higher
20+
* AWS CLI (`aws`)
21+
* A ROSA cluster
22+
* OpenShift CLI (`oc`)
23+
* `jq` CLI
24+
* Access to the cluster as a user with the `cluster-admin` role.
25+
* OpenSSL (for generating the demonstration SSL/TLS certificates)
26+
27+
[id="environment-setup_{context}"]
28+
== Setting up your environment
29+
30+
. Log in to your cluster using an account with `cluster-admin` privileges.
31+
+
32+
. Configure an environment variable for your cluster name:
33+
+
34+
[source,terminal]
35+
----
36+
$ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}" | sed 's/-[a-z0-9]\{5\}$//')
37+
----
38+
39+
. Ensure all fields output correctly before moving to the next section:
40+
+
41+
[source,terminal]
42+
----
43+
$ echo "Cluster: ${CLUSTER_NAME}"
44+
----
45+
+
46+
.Example output
47+
+
48+
[source,text]
49+
----
50+
Cluster: my-rosa-cluster
51+
----
52+
53+
[id="find-current-component-routes_{context}"]
54+
== Find the current routes
55+
56+
. Verify that you can reach the component routes on their default hostnames.
57+
+
58+
You can find the hostnames by querying the lists of routes in the `openshift-console` and `openshift-authentication` projects.
59+
+
60+
[source,bash]
61+
----
62+
$ oc get routes -n openshift-console
63+
$ oc get routes -n openshift-authentication
64+
----
65+
+
66+
.Example output
67+
+
68+
[source,text]
69+
----
70+
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
71+
console console-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com ... 1 more console https reencrypt/Redirect None
72+
downloads downloads-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com ... 1 more downloads http edge/Redirect None
73+
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
74+
oauth-openshift oauth-openshift.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com ... 1 more oauth-openshift 6443 passthrough/Redirect None
75+
----
76+
+
77+
From this output you can see that our base hostname is `z9a9.p1.openshiftapps.com`.
78+
+
79+
. Get the ID of the default ingress by running the following command:
80+
+
81+
[source,bash]
82+
----
83+
$ export INGRESS_ID=$(rosa list ingress -c ${CLUSTER_NAME} -o json | jq -r '.[] | select(.default == true) | .id')
84+
----
85+
+
86+
. Ensure all fields output correctly before moving to the next section:
87+
+
88+
[source,terminal]
89+
----
90+
$ echo "Ingress ID: ${INGRESS_ID}"
91+
----
92+
+
93+
.Example output
94+
+
95+
[source,text]
96+
----
97+
Ingress ID: r3l6
98+
----
99+
+
100+
By running these commands you can see that the default component routes for our cluster are:
101+
102+
* `console-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com` for Console
103+
* `downloads-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com` for Downloads
104+
* `oauth-openshift.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com` for OAuth
105+
106+
We can use the `rosa edit ingress` command to change the hostname of each service and add a TLS certificate for all of our component routes. The relevant parameters are shown in this excerpt of the command line help for the `rosa edit ingress` command:
107+
108+
[source,bash]
109+
----
110+
$ rosa edit ingress -h
111+
Edit a cluster ingress for a cluster. Usage:
112+
rosa edit ingress ID [flags]
113+
[...]
114+
--component-routes string Component routes settings. Available keys [oauth, console, downloads]. For each key a pair of hostname and tlsSecretRef is expected to be supplied. Format should be a comma separate list 'oauth: hostname=example-hostname;tlsSecretRef=example-secret-ref,downloads:...'
115+
----
116+
117+
For this example, we'll use the following custom component routes:
118+
119+
* `console.my-new-domain.dev` for Console
120+
* `downloads.my-new-domain.dev` for Downloads
121+
* `oauth.my-new-domain.dev` for OAuth
122+
123+
[id="create-tls-certificates_{context}"]
124+
== Create a valid TLS certificate for each component route
125+
126+
In this section, we create three separate self-signed certificate key pairs and then trust them to verify that we can access our new component routes using a real web browser.
127+
128+
[WARNING]
129+
====
130+
This is for demonstration purposes only, and is not recommended as a solution for production workloads. Consult your certificate authority to understand how to create certificates with similar attributes for your production workloads.
131+
====
132+
133+
[IMPORTANT]
134+
====
135+
To prevent issues with HTTP/2 connection coalescing, you must use a separate individual certificate for each endpoint. Using a wildcard or SAN certificate is not supported.
136+
====
137+
138+
. Generate a certificate for each component route, taking care to set our certificate's subject (`-subj`) to the custom domain of the component route we want to use:
139+
+
140+
.Example
141+
+
142+
[source,bash]
143+
----
144+
$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout key-console.pem -out cert-console.pem -subj "/CN=console.my-new-domain.dev"
145+
$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout key-downloads.pem -out cert-downloads.pem -subj "/CN=downloads.my-new-domain.dev"
146+
$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout key-oauth.pem -out cert-oauth.pem -subj "/CN=oauth.my-new-domain.dev"
147+
----
148+
+
149+
This generates three pairs of `.pem` files, `key-<component>.pem` and `cert-<component>.pem`.
150+
151+
[id="add-certificates-as-secrets_{context}"]
152+
== Add the certificates to the cluster as secrets
153+
154+
. Create three TLS secrets in the `openshift-config` namespace.
155+
+
156+
These become your secret reference when you update the component routes later in this guide.
157+
+
158+
[source,bash]
159+
----
160+
$ oc create secret tls console-tls --cert=cert-console.pem --key=key-console.pem -n openshift-config
161+
$ oc create secret tls downloads-tls --cert=cert-downloads.pem --key=key-downloads.pem -n openshift-config
162+
$ oc create secret tls oauth-tls --cert=cert-oauth.pem --key=key-oauth.pem -n openshift-config
163+
----
164+
165+
[id="find-lb-hostname_{context}"]
166+
== Find the hostname of the load balancer in your cluster
167+
168+
When you create a cluster, the service creates a load balancer and generates a hostname for that load balancer. We need to know the load balancer hostname in order to create DNS records for our cluster.
169+
170+
You can find the hostname by running the `oc get svc` command against the `openshift-ingress` namespace. The hostname of the load balancer is the `EXTERNAL-IP` associated with the `router-default` service in the `openshift-ingress` namespace.
171+
172+
[source,bash]
173+
----
174+
$ oc get svc -n openshift-ingress
175+
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
176+
router-default LoadBalancer 172.30.237.88 a234gsr3242rsfsfs-1342r624.us-east-1.elb.amazonaws.com 80:31175/TCP,443:31554/TCP 76d
177+
----
178+
179+
In our case, the hostname is `a234gsr3242rsfsfs-1342r624.us-east-1.elb.amazonaws.com`.
180+
181+
Save this value for later, as we will need it to configure DNS records for our new component route hostnames.
182+
183+
[id="add-component-routes-to-dns_{context}"]
184+
== Add component route DNS records to your hosting provider
185+
186+
In your hosting provider, add DNS records that map the `CNAME` of your new component route hostnames to the load balancer hostname we found in the previous step.
187+
188+
//.Need an image for this
189+
//image::[Picture goes here]
190+
191+
[id="update-component-routes-tls-using-rosa-cli_{context}"]
192+
== Update the component routes and TLS secret using the ROSA CLI
193+
194+
When your DNS records have been updated, you can use the ROSA CLI to change the component routes.
195+
196+
. Use the `rosa edit ingress` command to update your default ingress route with the new base domain and the secret reference associated with it, taking care to update the hostnames for each component route.
197+
+
198+
[source,bash]
199+
----
200+
$ rosa edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} --component-routes 'console: hostname=console.my-new-domain.dev;tlsSecretRef=console-tls,downloads: hostname=downloads.my-new-domain.dev;tlsSecretRef=downloads-tls,oauth: hostname=oauth.my-new-domain.dev;tlsSecretRef=oauth-tls'
201+
----
202+
+
203+
[NOTE]
204+
====
205+
You can also edit only a subset of the component routes by leaving the component routes you do not want to change set to an empty string. For example, if you only want to change the Console and OAuth server hostnames and TLS certificates, you would run the following command:
206+
[source,bash]
207+
----
208+
$ rosa edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} --component-routes 'console: hostname=console.my-new-domain.dev;tlsSecretRef=console-tls,downloads: hostname="";tlsSecretRef="", oauth: hostname=oauth.my-new-domain.dev;tlsSecretRef=oauth-tls'
209+
----
210+
====
211+
+
212+
. Run the `rosa list ingress` command to verify that your changes were successfully made:
213+
+
214+
[source,bash]
215+
----
216+
$ rosa list ingress -c ${CLUSTER_NAME} -ojson | jq ".[] | select(.id == \"${INGRESS_ID}\") | .component_routes"
217+
----
218+
+
219+
.Example output
220+
+
221+
[source,text]
222+
----
223+
{
224+
"console": {
225+
"kind": "ComponentRoute",
226+
"hostname": "console.my-new-domain.dev",
227+
"tls_secret_ref": "console-tls"
228+
},
229+
"downloads": {
230+
"kind": "ComponentRoute",
231+
"hostname": "downloads.my-new-domain.dev",
232+
"tls_secret_ref": "downloads-tls"
233+
},
234+
"oauth": {
235+
"kind": "ComponentRoute",
236+
"hostname": "oauth.my-new-domain.dev",
237+
"tls_secret_ref": "oauth-tls"
238+
}
239+
}
240+
----
241+
+
242+
. Add your certificate to the truststore on your local system, then confirm that you can access your components at their new routes using your local web browser.
243+
244+
[id="reset-component-routes-to-default_{context}"]
245+
== Reset the component routes to the default using the ROSA CLI
246+
247+
If you want to reset the component routes to the default configuration, run the following `rosa edit ingress` command:
248+
249+
[source,bash]
250+
----
251+
$ rosa edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} --component-routes 'console: hostname="";tlsSecretRef="",downloads: hostname="";tlsSecretRef="", oauth: hostname="";tlsSecretRef=""'
252+
----

0 commit comments

Comments
 (0)