Aug 11, 2021
OpenShift 4 New URL for Console and Monitoring WEB UI
about this Article
In some cases we would like to provide a better looking URL for our console and monitoring stack other then our build-in routes which are been provided during the installation without reinstalling the cluster.
When you want your client to access the OpenShift console through an elegant URL rather then console-openshift-console.app.<your cluster>.<your domain> you can now do it by edit the console operator object. In regards to the monitoring stack the process is a bit more complex but not that hard.
Tutorial.
In our tutorial we will change our console to URL to openshift.example.com and our monitor stack to *.monitor.example.com (we will take the grafana route as our example)
Console URL
Changing the console URL is the easy part , all we need to is to update the console operator and add TLS certificate (the assumption is that we are going to use a different domain).
TLS
Create a Directory that will store all the TLS files :
# mkdir ~/TLS && cd ~/TLS/First we would want to create the TLS certificate and key for our new URL so let’s start with a simple OpenSSL answer file :
# export DOMAIN="example.local"
# export SHORT_NAME="console"And then create the file :
# cat > ${SHORT_NAME}_answer.txt << EOF[req]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = req_ext
req_extensions = req_ext
distinguished_name = dn[ dn ]
C=US
ST=New York
L=New York
O=MyOrg
OU=MyOrgUnit
emailAddress=me@working.me
CN = ${SHORT_NAME}[ req_ext ]
subjectAltName = @alt_names[ alt_names ]
DNS.1 = ${SHORT_NAME}
DNS.2 = ${SHORT_NAME}.${DOMAIN}
EOF
Now let’s create the tls.key
# openssl genrsa -out ${SHORT_NAME}.key 4096Generate Server CSR
Now we will generate the certificate request using the domain Key and the domain answer file which we created in the beginning of the this tutorial.
$ openssl req -new -key ${SHORT_NAME}.key -out ${SHORT_NAME}.csr -config <( cat ${SHORT_NAME}_answer.txt )It is a very good practice at this point to Test the CSR for DNS alternative names :
$ openssl req -in ${SHORT_NAME}.csr -noout -text | grep DNSThe output should be :
DNS:console, DNS:console.example.localIf you received the output as in the example you are good to go.
Now you need to sign the certificate with your Organization CA (if you want to setup your own CA you see how in my OpenSSL and DNS Alter Name tutorial).
NOTE!!
In the tutorial we are assuming that the certificate filename is “tls.crt”
Now we should 4 files… A key , A certificate , A certificate request and a CA file ( the CA and the certificate is what we should receive from our Organization CA).
Before we continue it is good practive to test the certificate and make sure everything is correlated.
Testing the Certificate
Now all that is left to do is to test our certificate :
$ openssl x509 -in tls.crt -noout -text | grep DNS
DNS:registry, DNS:registry.example.localAnd if we want to make sure the ca.crt is the signer of the certificate we can test it with the “verify” arguments:
$ openssl verify -CAfile ca.crt tls.crt
tls.crt: OKIf your output is the same as the example you done everything right!!
secret
In order for our new console to work with our newly create TLS file we need to create a secret under the openshift-config namespace and should be a secret of type “TLS”.
# oc create secret tls console-tls --cert=~/TLS/tls.crt --key=~/TLS/tls.key -n openshift-confignew URL
Now that we have a secret we go ahead and update the Ingress configuration.
Here is an example of our YAML file :
# cat > ingress-console.yaml << EOF
apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
componentRoutes:
- name: console
namespace: openshift-console
hostname: ${SHORT_NAME}.${DOMAIN}
servingCertKeyPairSecret:
name: console-tls
EOFAnd Let’s Apply it :
# oc apply -f ingress-console.yamlNoe your new console URL is: https://${SHORT_NAME}.${DOMAIN}
Monitoring URL
It is very important to mentioned that the next step is NOT SUPPORTED and should be done only if it absolutely necessary for your environment , if it’s not then don’t change the monitor URL.
If you do need to change it for some highly important reason (I haven’t encountered one) then here are the steps.
We will take the grafana URL as an example but you will need to run it for all the monitoring URLs.
First Go back over the TLS steps for your new grafana URL so you will end up with the tls.crt and the tls.key files.
Next create a secret for the new route under the openshift-monitoring namespace :
# oc create secret tls grafana-tls --cert=~/TLS/tls.crt --key=~/TLS/tls.key -n openshift-monitoring Now we will create the new route with our new TLS :
# oc create route new-grafana reencrypt --service=grafana --cert=./tls.crt --key=./tls.key --insecure-policy=Redirect --hostname=grafana.example.comNow here is where the uniqueness comes into action.
For each service which is running there is their own service account. under that service account their is an annotation for which URL to correspond with.
For our example you can see the annotation of the grafana service account :
# oc get sa grafana -n openshift-monitoring -o jsonpath='{.metadata.annotations}'and the output is :
{
"serviceaccounts.openshift.io/oauth-redirectreference.grafana": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"grafana\"}}"
}All we need to do is to change the Route name from “grafana” to “new-grafana” and we are good to go.
use the edit command to do so :
# oc edit sa grafana -n openshift-monitoringOnce you changed it the new output should look as follow :
{
"serviceaccounts.openshift.io/oauth-redirectreference.grafana": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"new-grafana\"}}"
}Now go over the same procedure for the rest of the URLs
That is it !!!
If you have any question feel free to responed/ leave a comment.
You can find on linkedin at : https://www.linkedin.com/in/orenoichman
Or twitter at : https://twitter.com/ooichman
