OpenShift 4 New URL for Console and Monitoring WEB UI

about this Article

In some cases we would like to provide a better looking URL for our console and monitoring stack other then our build-in routes which are been provided during the installation without reinstalling the cluster.

When you want your client to access the OpenShift console through an elegant URL rather then console-openshift-console.app.<your cluster>.<your domain> you can now do it by edit the console operator object. In regards to the monitoring stack the process is a bit more complex but not that hard.

Tutorial.

In our tutorial we will change our console to URL to openshift.example.com and our monitor stack to *.monitor.example.com (we will take the grafana route as our example)

Console URL

Changing the console URL is the easy part , all we need to is to update the console operator and add TLS certificate (the assumption is that we are going to use a different domain).

Create a Directory that will store all the TLS files :

# mkdir ~/TLS && cd ~/TLS/

First we would want to create the TLS certificate and key for our new URL so let’s start with a simple OpenSSL answer file :

# export DOMAIN="example.local"
# export SHORT_NAME="console"

And then create the file :

# cat > ${SHORT_NAME}_answer.txt << EOF[req]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = req_ext
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=New York
O=MyOrg
OU=MyOrgUnit
emailAddress=me@working.me
CN = ${SHORT_NAME}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${SHORT_NAME}
DNS.2 = ${SHORT_NAME}.${DOMAIN}
EOF

Now let’s create the tls.key

# openssl genrsa -out ${SHORT_NAME}.key 4096

Now we will generate the certificate request using the domain Key and the domain answer file which we created in the beginning of the this tutorial.

$ openssl req -new -key ${SHORT_NAME}.key -out ${SHORT_NAME}.csr -config <( cat ${SHORT_NAME}_answer.txt )

It is a very good practice at this point to Test the CSR for DNS alternative names :

$ openssl req -in ${SHORT_NAME}.csr -noout -text | grep DNS

The output should be :

              DNS:console, DNS:console.example.local

If you received the output as in the example you are good to go.

Now you need to sign the certificate with your Organization CA (if you want to setup your own CA you see how in my OpenSSL and DNS Alter Name tutorial).

NOTE!!
In the tutorial we are assuming that the certificate filename is “tls.crt”

Now we should 4 files… A key , A certificate , A certificate request and a CA file ( the CA and the certificate is what we should receive from our Organization CA).
Before we continue it is good practive to test the certificate and make sure everything is correlated.

Now all that is left to do is to test our certificate :

$ openssl x509 -in tls.crt -noout -text | grep DNS
DNS:registry, DNS:registry.example.local

And if we want to make sure the ca.crt is the signer of the certificate we can test it with the “verify” arguments:

$ openssl verify -CAfile ca.crt tls.crt
tls.crt: OK

If your output is the same as the example you done everything right!!

In order for our new console to work with our newly create TLS file we need to create a secret under the openshift-config namespace and should be a secret of type “TLS”.

# oc create secret tls console-tls --cert=~/TLS/tls.crt --key=~/TLS/tls.key -n openshift-config

Now that we have a secret we go ahead and update the Ingress configuration.

Here is an example of our YAML file :

# cat > ingress-console.yaml << EOF
apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
componentRoutes:
- name: console
namespace: openshift-console
hostname: ${SHORT_NAME}.${DOMAIN}
servingCertKeyPairSecret:
name: console-tls
EOF

And Let’s Apply it :

# oc apply -f ingress-console.yaml

Noe your new console URL is: https://${SHORT_NAME}.${DOMAIN}

Monitoring URL

It is very important to mentioned that the next step is NOT SUPPORTED and should be done only if it absolutely necessary for your environment , if it’s not then don’t change the monitor URL.
If you do need to change it for some highly important reason (I haven’t encountered one) then here are the steps.

We will take the grafana URL as an example but you will need to run it for all the monitoring URLs.

First Go back over the TLS steps for your new grafana URL so you will end up with the tls.crt and the tls.key files.

Next create a secret for the new route under the openshift-monitoring namespace :

# oc create secret tls grafana-tls --cert=~/TLS/tls.crt --key=~/TLS/tls.key -n openshift-monitoring 

Now we will create the new route with our new TLS :

# oc create route new-grafana reencrypt --service=grafana --cert=./tls.crt --key=./tls.key --insecure-policy=Redirect --hostname=grafana.example.com

Now here is where the uniqueness comes into action.
For each service which is running there is their own service account. under that service account their is an annotation for which URL to correspond with.

For our example you can see the annotation of the grafana service account :

# oc get sa grafana -n openshift-monitoring -o jsonpath='{.metadata.annotations}'

and the output is :

{
"serviceaccounts.openshift.io/oauth-redirectreference.grafana": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"grafana\"}}"
}

All we need to do is to change the Route name from “grafana” to “new-grafana” and we are good to go.
use the edit command to do so :

# oc edit sa grafana -n openshift-monitoring

Once you changed it the new output should look as follow :

{
"serviceaccounts.openshift.io/oauth-redirectreference.grafana": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"new-grafana\"}}"
}

Now go over the same procedure for the rest of the URLs

That is it !!!

If you have any question feel free to responed/ leave a comment.
You can find on linkedin at : https://www.linkedin.com/in/orenoichman
Or twitter at : https://twitter.com/ooichman

Open Source contributer for the past 15 years