OpenShift 4 route with TLS secret and Cert Utils Operator

TLS and Secrets

In Today modern world running application without TLS is on the verge of forbidden. All web application must run their front end with some time of TLS termination. Running Web application on OpenShift is no different and on OpenShift we have several options.

TLS Termination

When Running Application on top of OpenShift we are being provided with several option of running the application with TLS.
The first option is writing the application which uses the TLS library and start the session with the TLS certificates.
The second option is implementing an external load balancer which enables TLS termination. That will create a traffic which is secure between the customer and the Load Balancer but between the Load Balancer and OpenShift all the communication will be clear text.
the third option (which is our subject today) is to creating an OpenShift route that implements TLS termination.

What’s has changed ?

Until now we’ve created a route and added the Certificate + key (and the CA) in a clear text why to the route resource. Today we are going to see another way which is to create a secret and have that attached to the route automatically instead of adding it in clear text.

Why ?

By using the secret method we can protect our secret and key for example in our GIT repository when we store our route in a declarative manner by just stating the secret reference instead of providing the full certificate. more so we can create an automatic certificate rotation (for example in a letsencrypt scenario when we need a new certificate every 3 month) by just updating the secret and the route will be update automatically.
The way we implement this process is by adding a community version operator of the “Cert Util Operator” which takes care of the process for us.

Steps …

First the hole process is based on the cert util operator so we need to deploy it. In Openshift we will use OLM and deploy it from the operatorHUB.

First let’s create a new namespace :

Prometheus compatible metrics are exposed by the Operator and can be integrated into OpenShift’s default cluster monitoring. To enable OpenShift cluster monitoring, label the namespace the operator is deployed in with the label openshift.io/cluster-monitoring="true"

To deploy the operator we will need to create the following file :

Now let’s deploy the subscription :

This will create the appropriate OperatorGroup and Subscription and will trigger OLM to launch the operator in the specified namespace.

First we need to create a secret in “tls” type. This document already assume that you have created a certificate request and key , signed the certificate with your Organization CA and obtain the certificate.

Now let’s create the route to a YAML file:

Now let’s edit our newly created file. for edit the YAML file we can use a tool named yq and there is an image we can use (or just download the binary).

To download yq you can visit the link here . or build a container image with the yq binary.

in order to build the image all we need is to create the following Containerfile which will download the yq command and add it to a UBI8 minimal image :

And build the image :

For using the image we need to add the following function to our .bashrc file :

note!
If you are in a disconnected environment I strongly recommend download the binary/image to your environment.This tool is useful for many thinks (A relevant tutorial will be provided in the future).

And source the file :

Now we can use the yq command to add the annotation to the route file :

And Apply our newly created file :

From this point and forward every time we will update the secret the the route will get updated.

We can view our new route with TLS with the following command :

That’s it.

If you have any question feel free to responed/ leave a comment.
You can find on linkedin at : https://www.linkedin.com/in/orenoichman
Or twitter at : https://twitter.com/ooichman

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store