OpenShift 4: Custom API URL Endpoint

https://unsplash.com/@pankajpatel

Objective

On top of the standard api.<cluster_name>.<subdomain> as external API endpoint, we are going to serve this endpoint using custom URL as below:

  • Custom API Endpoint: https://console.local.bytewise.my:6443
  • A certificate signed with SAN for console.local.bytewise.my

Refer to this article here if you want to have your own custom root CA.

Steps

  1. Configure your load balancer and DNS to ensure “console.local.bytewise.my” will reach all masters node.
[[email protected] ~]# nslookup console.local.bytewise.my
Server:		192.168.50.254
Address:	192.168.50.254#53

Name:	console.local.bytewise.my
Address: 192.168.50.10

[[email protected] ~]# nslookup api.ocp4.local.bytewise.my
Server:		192.168.50.254
Address:	192.168.50.254#53

Name:	api.ocp4.local.bytewise.my
Address: 192.168.50.10

[[email protected] ~]# 

2. Create a TLS secret to host new hostname as the servingCertificate:

#> ls -lrt
total 16
-rwxrwxr-x. 1 mzali mzali  472 Mar 10 15:59 console.local.bytewise.my.cnf
-rw-------. 1 mzali mzali 1679 Mar 10 16:00 console.key
-rw-rw-r--. 1 mzali mzali 1115 Mar 10 16:00 console.csr
-rw-rw-r--. 1 mzali mzali 1679 Mar 10 16:04 console.crt

#> oc create secret tls api-cert --cert=console.crt --key=console.key -n openshift-config

3. Now patch the apiserver CR for new configuration to take effects:

# oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": ["console.local.bytewise.my"],
     "servingCertificate": {"name": "api-cert"}}]}}}'

4. Pods will restarting for new config to get in.

5. Finally , we can authenticate using custom URL:

#> curl -kv https://console.local.bytewise.my:6443
*   Trying 192.168.50.10:6443...
###### TRUNCATED #####
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=MY; ST=Selangor; L=Sepang; O=Red Hat; CN=console.local.bytewise.my
*  start date: Mar 10 08:04:06 2020 GMT
*  expire date: Aug  4 08:04:06 2021 GMT
*  issuer: C=MY; ST=Selangor; L=Sepang; O=Red Hat; OU=GPS; [email protected]
*  SSL certificate verify ok.
###### TRUNCATED #####
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
* Connection #0 to host console.local.bytewise.my left intact
}


#> oc login -u mzali https://console.local.bytewise.my:6443
Authentication required for https://console.local.bytewise.my:6443 (openshift)
Username: mzali
Password: 
Login successful.

You have access to 53 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
#> oc config get-contexts 
CURRENT   NAME                                                             CLUSTER                           AUTHINFO                                NAMESPACE 
*         default/console-local-bytewise-my:6443/mzali                     console-local-bytewise-my:6443    

Summary

While the default external API is sufficient, some user wanted this to be customized to suite their needs. This article shown the feasibility to use those configurations.

Muhammad Aizuddin Zali

Red Hat APAC-SEATH Senior Platform Consultant for OpenShift.

You may also like...

%d bloggers like this: