OpenShift 4: Custom API URL Endpoint

by Muhammad Aizuddin Zali · Published March 10, 2020 · Updated March 11, 2020

Author
Recent Posts

Muhammad Aizuddin Zali

Senior Platform Consultant at Red Hat

Red Hat APAC-SEATH Senior Platform Consultant for OpenShift.

Latest posts by Muhammad Aizuddin Zali (see all)

OpenShift 4: Query Prometheus API for Firing Alert - November 4, 2020
OpenShift 4.5 KNI Labs (Step-by-step) - October 14, 2020
OpenShift 4.5 : NooBaa S3 Bucket for internal image registry - September 9, 2020

Objective

On top of the standard api.<cluster_name>.<subdomain> as external API endpoint, we are going to serve this endpoint using custom URL as below:

Custom API Endpoint: https://console.local.bytewise.my:6443
A certificate signed with SAN for console.local.bytewise.my

Refer to this article here if you want to have your own custom root CA.

Steps

Configure your load balancer and DNS to ensure “console.local.bytewise.my” will reach all masters node.

[[email protected] ~]# nslookup console.local.bytewise.my
Server:		192.168.50.254
Address:	192.168.50.254#53

Name:	console.local.bytewise.my
Address: 192.168.50.10

[[email protected] ~]# nslookup api.ocp4.local.bytewise.my
Server:		192.168.50.254
Address:	192.168.50.254#53

Name:	api.ocp4.local.bytewise.my
Address: 192.168.50.10

[[email protected] ~]#

2. Create a TLS secret to host new hostname as the servingCertificate:

#> ls -lrt
total 16
-rwxrwxr-x. 1 mzali mzali  472 Mar 10 15:59 console.local.bytewise.my.cnf
-rw-------. 1 mzali mzali 1679 Mar 10 16:00 console.key
-rw-rw-r--. 1 mzali mzali 1115 Mar 10 16:00 console.csr
-rw-rw-r--. 1 mzali mzali 1679 Mar 10 16:04 console.crt

#> oc create secret tls api-cert --cert=console.crt --key=console.key -n openshift-config

3. Now patch the apiserver CR for new configuration to take effects:

# oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": ["console.local.bytewise.my"],
     "servingCertificate": {"name": "api-cert"}}]}}}'

4. Pods will restarting for new config to get in.

5. Finally , we can authenticate using custom URL:

#> curl -kv https://console.local.bytewise.my:6443
*   Trying 192.168.50.10:6443...
###### TRUNCATED #####
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=MY; ST=Selangor; L=Sepang; O=Red Hat; CN=console.local.bytewise.my
*  start date: Mar 10 08:04:06 2020 GMT
*  expire date: Aug  4 08:04:06 2021 GMT
*  issuer: C=MY; ST=Selangor; L=Sepang; O=Red Hat; OU=GPS; [email protected]
*  SSL certificate verify ok.
###### TRUNCATED #####
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
* Connection #0 to host console.local.bytewise.my left intact
}


#> oc login -u mzali https://console.local.bytewise.my:6443
Authentication required for https://console.local.bytewise.my:6443 (openshift)
Username: mzali
Password: 
Login successful.

You have access to 53 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
#> oc config get-contexts 
CURRENT   NAME                                                             CLUSTER                           AUTHINFO                                NAMESPACE 
*         default/console-local-bytewise-my:6443/mzali                     console-local-bytewise-my:6443

Summary

While the default external API is sufficient, some user wanted this to be customized to suite their needs. This article shown the feasibility to use those configurations.