OpenShift 4: Custom API URL Endpoint

Objective
In addition to the standard external API endpoint, api.<cluster_name>.<subdomain>, we are going to serve the API on a custom URL as below:
- Custom API Endpoint: https://console.local.bytewise.my:6443
- A certificate signed with SAN for console.local.bytewise.my
Refer to this article here if you want to have your own custom root CA.
Steps
1. Configure your load balancer and DNS to ensure “console.local.bytewise.my” reaches all master nodes.
[[email protected] ~]# nslookup console.local.bytewise.my
Server: 192.168.50.254
Address: 192.168.50.254#53
Name: console.local.bytewise.my
Address: 192.168.50.10
[[email protected] ~]# nslookup api.ocp4.local.bytewise.my
Server: 192.168.50.254
Address: 192.168.50.254#53
Name: api.ocp4.local.bytewise.my
Address: 192.168.50.10
[[email protected] ~]#
2. Create a TLS secret holding the certificate and key for the new hostname, to be used as the servingCertificate:
#> ls -lrt
total 16
-rwxrwxr-x. 1 mzali mzali 472 Mar 10 15:59 console.local.bytewise.my.cnf
-rw-------. 1 mzali mzali 1679 Mar 10 16:00 console.key
-rw-rw-r--. 1 mzali mzali 1115 Mar 10 16:00 console.csr
-rw-rw-r--. 1 mzali mzali 1679 Mar 10 16:04 console.crt
#> oc create secret tls api-cert --cert=console.crt --key=console.key -n openshift-config
3. Now patch the apiserver CR for the new configuration to take effect:
# oc patch apiserver cluster \
--type=merge -p \
'{"spec":{"servingCerts": {"namedCertificates":
[{"names": ["console.local.bytewise.my"],
"servingCertificate": {"name": "api-cert"}}]}}}'
4. Pods will restart to pick up the new configuration.
5. Finally, we can authenticate using the custom URL:
#> curl -kv https://console.local.bytewise.my:6443
* Trying 192.168.50.10:6443...
###### TRUNCATED #####
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=MY; ST=Selangor; L=Sepang; O=Red Hat; CN=console.local.bytewise.my
* start date: Mar 10 08:04:06 2020 GMT
* expire date: Aug 4 08:04:06 2021 GMT
* issuer: C=MY; ST=Selangor; L=Sepang; O=Red Hat; OU=GPS; [email protected]
* SSL certificate verify ok.
###### TRUNCATED #####
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
* Connection #0 to host console.local.bytewise.my left intact
}
#> oc login -u mzali https://console.local.bytewise.my:6443
Authentication required for https://console.local.bytewise.my:6443 (openshift)
Username: mzali
Password:
Login successful.
You have access to 53 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".
#> oc config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* default/console-local-bytewise-my:6443/mzali console-local-bytewise-my:6443
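Before step 2 loads console.crt and console.key into the api-cert secret, it is worth confirming that the certificate carries the custom hostname in its SAN, that the key belongs to it, and that it chains to the CA your clients trust. The script below is an added example, not part of the original article; the san.cnf contents, the function names and the throwaway CA it generates are assumptions constructed for the demonstration.

```bash
# Added example: pre-flight checks for the files given to `oc create secret tls`.
# make_sample builds constructed, throwaway test data; it is not the page's PKI.
make_sample() {   # make_sample DIR HOST
  local d=$1 host=$2
  # Assumed layout for a file like console.local.bytewise.my.cnf
  cat > "$d/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/san.cnf" \
    -extensions v3_ca -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/san.cnf" \
    -keyout "$d/console.key" -out "$d/console.csr" 2>/dev/null &&
  # x509 -req drops the CSR's extensions unless they are re-supplied with -extfile.
  openssl x509 -req -in "$d/console.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/san.cnf" -extensions v3_req \
    -out "$d/console.crt" 2>/dev/null
}
# san_has CRT HOST: exact DNS SAN match (wildcard entries are not expanded).
san_has() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n1 | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}
# key_matches CRT KEY: both files must carry the same public key.
key_matches() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}
# preflight CRT KEY CA HOST: succeeds only if all three checks pass.
preflight() {
  san_has "$1" "$4"     || { echo "FAIL: $4 is not in the SAN"; return 1; }
  key_matches "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "FAIL: certificate does not chain to $3"; return 1; }
  echo "OK: $1 is usable for $4"
}
d=$(mktemp -d) && make_sample "$d" console.local.bytewise.my &&
  preflight "$d/console.crt" "$d/console.key" "$d/ca.crt" console.local.bytewise.my
```

With your own files, call preflight with console.crt, console.key, your root CA certificate and the custom hostname. After the patch in step 3 has rolled out, running curl with --cacert pointing at that root CA instead of -k confirms that clients can verify the served certificate.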
Summary
While the default external API endpoint is sufficient, some users want it customized to suit their needs. This article has shown that it is feasible to do so with the configuration above.