Skip to content

OpenShift 4: Custom API URL Endpoint


On top of the standard api.<cluster_name>.<subdomain> as external API endpoint, we are going to serve this endpoint using custom URL as below:

  • Custom API Endpoint:
  • A certificate signed with SAN for

Refer to this article here if you want to have your own custom root CA.


  1. Configure your load balancer and DNS to ensure “” will reach all masters node.
[[email protected] ~]# nslookup


[[email protected] ~]# nslookup


[[email protected] ~]# 

2. Create a TLS secret to host new hostname as the servingCertificate:

#> ls -lrt
total 16
-rwxrwxr-x. 1 mzali mzali  472 Mar 10 15:59
-rw-------. 1 mzali mzali 1679 Mar 10 16:00 api-ext.key
-rw-rw-r--. 1 mzali mzali 1115 Mar 10 16:00 api-ext.csr
-rw-rw-r--. 1 mzali mzali 1679 Mar 10 16:04 api-ext.crt

#> oc create secret tls api-cert --cert=api-ext.crt --key=api-ext.key -n openshift-config

3. Now patch the apiserver CR for new configuration to take effects:

# oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": [""],
     "servingCertificate": {"name": "api-cert"}}]}}}'

4. Pods will restarting for new config to get in.

5. Finally , we can authenticate using custom URL:

#> curl -kv
*   Trying
###### TRUNCATED #####
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=MY; ST=Selangor; L=Sepang; O=Red Hat;
*  start date: Mar 10 08:04:06 2020 GMT
*  expire date: Aug  4 08:04:06 2021 GMT
*  issuer: C=MY; ST=Selangor; L=Sepang; O=Red Hat; OU=GPS; [email protected]
*  SSL certificate verify ok.
###### TRUNCATED #####
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  "code": 403
* Connection #0 to host left intact

#> oc login -u mzali
Authentication required for (openshift)
Username: mzali
Login successful.

You have access to 53 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
#> oc config get-contexts 
CURRENT   NAME                                                             CLUSTER                           AUTHINFO                                NAMESPACE 
*         default/api-ext-local-bytewise-my:6443/mzali                     api-ext-local-bytewise-my:6443    


While the default external API is sufficient, some user wanted this to be customized to suite their needs. This article shown the feasibility to use those configurations.

Disclaimer: The views expressed and the content shared are those of the author and do not reflect the views of the author's employer or techbeatly platform.

Red Hat ASEAN Senior Platform Consultant. Kubernetes, OpenShift and DevSecOps evangelist.


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.