Skip to content

OpenShift 4: Custom API URL Endpoint

Avatar photo


On top of the standard api.<cluster_name>.<subdomain> as external API endpoint, we are going to serve this endpoint using custom URL as below:

  • Custom API Endpoint: #
  • A certificate signed with SAN for

Refer to this article here if you want to have your own custom root CA.


  1. Configure your load balancer and DNS to ensure “” will reach all masters node.
[root@bastion ~]# nslookup


[root@bastion ~]# nslookup


[root@bastion ~]# 

2. Create a TLS secret to host new hostname as the servingCertificate:

#> ls -lrt
total 16
-rwxrwxr-x. 1 mzali mzali  472 Mar 10 15:59
-rw-------. 1 mzali mzali 1679 Mar 10 16:00 api-ext.key
-rw-rw-r--. 1 mzali mzali 1115 Mar 10 16:00 api-ext.csr
-rw-rw-r--. 1 mzali mzali 1679 Mar 10 16:04 api-ext.crt

#> oc create secret tls api-cert --cert=api-ext.crt --key=api-ext.key -n openshift-config

3. Now patch the apiserver CR for new configuration to take effects:

# oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": [""],
     "servingCertificate": {"name": "api-cert"}}]}}}'

4. Pods will restarting for new config to get in.

5. Finally , we can authenticate using custom URL:

#> curl -kv #
*   Trying
###### TRUNCATED #####
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=MY; ST=Selangor; L=Sepang; O=Red Hat;
*  start date: Mar 10 08:04:06 2020 GMT
*  expire date: Aug  4 08:04:06 2021 GMT
*  issuer: C=MY; ST=Selangor; L=Sepang; O=Red Hat; OU=GPS; [email protected]
*  SSL certificate verify ok.
###### TRUNCATED #####
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  "code": 403
* Connection #0 to host left intact

#> oc login -u mzali #
Authentication required for # (openshift)
Username: mzali
Login successful.

You have access to 53 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
#> oc config get-contexts 
CURRENT   NAME                                                             CLUSTER                           AUTHINFO                                NAMESPACE 
*         default/api-ext-local-bytewise-my:6443/mzali                     api-ext-local-bytewise-my:6443    


While the default external API is sufficient, some user wanted this to be customized to suite their needs. This article shown the feasibility to use those configurations.


The views expressed and the content shared in all published articles on this website are solely those of the respective authors, and they do not necessarily reflect the views of the author’s employer or the techbeatly platform. We strive to ensure the accuracy and validity of the content published on our website. However, we cannot guarantee the absolute correctness or completeness of the information provided. It is the responsibility of the readers and users of this website to verify the accuracy and appropriateness of any information or opinions expressed within the articles. If you come across any content that you believe to be incorrect or invalid, please contact us immediately so that we can address the issue promptly.

Avatar photo
Red Hat ASEAN Senior Platform Consultant. Kubernetes, OpenShift and DevSecOps evangelist.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.