OpenShift 4: Custom API URL Endpoint

Objective

On top of the standard api.<cluster_name>.<subdomain> as external API endpoint, we are going to serve this endpoint using custom URL as below:

• Custom API Endpoint: #
• A certificate signed with SAN for api-ext.local.bytewise.my

Refer to this article here if you want to have your own custom root CA.

Steps

1. Configure your load balancer and DNS to ensure “console.local.bytewise.my” will reach all masters node.

[root@bastion ~]# nslookup api-ext.local.bytewise.my
Server:		192.168.50.254
Address:	192.168.50.254#53

Name:	api-ext.local.bytewise.my
Address: 192.168.50.10

[root@bastion ~]# nslookup api.ocp4.local.bytewise.my
Server:		192.168.50.254
Address:	192.168.50.254#53

Name:	api.ocp4.local.bytewise.my
Address: 192.168.50.10

[root@bastion ~]# 

2. Create a TLS secret to host new hostname as the servingCertificate:

#> ls -lrt
total 16
-rwxrwxr-x. 1 mzali mzali  472 Mar 10 15:59 api-ext.local.bytewise.my.cnf
-rw-------. 1 mzali mzali 1679 Mar 10 16:00 api-ext.key
-rw-rw-r--. 1 mzali mzali 1115 Mar 10 16:00 api-ext.csr
-rw-rw-r--. 1 mzali mzali 1679 Mar 10 16:04 api-ext.crt

#> oc create secret tls api-cert --cert=api-ext.crt --key=api-ext.key -n openshift-config

3. Now patch the apiserver CR for new configuration to take effects:

# oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": ["api-ext.local.bytewise.my"],
     "servingCertificate": {"name": "api-cert"}}]}}}'

4. Pods will restarting for new config to get in.

5. Finally , we can authenticate using custom URL:

#> curl -kv #
*   Trying 192.168.50.10:6443...
###### TRUNCATED #####
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=MY; ST=Selangor; L=Sepang; O=Red Hat; CN=api-ext.local.bytewise.my
*  start date: Mar 10 08:04:06 2020 GMT
*  expire date: Aug  4 08:04:06 2021 GMT
*  issuer: C=MY; ST=Selangor; L=Sepang; O=Red Hat; OU=GPS; emailAddress=mzali@redhat.com
*  SSL certificate verify ok.
###### TRUNCATED #####
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
* Connection #0 to host api-ext.local.bytewise.my left intact
}


#> oc login -u mzali #
Authentication required for # (openshift)
Username: mzali
Password: 
Login successful.

You have access to 53 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
#> oc config get-contexts 
CURRENT   NAME                                                             CLUSTER                           AUTHINFO                                NAMESPACE 
*         default/api-ext-local-bytewise-my:6443/mzali                     api-ext-local-bytewise-my:6443    

Summary

While the default external API is sufficient, some user wanted this to be customized to suite their needs. This article shown the feasibility to use those configurations.