mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
83 lines
2.4 KiB
Plaintext
83 lines
2.4 KiB
Plaintext
// This is included in the following assemblies:
|
|
//
|
|
// * networking/routes/route-configuration.adoc
|
|
// * microshift_networking/microshift-configuring-routes.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="nw-ingress-re-encrypt-route-custom-cert_{context}"]
|
|
= Creating a route using the destination CA certificate in the Ingress annotation
|
|
|
|
[role="_abstract"]
|
|
To define a route with a custom destination CA certificate, apply the `route.openshift.io/destination-ca-certificate-secret` annotation to an Ingress object. This configuration ensures the Ingress Controller uses the specified secret to verify the identity of the destination service.
|
|
|
|
.Prerequisites
|
|
|
|
* You have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
|
|
* You have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
|
|
* You have a separate destination CA certificate in a PEM-encoded file.
|
|
* You have a service that you want to expose.
|
|
|
|
.Procedure
|
|
|
|
. Create a secret for the destination CA certificate by entering the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create secret generic dest-ca-cert --from-file=tls.crt=<file_path>
|
|
----
|
|
+
|
|
For example:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc -n test-ns create secret generic dest-ca-cert --from-file=tls.crt=tls.crt
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
secret/dest-ca-cert created
|
|
----
|
|
|
|
. Add the `route.openshift.io/destination-ca-certificate-secret` to the Ingress annotations:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: frontend
|
|
annotations:
|
|
route.openshift.io/termination: "reencrypt"
|
|
route.openshift.io/destination-ca-certificate-secret: secret-ca-cert
|
|
...
|
|
----
|
|
+
|
|
where:
|
|
+
|
|
`destination-ca-certificate-secret`:: Specifies the `route.openshift.io/destination-ca-certificate-secret` annotation. The annotation references a Kubernetes secret.
|
|
+
|
|
The Ingress Controller inserts a secret that is referenced in the annotation into the generated route.
|
|
+
|
|
.Example output
|
|
[source,yaml]
|
|
----
|
|
apiVersion: route.openshift.io/v1
|
|
kind: Route
|
|
metadata:
|
|
name: frontend
|
|
annotations:
|
|
route.openshift.io/termination: reencrypt
|
|
route.openshift.io/destination-ca-certificate-secret: secret-ca-cert
|
|
spec:
|
|
...
|
|
tls:
|
|
insecureEdgeTerminationPolicy: Redirect
|
|
termination: reencrypt
|
|
destinationCACertificate: |
|
|
-----BEGIN CERTIFICATE-----
|
|
[...]
|
|
-----END CERTIFICATE-----
|
|
...
|
|
----
|