Digital Developer Conference: Hybrid Cloud 2021. On Sep 21, gain free hybrid cloud skills from experts and partners. Register now

Secure routes for your microservices on Red Hat OpenShift

Introduction

In Red Hat OpenShift, a router is deployed to your cluster that functions as the ingress endpoint for external network traffic. Basically, this route exposes the service for your application so that any external device can access it. There are four types of routes in OpenShift: simple, edge, passthrough, and re-encrypt. The simple route is unencrypted, doesn’t require TLS termination, and handles non-encrypted HTTP traffic. The rest of the routes handle HTTPS traffic in different ways:

  • Edge route: The TLS connection is terminated between the client and router service while the connection between the router service and app pod is unencrypted.
  • Passthrough route: The TLS connection doesn’t get interrupted from the client to the app pod, and the connection is terminated at the app pod level.
  • Re-encrypt route: The TLS connection between the client and router service is terminated, and then a new TLS connection between the router and service and the app pod is created.

In this tutorial, you learn the difference between these types of routes and create simple, edge, and passthrough routes.

Prerequisites

For this tutorial, you need:

Estimated time

Completing this tutorial should take about 30 minutes.

Log in from the CLI and create a project

  1. From the OpenShift web console, click your username at the top right and from the menu, and then click Copy Login Command.

    login

  2. Click Display Token.

  3. Copy and paste the oc login command into the IBM Cloud Shell.

  4. Create a project called my-route-project:

     oc new-project my-route-project
    

Create the application

  1. Create a new deployment resource using the ibmcom/guestbook:v2 docker image in the project that you just created:

     oc create deployment myguestbook --image=ibmcom/guestbook:v2
    

    This deployment creates the corresponding pod that’s in running state.

  2. Enter the following command to see the list of pods in your namespace:

     oc get pods
    
  3. Create a Kubernetes NodePort service for your app deployment. The service provides an internal IP address for the app that the router can send traffic to:

     oc expose deployment myguestbook --type="NodePort" --port=3000
    

Expose the route

  1. Enter the following command to view the service that you need to expose:

     oc get svc
    

    Notice that the application isn’t accessible externally; you have only exposed the deployment internally.

  2. Enter the following command to make the application externally accessible:

     oc expose svc myguestbook
    
  3. Enter the following command to get the route:

     oc get routes
    
  4. Copy the link under HOST/PORT and paste it into your browser. You are redirected to a web page similar to this:

    Web page not secure

    Notice that the web page is not secure because you haven’t used any type of encryption yet.

  5. Delete the route before moving to the next step (you will use the same application to create an edge route):

     oc delete route myguestbook
    

Extract the SSL cert secret

In this section, you extract and save the SSL cert secret of your cluster that you will use in the next steps for creating edge route and passthrough routes. The SSL cert secret is a default secret that is provided along with your cluster, and it includes a key and certificate pair that can be used for securing access to your applications. Normally, you would be issuing a signed certificate authority for your website, but for the sake of exploring different routes and how to use secrets, we will stick to using the default certificate and key. Now, let’s take a look at the secrets in the openshift-ingress project.

  1. You need the kubernetes.io/tls type TLS secret that’s generated for your cluster:

     oc get secrets -n openshift-ingress
    

    image

  2. View the secret values in your command line, using your TLS secret name:

     oc extract secret/<YOUR-TLS-SECRET-NAME> --to - -n openshift-ingress
    

    Notice that the key and certificate pair are saved in PEM encoded files.

    image

  3. Save the secret in a temporary directory:

     oc extract secret/<YOUR-TLS-SECRET-NAME> --to=/tmp -n openshift-ingress
    

    image

Create an edge route

  1. Create the edge route using the following command:

     oc create route edge --service myguestbook --key /tmp/tls.key --cert /tmp/tls.crt
    
  2. Use the following command to show the edge route that you just created. Copy the URL under HOST/PORT and paste it in your browser to view the application.

     oc get routes
    

    Copy the link under HOST/PORT and paste it into your browser. You are redirected to the same guestbook application, but notice that this time it is secure.

    image

  3. Check information about the secured website and certificate from the lock icon at the top left of the browser:

    image

    image

Create a Golang application

In this section, you deploy a new application that you will use for both passthrough and re-encrypt routes, and then you create a secret and mount it to the volume so that you can create the routes.

  1. Create the deployment config and service using the oc create command:

     oc create -f https://raw.githubusercontent.com/nerdingitout/oc-route/main/golang-https.yml
    
  2. Create the TLS secret using the same secret you extracted earlier:

     oc create secret tls mycert --cert /tmp/tls.crt --key /tmp/tls.key
    
  3. Mount the secret to your volume:

     oc set volume dc/golang-https --add -t secret -m /go/src/app/certs --name cert --secret-name mycert
    

Create a passthrough route

  1. Create the passthrough route:

     oc create route passthrough golang-https --service golang-https
    
  2. Use the following command to show the passthrough route that you just created.

     oc get routes
    

    Copy the URL under HOST/PORT and paste it into your browser to view the application. Notice that the termination type is passthrough:

    routes

  3. The application you just accessed is a simple hello application with an image. You can check information about the secured website and certificate from the lock icon at the top left of the browser. This proves that you have successfully created a secure application using passthrough termination.

    golang

Summary

This tutorial covered the basics of the different routes and basic knowledge around certificate authority and security. You learned how to extract secrets, use certificate and key pairs for secure routes, use secrets and mount them to volume, and create different routes and access your applications externally.

To learn more about secure routes on Red Hat OpenShift on IBM Cloud, check out the Exposing apps with routes in OpenShift 4 documentation.