blob: f535d46bd1146ffb229c3c068b92fb702e2e49a7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
Architecture
============
- The users are not directly connected to the services running in OpenShift. There is always
load-balancing HAProxy sitting in between. There is several implications:
* The service will get request from HAProxy IP. I.e. IP-based authentication is not possible
anymore.
* If multiple service replicas running, by default HAProxy will distribute request in round-robin
fashion. I.e. request from the user will be served by different replicas. If we have several running
datbases which are not completely in sync, the user may get confusing changing data. This can be fixed
by setting 'haproxy.router.openshift.io/balance' to 'source' in route metadata. Then, the destination
replica will be determined based on the client IP.
* HAProxy has configured a default timeout. If replica does not send data within '30s' the connection
will be terminated. It can be increased with 'haproxy.router.openshift.io/timeout'
* There is a several ways to configure certiciates for HTTPS services defined by type of tls termination
in the route specification. With 'passthrough' the container is expected to handle certificates itself.
In the edge termination mode, the certificates are configured in the route and HAProxy manages secure
communication with clients and provides unencrypted data to the service in the cluster.
Updating/Generating certificates for the router
===============================================
- Generating key & csr request
openssl genrsa -out kaas.key 4096
openssl req -new -key kaas.key -sha256 -nodes -out kaas.csr -config <(
cat <<-EOF
[ req ]
default_bits = 4096
req_extensions = req_ext
...
[ dn ]
CN=kaas.kit.edu
...
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kaas.kit.edu
DNS.2 = *.kaas.kit.edu
EOF
)
- Installing
* Two files are needed.
1) Secret Key
2) PEM file containing both certificate and secret key. No CA certificate is needed (at least if our
certifcate is signed by known CA)
* New 'router-certs' secret should be created in 'default' namespace. Probably it is better to
modify existing secret than delete/create. However, the strings can't just be copied. Easiest way
is to create a new secret in temporary namespace:
oc -n test secrets new router-certs tls.crt=kaas.pem tls.key=kaas.key
and then copy 'tls.crt' and 'tls.key' values over.
* To reload secret, the 'router' pods should be deleted (and automatically re-created by rc).
|