Architecture ============ - The users are not directly connected to the services running in OpenShift. There is always load-balancing HAProxy sitting in between. There is several implications: * The service will get request from HAProxy IP. I.e. IP-based authentication is not possible anymore. * If multiple service replicas running, by default HAProxy will distribute request in round-robin fashion. I.e. request from the user will be served by different replicas. If we have several running datbases which are not completely in sync, the user may get confusing changing data. This can be fixed by setting 'haproxy.router.openshift.io/balance' to 'source' in route metadata. Then, the destination replica will be determined based on the client IP. * HAProxy has configured a default timeout. If replica does not send data within '30s' the connection will be terminated. It can be increased with 'haproxy.router.openshift.io/timeout' in route metadata. * There is a several ways to configure certiciates for HTTPS services defined by type of tls termination in the route specification. With 'passthrough' the container is expected to handle certificates itself. In the edge termination mode, the certificates are configured in the route and HAProxy manages secure communication with clients and provides unencrypted data to the service in the cluster. - Sample metadata configuration for route: kind: Route metadata: annotations: haproxy.router.openshift.io/balance: 'source' haproxy.router.openshift.io/timeout: 300s Updating/Generating certificates for the router =============================================== - Generating key & csr request openssl genrsa -out kaas.key 4096 openssl req -new -key kaas.key -sha256 -nodes -out kaas.csr -config <( cat <<-EOF [ req ] default_bits = 4096 req_extensions = req_ext ... [ dn ] CN=kaas.kit.edu ... [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = kaas.kit.edu DNS.2 = *.kaas.kit.edu EOF ) - Installing * Two files are needed. 1) Secret Key 2) PEM file containing both certificate and secret key. And all certificates in the chain until the root certificate (the trusted root may be omitted, but including cause no problems either * New 'router-certs' secret should be created in 'default' namespace. Probably it is better to modify existing secret than delete/create. However, the strings can't just be copied. Easiest way is to create a new secret in temporary namespace: oc -n test secrets new router-certs tls.crt=kaas.pem tls.key=kaas.key and then copy 'tls.crt' and 'tls.key' values over. * To reload secret, the 'router' pods should be deleted (and automatically re-created by rc).