Exposing secure route to Presto (Java) server

Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. To expose a secure route to Presto (Java) server in IBM® watsonx.data, use the reencrypt route.

watsonx.data on Red Hat® OpenShift®

Attention: Use this procedure to expose a secure route to Presto (Java) server for watsonx.data v1.0.0 or v1.0.1.

For watsonx.data v1.0.2, routes are automatically created for each Presto (Java) engine that is provisioned.

Note: Routes must be exposed only when you need to access the Presto (Java) engine from outside the OpenShift cluster. Also, routes must be exposed for every new Presto (Java) engine that is provisioned, if a client from outside the OCP cluster needs to connect.

About this task

Complete the following steps to expose a secure route to Presto (Java) server in a watsonx.data standalone deployment.

Procedure

  1. Log in to the OpenShift cluster.
    Use one of the following methods to establish a session to your OpenShift server.
    1. Run the following command to log in to the cluster by providing a username and password:
      oc login \
      --username=${OCP_USERNAME} \
      --password=${OCP_PASSWORD} \
      --server=${OCP_URL}
    2. Run the following command to log in to the cluster by providing a token:
      oc login \
      --server=${OCP_URL} \
      --token=${OCP_TOKEN}
  2. Set up the PROJECT_CPD_INST_OPERANDS environment variable pointing to the namespace where watsonx.data is installed.
    export PROJECT_CPD_INST_OPERANDS=<wxd_namespace>
  3. Extract the self-signed TLS certificates.
    oc extract secret/ibm-lh-tls-secret --keys=tls.crt -n ${PROJECT_CPD_INST_OPERANDS}
    The self-signed cert is extracted to tls.crt.
  4. Identify the engine and service name that you want to expose:
    oc get wxdengine -n ${PROJECT_CPD_INST_OPERANDS} -o custom-columns='CR-NAME:metadata.name,ENGINE:spec.engineDisplayName,SERVICE:spec.engineUri' | sed 's/.'${PROJECT_CPD_INST_OPERANDS}'.svc.cluster.local//'
    Example:

    If you have two engines created for the Presto (Java) server:

    # oc get wxdengine -n ${PROJECT_CPD_INST_OPERANDS} -o custom-columns='CR-NAME:metadata.name,ENGINE:spec.engineDisplayName,SERVICE:spec.engineUri' | sed 's/.'${PROJECT_CPD_INST_OPERANDS}'.svc.cluster.local//'
    CR-NAME               ENGINE      SERVICE
    lakehouse-presto-01   presto-01   ibm-lh-lakehouse-presto-01-presto-svc
    lakehouse-presto314   jsizto-01   ibm-lh-lakehouse-presto314-presto-svc
    
    1. Set up the ENGINE_SVC_TO_EXPOSE environment variable pointing to the SERVICE name of the engine route you want to expose.
      export ENGINE_SVC_TO_EXPOSE=<SERVICE>
      Example:

      If you want to expose the secure route for engine presto-01, then set to this service:

      # export ENGINE_SVC_TO_EXPOSE=ibm-lh-lakehouse-presto-01-presto-svc
  5. Create a re-encrypt route to expose the engine.
    oc create route reencrypt \
    --service=${ENGINE_SVC_TO_EXPOSE} \
    --dest-ca-cert=tls.crt \
    --port 8443 -n ${PROJECT_CPD_INST_OPERANDS}
  6. Verify and record the new re-encrypt route.
    oc get route -n ${PROJECT_CPD_INST_OPERANDS} ${ENGINE_SVC_TO_EXPOSE}

    The secure route is under the HOST/PORT column.

    Example:

    In this example, the secure route name is:
    ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com
    # oc get route -n ${PROJECT_CPD_INST_OPERANDS} ${ENGINE_SVC_TO_EXPOSE}
    NAME                                   HOST/PORT                                                                        PATH   SERVICES                               PORT  TERMINATION  WILDCARD
    ibm-lh-lakehouse-presto-01-presto-svc  ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com         ibm-lh-lakehouse-presto-01-presto-svc  8443  reencrypt    None
  7. To connect to the exposed Presto (Java) server, use the exposed secure route name as the hostname and 443 as the port number.
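
A check that can follow step 6, added here as an example and not part of the IBM procedure: it confirms that the route points at the intended service on port 8443, uses reencrypt termination, and does not also serve the engine over plain HTTP. The names ROUTE_FIELDS and check_route are assumptions made for this example, and the sample line is constructed from the example output in step 6.

```shell
#!/bin/sh
# Added example: post-creation check for the re-encrypt route from step 5.
# Real use (needs an oc session; not executed here):
#   oc get route -n "${PROJECT_CPD_INST_OPERANDS}" "${ENGINE_SVC_TO_EXPOSE}" \
#     -o jsonpath="${ROUTE_FIELDS}" | check_route "${ENGINE_SVC_TO_EXPOSE}"

# jsonpath template: host|service|targetPort|termination|insecure policy
ROUTE_FIELDS='{.spec.host}{"|"}{.spec.to.name}{"|"}{.spec.port.targetPort}{"|"}{.spec.tls.termination}{"|"}{.spec.tls.insecureEdgeTerminationPolicy}{"\n"}'

# check_route EXPECTED_SERVICE   (hypothetical helper)
# Reads one ROUTE_FIELDS line on stdin. On success prints "host:443", the
# external endpoint from step 7, and returns 0. Otherwise it reports every
# mismatch on stderr and returns 1.
check_route() {
    expected_svc=$1
    IFS='|' read -r r_host r_svc r_port r_term r_insecure || {
        echo "no route data on stdin" >&2; return 1; }
    rc=0
    [ -n "$r_host" ] || { echo "route has no host" >&2; rc=1; }
    [ "$r_svc" = "$expected_svc" ] || {
        echo "route targets '$r_svc', expected '$expected_svc'" >&2; rc=1; }
    [ "$r_port" = "8443" ] || {
        echo "target port is '$r_port', expected 8443" >&2; rc=1; }
    [ "$r_term" = "reencrypt" ] || {
        echo "termination is '$r_term', expected reencrypt" >&2; rc=1; }
    # Empty or None: plain HTTP is refused. Redirect: HTTP is sent to HTTPS.
    # Allow would also serve the engine over unencrypted HTTP.
    case "$r_insecure" in
        ''|None|Redirect) ;;
        *) echo "insecure policy '$r_insecure' permits plain HTTP" >&2; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "${r_host}:443"
    return "$rc"
}

# Constructed sample line, modelled on the example output in step 6.
SAMPLE='ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com|ibm-lh-lakehouse-presto-01-presto-svc|8443|reencrypt|'
printf '%s\n' "$SAMPLE" | check_route ibm-lh-lakehouse-presto-01-presto-svc
```

A non-zero exit status means the route should be corrected before the hostname is handed to external clients.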

What to do next