Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. To expose a secure route to Presto (Java) server in IBM® watsonx.data, use the reencrypt route.
watsonx.data on Red Hat® OpenShift®
Attention: Use this procedure to expose a secure route to Presto (Java) server for watsonx.data v1.0.0 or v1.0.1. For watsonx.data v1.0.2, routes are automatically created for each Presto (Java) engine that is provisioned.
Note: Routes must be exposed only when you need to access the Presto (Java) engine from outside the OpenShift cluster. Also, routes must be exposed for every new Presto (Java) engine that is provisioned, if a client from outside the OCP cluster needs to connect.
About this task
Complete the following steps to expose a secure route to Presto (Java) server in watsonx.data standalone deployment.
Procedure
- Log in to the OpenShift container. Use one of the following methods to establish a session to your OpenShift server.
  - Run the following command to log in to the cluster by providing a username and password:
    oc login \
    --user=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
  - Run the following command to log in to the cluster by providing a token:
    oc login \
    --server=${OCP_URL} \
    --token=${OCP_TOKEN}
- Set up the PROJECT_CPD_INST_OPERANDS environment variable pointing to the namespace where watsonx.data is installed.
  export PROJECT_CPD_INST_OPERANDS=<wxd_namespace>
- Extract the self-signed TLS certificates.
  oc extract secret/ibm-lh-tls-secret --keys=tls.crt -n ${PROJECT_CPD_INST_OPERANDS}
  The self-signed cert is extracted to tls.crt.
- Identify the engine and service name that you want to expose:
  oc get wxdengine -n ${PROJECT_CPD_INST_OPERANDS} -o custom-columns='CR-NAME:metadata.name,ENGINE:spec.engineDisplayName,SERVICE:spec.engineUri' | sed 's/.'${PROJECT_CPD_INST_OPERANDS}'.svc.cluster.local//'
  Example:
  If you have two engines created for the Presto (Java) server:
  # oc get wxdengine -n ${PROJECT_CPD_INST_OPERANDS} -o custom-columns='CR-NAME:metadata.name,ENGINE:spec.engineDisplayName,SERVICE:spec.engineUri' | sed 's/.'${PROJECT_CPD_INST_OPERANDS}'.svc.cluster.local//'
  CR-NAME              ENGINE     SERVICE
  lakehouse-presto-01  presto-01  ibm-lh-lakehouse-presto-01-presto-svc
  lakehouse-presto314  jsizto-01  ibm-lh-lakehouse-presto314-presto-svc
- Set up the ENGINE_SVC_TO_EXPOSE environment variable pointing to the SERVICE name of the engine route you want to expose.
  export ENGINE_SVC_TO_EXPOSE=<SERVICE>
  Example:
  If you want to expose the secure route for engine presto-01, then set to this service:
  # export ENGINE_SVC_TO_EXPOSE=ibm-lh-lakehouse-presto-01-presto-svc
- Create a re-encrypt route to expose the engine.
  oc create route reencrypt \
  --service=${ENGINE_SVC_TO_EXPOSE} \
  --dest-ca-cert=tls.crt \
  --port 8443 -n ${PROJECT_CPD_INST_OPERANDS}
- Verify and record the new re-encrypt route.
  oc get route -n ${PROJECT_CPD_INST_OPERANDS} ${ENGINE_SVC_TO_EXPOSE}
  The secure route is under the HOST/PORT column.
  Example:
  In this example, the secure route name is: ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com
  # oc get route -n ${PROJECT_CPD_INST_OPERANDS} ${ENGINE_SVC_TO_EXPOSE}
  NAME                                    HOST/PORT                                                                         PATH   SERVICES                                PORT   TERMINATION   WILDCARD
  ibm-lh-lakehouse-presto-01-presto-svc   ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com          ibm-lh-lakehouse-presto-01-presto-svc   8443   reencrypt     None
- To connect with the exposed Presto (Java) server, use the exposed secure route name as the hostname and use port 443 as port number with this route.
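
A check that can follow the verification step, added here as an example and not part of IBM's procedure: check_route (a hypothetical helper) reads the oc get route listing and prints the hostname only when the route terminates as reencrypt on port 8443 for the expected service. The second row of the sample listing is constructed to show a route that fails the check.

```shell
#!/bin/sh
# Added example (not IBM's code): confirm the route listing shows re-encrypt
# termination to port 8443 on the expected service, then print the hostname.

# Constructed sample listing: row 1 is the page's example output, row 2 is a
# made-up route that was created with edge termination by mistake.
sample_listing() {
  cat <<'EOF'
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
ibm-lh-lakehouse-presto-01-presto-svc ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com ibm-lh-lakehouse-presto-01-presto-svc 8443 reencrypt None
constructed-edge-svc constructed-edge-svc-cpd-instance.apps.example.cp.fyre.ibm.com constructed-edge-svc 8443 edge None
EOF
}

# check_route SERVICE < listing
# Prints the route host and returns 0 only if every check passes;
# returns 1 on a failed check and 2 if no route has that name.
# Columns are read from the right because PATH is normally empty.
check_route() {
  awk -v svc="$1" '
    NR == 1 { next }                      # skip the header row
    $1 == svc {
      found = 1
      term = $(NF - 1); port = $(NF - 2); backend = $(NF - 3)
      # accept "reencrypt", optionally followed by "/<insecure policy>"
      if (term !~ /^reencrypt(\/|$)/) { print "termination: " term > "/dev/stderr"; bad = 1 }
      if (port != "8443") { print "port: " port > "/dev/stderr"; bad = 1 }
      if (backend != svc) { print "backend: " backend > "/dev/stderr"; bad = 1 }
      if (!bad) print $2
    }
    END { if (!found) exit 2; exit (bad ? 1 : 0) }
  '
}

# Live use (same variables as the procedure):
#   oc get route -n "${PROJECT_CPD_INST_OPERANDS}" "${ENGINE_SVC_TO_EXPOSE}" \
#     | check_route "${ENGINE_SVC_TO_EXPOSE}"
sample_listing | check_route ibm-lh-lakehouse-presto-01-presto-svc
```

The printed hostname is the value clients use with port 443; a non-zero exit status means the route should be inspected before it is handed out.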