Completing extra post-deployment tasks on ROKS

For most deployments on Red Hat OpenShift Kubernetes Service (ROKS), extra steps are needed to ensure that the environment works correctly.

About this task

To create routes with Transport Layer Security (TLS) termination reencryption on ROKS, you must provide the CA certificate, and the certificate and key for that component. Some components are configured to use routes with "reencrypt", and others are configured with "pass-through". For more information, see https://www.openshift.com/blog/self-serviced-end-to-end-encryption-approaches-for-applications-deployed-in-openshift.

Procedure

  1. Get the CA certificate ($DESTINATIONCACERTIFICATE).
    kubectl get secret -o jsonpath="{ .data.tls\.crt }" "{{ meta.name }}-root-ca" | base64 -d
  2. Get a certificate ($CERTIFICATE) and key ($CERT_KEY) for a specific component.
    kubectl get secret -o jsonpath="{ .data.tls\.crt }" "{{ meta.name }}-XXX-ext-tls-secret" | base64 -d
    kubectl get secret -o jsonpath="{ .data.tls\.key }" "{{ meta.name }}-XXX-ext-tls-secret" | base64 -d
    Where XXX is the acronym of the component name, and {{ meta.name }} is the instance name that prefixes the service names returned by kubectl get svc -n <namespace>. For Content Manager (fncm), for example:
    kubectl get secret -o jsonpath="{ .data.tls\.crt }" "{{ meta.name }}-fncm-ext-tls-secret" | base64 -d
    kubectl get secret -o jsonpath="{ .data.tls\.key }" "{{ meta.name }}-fncm-ext-tls-secret" | base64 -d
  3. Create the routes by using YAML files or the ROKS console with the retrieved certificates and keys.

    The following YAML shows an example of a route object where the retrieved certificates and key are replaced with the values from steps 1 and 2.

    ################################################################################
    #
    # Licensed Materials - Property of IBM
    #
    # (C) Copyright IBM Corp. 2019 - 2020. All Rights Reserved.
    #
    # US Government Users Restricted Rights - Use, duplication or
    # disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    #
    ###############################################################################
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: '{{ meta.name }}-<XXX>-route'
      namespace: '{{ meta.namespace }}'
      annotations:
        haproxy.router.openshift.io/balance: roundrobin
        haproxy.router.openshift.io/timeout: 300s
        router.openshift.io/sticky_cookie: -sticky_cookie_annotation
      labels:
        servicename: '{{ meta.name }}-<XXX>-svc'
        app: '{{ meta.name }}'
        app.kubernetes.io/instance: '{{ meta.name }}'
        app.kubernetes.io/managed-by: '{{ meta.name }}'
        app.kubernetes.io/name: '{{ meta.name }}'
        release: "20.0.3"
    spec:
      port:
        targetPort: https
      to:
        kind: Service
        name: '{{ meta.name }}-<XXX>-svc'
        weight: 100
      wildcardPolicy: None
      tls:
        insecureEdgeTerminationPolicy: Redirect
        termination: reencrypt
        # Every line of the PEM material must be indented deeper than its key,
        # otherwise the block scalar is empty and the manifest fails to parse.
        key: |-
          $CERT_KEY
        certificate: |-
          $CERTIFICATE
        destinationCACertificate: |-
          $DESTINATIONCACERTIFICATE

  4. New in 20.0.3: If you enabled ingress, you can get a list of ingress objects by running the following command.
    ibmcloud oc cluster get --cluster <clusterID> | grep Ingress
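The following shell script is an added example, not part of the IBM documentation or product, that automates steps 1 to 3: it reads the CA, certificate and key out of the secrets named above and assembles the reencrypt Route manifest, indenting each PEM line under its block scalar (the detail that most often breaks hand-edited routes). The secret and service naming, the `-n <namespace>` flag, and the function names (`build_route_yaml`, `make_route`, `fetch_secret_field`) are assumptions of this example; the PEM blocks at the top are constructed placeholders so the manifest builder can be exercised without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): build a reencrypt Route for a CP4BA
# component on ROKS from the TLS secrets described in steps 1 and 2.
set -eu

# Constructed placeholder PEM blocks (not real key material) so that
# build_route_yaml can be demonstrated offline.
SAMPLE_KEY='-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEYMATERIAL
-----END PRIVATE KEY-----'
SAMPLE_CRT='-----BEGIN CERTIFICATE-----
PLACEHOLDERCOMPONENTCERT
-----END CERTIFICATE-----'
SAMPLE_CA='-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCA
-----END CERTIFICATE-----'

# indent_pem WIDTH: prefix every stdin line with WIDTH spaces so a multi-line
# PEM block sits correctly inside a YAML "|-" block scalar.
indent_pem() {
  pad=$(printf '%*s' "$1" '')
  sed "s/^/$pad/"
}

# build_route_yaml NAME NAMESPACE XXX CERT_KEY CERTIFICATE DEST_CA
# Emits the Route manifest from already-retrieved PEM strings.
build_route_yaml() {
  name="$1"; ns="$2"; xxx="$3"; cert_key="$4"; certificate="$5"; dest_ca="$6"
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: '${name}-${xxx}-route'
  namespace: '${ns}'
  annotations:
    haproxy.router.openshift.io/balance: roundrobin
    haproxy.router.openshift.io/timeout: 300s
  labels:
    servicename: '${name}-${xxx}-svc'
    app: '${name}'
spec:
  port:
    targetPort: https
  to:
    kind: Service
    name: '${name}-${xxx}-svc'
    weight: 100
  wildcardPolicy: None
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: reencrypt
    key: |-
$(printf '%s\n' "$cert_key" | indent_pem 6)
    certificate: |-
$(printf '%s\n' "$certificate" | indent_pem 6)
    destinationCACertificate: |-
$(printf '%s\n' "$dest_ca" | indent_pem 6)
EOF
}

# fetch_secret_field SECRET FIELD NAMESPACE: decode one field of a TLS secret.
# FIELD is passed as written in the jsonpath, e.g. 'tls\.crt'.
fetch_secret_field() {
  kubectl get secret -n "$3" "$1" -o jsonpath="{ .data.$2 }" | base64 -d
}

# make_route NAME NAMESPACE XXX: steps 1 to 3 end to end. Refuses to emit a
# manifest when any of the three PEM blocks came back empty, which is what an
# unset or misspelled secret name looks like.
make_route() {
  name="$1"; ns="$2"; xxx="$3"
  ca=$(fetch_secret_field "${name}-root-ca" 'tls\.crt' "$ns")
  key=$(fetch_secret_field "${name}-${xxx}-ext-tls-secret" 'tls\.key' "$ns")
  crt=$(fetch_secret_field "${name}-${xxx}-ext-tls-secret" 'tls\.crt' "$ns")
  for v in "$ca" "$key" "$crt"; do
    [ -n "$v" ] || { echo "make_route: empty PEM returned for ${name}/${xxx}" >&2; return 1; }
  done
  build_route_yaml "$name" "$ns" "$xxx" "$key" "$crt" "$ca"
}

# Offline demonstration with the constructed placeholders. Against a cluster:
#   make_route <meta.name> <namespace> fncm | kubectl apply -f -
build_route_yaml demo-cp4ba cp4ba fncm "$SAMPLE_KEY" "$SAMPLE_CRT" "$SAMPLE_CA"
```

Pipe the output through `kubectl apply -f -` (or `oc apply`) once the PEM blocks in the manifest look right; keep the generated file out of version control, since it embeds the component's private key.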