
@jeesmon
Created February 28, 2022 14:57

When you provision an OpenShift cluster, your cloud provider assigns a publicly accessible ingress domain to the cluster. For example, in Azure you get something like apps.xxx.eastus2.aroapp.io, and in ROKS on Satellite you get something like xxxx-0b75760e3yyy00a0-0000.upi.containers.appdomain.cloud. The cloud provider also sets up a wildcard SSL cert for that domain. As long as you create routes or secure routes under that ingress domain, you will be fine most of the time. But for a customer application, it may not be ideal to use the ingress domain provided by the cloud provider. If you want to use a custom domain for your routes, these are the sample steps you can follow.

  1. Register a domain with a domain registrar. For this example, say k8s4.dev, registered at domains.google.com.

  2. Obtain a wildcard certificate for your domain, *.k8s4.dev. This step is needed only if you want to create secured routes, which is the default nowadays.

If you want to use Let’s Encrypt (a nonprofit Certificate Authority providing free TLS certificates) for your cert, you can generate one with the following commands on your Mac. These certs expire every 90 days, so you need to renew them.

```bash
brew install certbot
sudo certbot certonly --manual --preferred-challenges=dns --email <email> --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.k8s4.dev"
```

  3. In the DNS settings of your domain, add a CNAME for your route (ex: hello-route-azure CNAME hello-route-azure.apps.xxxx.eastus2.aroapp.io). Note the hello-route-azure prefix on the ingress domain of the cloud provider. It can be anything, as <anything>.apps.xxxx.eastus2.aroapp.io will resolve to your cluster.

  4. In your OpenShift cluster, create a route for your service with your custom domain as the hostname (ex: hello-route-azure.k8s4.dev). If everything is configured correctly, http://<your_hostname> should open your app (ex: http://hello-route-azure.k8s4.dev).

  5. If you want to use your custom domain for a secured route (https), you also need to provide the cert and key from Step 2 in PEM format when you create the route (ex: https://hello-route-azure.k8s4.dev).

  6. If you want to use your custom domain for Istio TLS Routes, you need to create a Kubernetes TLS secret from your cert and key in the istio-system namespace and use the secret name in your Istio Gateway spec (ex: https://hello-istio-azure.k8s4.dev).
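
The secured route and the Istio Gateway described in the last two steps, written as manifests. This is an added example, not part of the original gist; the resource names, namespaces, Service name, secret name and the `istio: ingressgateway` selector are assumptions, and the PEM bodies are placeholders for the cert and key obtained with certbot.

```yaml
# Added example (constructed). Names, namespaces and the Service are assumptions.
# Secured route: edge-terminated TLS on the custom hostname.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: hello-route-azure              # assumed route name
  namespace: hello                     # assumed application namespace
spec:
  host: hello-route-azure.k8s4.dev     # must match the CNAME record and be covered by *.k8s4.dev
  to:
    kind: Service
    name: hello                        # assumed Service name
  tls:
    termination: edge                  # TLS ends at the OpenShift router
    insecureEdgeTerminationPolicy: Redirect   # redirect plain HTTP to HTTPS
    certificate: |
      -----BEGIN CERTIFICATE-----
      <PEM certificate for *.k8s4.dev>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <PEM private key for the certificate>
      -----END PRIVATE KEY-----
---
# Istio TLS route: the Gateway refers to a kubernetes.io/tls secret by name.
# The secret must exist in istio-system before the Gateway is applied, e.g.
#   oc create secret tls k8s4-dev-wildcard -n istio-system \
#     --cert=<cert file> --key=<key file>
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: hello-gateway                  # assumed gateway name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway              # assumed label of the ingress gateway pods
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE                   # server-side TLS only
        credentialName: k8s4-dev-wildcard   # assumed secret name, same as created above
      hosts:
        - hello-istio-azure.k8s4.dev
```

The private key is embedded in the Route object and stored in the secret, so restrict who can read routes in the application namespace and secrets in istio-system, and replace both copies each time the 90-day certificate is renewed.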
