Chapter 15. Configuring Routes OpenShift Container Platform 4.6 | Red Hat Customer Portal (2023)

15.1. Route configuration

15.1.1. Creating an HTTP-based route

A route allows you to host your application at a public URL. It can be secure or unsecured, depending on the network security configuration of your application. An HTTP-based route is an unsecured route that uses the basic HTTP routing protocol and exposes a service on an unsecured application port.

The following procedure describes how to create a simple HTTP-based route to a web application, using the hello-openshift application as an example.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You are logged in as an administrator.
  • You have a web application that exposes a port and a TCP endpoint listening for traffic on the port.

Procedure

  1. Create a project called hello-openshift by running the following command:

    $ oc new-project hello-openshift
  2. Create a pod in the project by running the following command:

    $ oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json
  3. Create a service called hello-openshift by running the following command:

    $ oc expose pod/hello-openshift
  4. Create an unsecured route to the hello-openshift application by running the following command:

    $ oc expose svc hello-openshift

    If you examine the resulting Route resource, it should look similar to the following:

    YAML definition of the created unsecured route:

    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: hello-openshift
    spec:
      host: hello-openshift-hello-openshift.<Ingress_Domain> 1
      port:
        targetPort: 8080
      to:
        kind: Service
        name: hello-openshift

    1 <Ingress_Domain> is the default ingress domain name.

    Note

    To display your default ingress domain, run the following command:

    $ oc get ingresses.config/cluster -o jsonpath={.spec.domain}

15.1.2. Configuring route timeouts

You can configure the default timeouts for an existing route when you have services that need a low timeout, which is required for Service Level Availability (SLA) purposes, or a high timeout, for cases with a slow back end.

Prerequisites

  • You need a deployed Ingress Controller on a running cluster.

Procedure

  1. Using the oc annotate command, add the timeout to the route:

    $ oc annotate route <route_name> \
        --overwrite haproxy.router.openshift.io/timeout=<timeout><time_unit> 1

    1 Supported time units are microseconds (us), milliseconds (ms), seconds (s), minutes (m), hours (h), or days (d).

    The following example sets a timeout of two seconds on a route named myroute:

    $ oc annotate route myroute --overwrite haproxy.router.openshift.io/timeout=2s

15.1.3. Enabling HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) policy is a security enhancement that ensures that only HTTPS traffic is allowed on the host. Any HTTP requests are dropped by default. This is useful for ensuring secure interactions with websites, or for offering a secure application for the user's benefit.

When HSTS is enabled, HSTS adds a Strict Transport Security header to HTTPS responses from the site. You can use the insecureEdgeTerminationPolicy value in a route to redirect HTTP to HTTPS. However, when HSTS is enabled, the client changes all requests from the HTTP URL to HTTPS before the request is sent, eliminating the need for a redirect. This is not required to be supported by the client, and can be disabled by setting max-age=0.

Important

HSTS works only with secure routes (either edge terminated or re-encrypt). The configuration has no effect on HTTP or passthrough routes.

Procedure

  • To enable HSTS on a route, add the haproxy.router.openshift.io/hsts_header value to the edge terminated or re-encrypt route:

    apiVersion: v1
    kind: Route
    metadata:
      annotations:
        haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload 1 2 3

    1 max-age is the only required parameter. It measures the length of time, in seconds, that the HSTS policy is in effect. The client updates max-age whenever a response with an HSTS header is received from the host. When max-age times out, the client discards the policy.

    2 includeSubDomains is optional. When included, it tells the client that all subdomains of the host are to be treated the same as the host.

    3 preload is optional. When max-age is greater than 0, then including preload in haproxy.router.openshift.io/hsts_header allows external services to include this site in their HSTS preload lists. For example, sites such as Google can construct a list of sites that have preload set. Browsers can then use these lists to determine which sites they can communicate with over HTTPS, before they have interacted with the site. Without preload set, browsers must have interacted with the site over HTTPS to get the header.
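A typo in the hsts_header value (a misspelt directive, a non-numeric max-age, or preload combined with max-age=0) is easy to miss and quietly weakens the policy. The following shell script is an added example, not part of the Red Hat documentation: it checks a candidate value against the three callouts above before the annotation is applied. The function names (hsts_header_valid, annotate_route_hsts) are this example's own and are not oc or OpenShift API names; the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs): validate the value you are about to
# place in the haproxy.router.openshift.io/hsts_header annotation.
# Rules enforced, taken from the callouts above:
#   - max-age=<seconds> is required and must be a non-negative integer
#   - includeSubDomains and preload are optional
#   - preload only makes sense when max-age is greater than 0
# Function names are this example's own, not oc or OpenShift API names.

# hsts_header_valid VALUE -> exit status 0 if VALUE is acceptable, 1 otherwise
hsts_header_valid() {
    hsts_value=$1
    hsts_max_age=""
    hsts_preload=0
    hsts_bad=0
    # Directives are separated by ';' in the annotation value.
    old_ifs=$IFS
    IFS=';'
    for directive in $hsts_value; do
        # tolerate spaces around a directive
        directive=$(printf '%s' "$directive" | sed 's/^ *//;s/ *$//')
        case "$directive" in
            max-age=*)
                hsts_max_age=${directive#max-age=}
                case "$hsts_max_age" in
                    ''|*[!0-9]*) hsts_bad=1 ;;   # not a non-negative integer
                esac
                ;;
            includeSubDomains) ;;
            preload) hsts_preload=1 ;;
            '') ;;                               # trailing ';'
            *) hsts_bad=1 ;;                     # unknown directive
        esac
    done
    IFS=$old_ifs
    [ -n "$hsts_max_age" ] || return 1          # max-age is mandatory
    [ "$hsts_bad" -eq 0 ] || return 1
    # preload with max-age=0 would ask preload lists to carry a disabled policy
    if [ "$hsts_preload" -eq 1 ] && [ "$hsts_max_age" -eq 0 ]; then
        return 1
    fi
    return 0
}

# annotate_route_hsts ROUTE VALUE -> validates VALUE, then applies it with oc
annotate_route_hsts() {
    hsts_header_valid "$2" || { echo "refusing to apply invalid hsts_header: $2" >&2; return 1; }
    oc annotate route "$1" --overwrite "haproxy.router.openshift.io/hsts_header=$2"
}

# Demonstration on constructed values (no cluster needed):
for v in "max-age=31536000;includeSubDomains;preload" "includeSubDomains;preload" "max-age=0;preload"; do
    if hsts_header_valid "$v"; then echo "valid:   $v"; else echo "invalid: $v"; fi
done
```

Run the script as-is to see the three constructed values classified; call annotate_route_hsts <route_name> "<value>" from a shell that is logged in to the cluster to apply a value that passed the check.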

15.1.4. Troubleshooting throughput issues

Sometimes applications deployed through OpenShift Container Platform can cause network throughput issues, such as unusually high latency between specific services.

Use the following methods to analyze performance issues if pod logs do not reveal any cause of the problem:

  • Use a packet analyzer, such as ping or tcpdump, to analyze traffic between a pod and its node.

    For example, run the tcpdump tool on each pod while reproducing the behavior that led to the issue. Review the captures on both sides to compare send and receive timestamps to analyze the latency of traffic to and from a pod. Latency can occur in OpenShift Container Platform if a node interface is overloaded with traffic from other pods, storage devices, or the data plane.

    $ tcpdump -s 0 -i any -w /tmp/dump.pcap host <podip 1> && host <podip 2> 1

    1 podip is the IP address for the pod. Run the oc get pod <pod_name> -o wide command to get the IP address of a pod.

    tcpdump generates a file at /tmp/dump.pcap containing all traffic between these two pods. Ideally, run the analyzer shortly before the issue is reproduced and stop the analyzer shortly after the issue is finished reproducing to minimize the size of the file. You can also run a packet analyzer between the nodes (eliminating the SDN from the equation) with:

    $ tcpdump -s 0 -i any -w /tmp/dump.pcap port 4789
  • Use a bandwidth measuring tool, such as iperf, to measure streaming throughput and UDP throughput. Run the tool from the pods first, then from the nodes, to locate any bottlenecks.

    • For information on installing and using iperf, see this Red Hat Solution.

15.1.5. Using cookies to keep route statefulness

OpenShift Container Platform provides sticky sessions, which enables stateful application traffic by ensuring all traffic hits the same endpoint. However, if the endpoint pod terminates, whether through restart, scaling, or a change in configuration, this statefulness can disappear.

OpenShift Container Platform can use cookies to configure session persistence. The Ingress controller selects an endpoint to handle any user requests, and creates a cookie for the session. The cookie is passed back in the response to the request and the user sends the cookie back with the next request in the session. The cookie tells the Ingress Controller which endpoint is handling the session, ensuring that client requests use the cookie so that they are routed to the same pod.

Note

Cookies cannot be set on passthrough routes, because the HTTP traffic cannot be seen. Instead, a number is calculated based on the source IP address, which determines the backend.

If backends change, the traffic can be directed to the wrong server, making it less sticky. If you are using a load balancer, which hides the source IP, the same number is set for all connections and traffic is sent to the same pod.

15.1.5.1. Annotating a route with a cookie

You can set a cookie name to overwrite the default, auto-generated one for the route. This allows the application receiving route traffic to know the cookie name. By deleting the cookie it can force the next request to re-choose an endpoint. So, if a server was overloaded it tries to remove the requests from the client and redistribute them.

Procedure

  1. Annotate the route with the specified cookie name:

    $ oc annotate route <route_name> router.openshift.io/cookie_name="<cookie_name>"

    Where:

    <route_name>
    Specifies the name of the route.
    <cookie_name>
    Specifies the name for the cookie.

    For example, to annotate the route my_route with the cookie name my_cookie:

    $ oc annotate route my_route router.openshift.io/cookie_name="my_cookie"
  2. Capture the route hostname in a variable:

    $ ROUTE_NAME=$(oc get route <route_name> -o jsonpath='{.spec.host}')

    Where:

    <route_name>
    Specifies the name of the route.
  3. Save the cookie, and then access the route:

    $ curl $ROUTE_NAME -k -c /tmp/cookie_jar

    Use the cookie saved by the previous command when connecting to the route:

    $ curl $ROUTE_NAME -k -b /tmp/cookie_jar

15.1.6. Path-based routes

Path-based routes specify a path component that can be compared against a URL, which requires that the traffic for the route be HTTP based. Thus, multiple routes can be served using the same hostname, each with a different path. Routers should match routes based on the most specific path to the least. However, this depends on the router implementation.

The following table shows example routes and their accessibility:

Table 15.1. Route availability

Route                                       When compared to          Accessible
www.example.com/test                        www.example.com/test      Yes
                                            www.example.com           No
www.example.com/test and www.example.com    www.example.com/test      Yes
                                            www.example.com           Yes
www.example.com                             www.example.com/text      Yes (matched by the host, not the route)
                                            www.example.com           Yes

An unsecured route with a path

apiVersion: v1
kind: Route
metadata:
  name: route-unsecured
spec:
  host: www.example.com
  path: "/test" 1
  to:
    kind: Service
    name: service-name

1 The path is the only added attribute for a path-based route.

Note

Path-based routing is not available when using passthrough TLS, as the router does not terminate TLS in that case and cannot read the contents of the request.

15.1.7. Route-specific annotations

The Ingress Controller can set the default options for all the routes it exposes. An individual route can override some of these defaults by providing specific configurations in its annotations. Red Hat does not support adding a route annotation to an operator-managed route.

Important

To create a whitelist with multiple source IPs or subnets, use a space-delimited list. Any other delimiter type causes the list to be ignored without a warning or error message.

Table 15.2. Route annotations

Each entry lists the variable, its description, and the environment variable used as default (where one exists).

haproxy.router.openshift.io/balance

Sets the load-balancing algorithm. Available options are source, roundrobin, and leastconn.

ROUTER_TCP_BALANCE_SCHEME for passthrough routes. Otherwise, ROUTER_LOAD_BALANCE_ALGORITHM is used.

haproxy.router.openshift.io/disable_cookies

Disables the use of cookies to track related connections. If set to true or TRUE, the balance algorithm is used to choose which back end serves connections for each incoming HTTP request.

router.openshift.io/cookie_name

Specifies an optional cookie to use for this route. The name must consist of any combination of upper and lower case letters, digits, "_", and "-". The default is the hashed internal key name for the route.

haproxy.router.openshift.io/pod-concurrent-connections

Sets the maximum number of connections that are allowed to a backing pod from a router.
Note: If there are multiple pods, each can have this many connections. If you have multiple routers, there is no coordination among them, each can connect this many times. If not set, or set to 0, there is no limit.

haproxy.router.openshift.io/rate-limit-connections

Setting true or TRUE enables rate limiting functionality, which is implemented through stick-tables on the specific backend per route.
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks.

haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp

Limits the number of concurrent TCP connections made through the same source IP address. It accepts a numeric value.
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks.

haproxy.router.openshift.io/rate-limit-connections.rate-http

Limits the rate at which a client with the same source IP address can make HTTP requests. It accepts a numeric value.
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks.

haproxy.router.openshift.io/rate-limit-connections.rate-tcp

Limits the rate at which a client with the same source IP address can make TCP connections. It accepts a numeric value.
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks.

haproxy.router.openshift.io/timeout

Sets a server-side timeout for the route. (TimeUnits)

ROUTER_DEFAULT_SERVER_TIMEOUT

haproxy.router.openshift.io/timeout-tunnel

This timeout applies to a tunnel connection, for example, WebSocket over cleartext, edge, reencrypt, or passthrough routes. With cleartext, edge, or reencrypt route types, this annotation is applied as a timeout tunnel with the existing timeout value. For the passthrough route types, the annotation takes precedence over any existing timeout value set.

ROUTER_DEFAULT_TUNNEL_TIMEOUT

ingresses.config/cluster ingress.operator.openshift.io/hard-stop-after

You can set either an IngressController or the ingress config. This annotation redeploys the router and configures the HAProxy to emit the haproxy hard-stop-after global option, which defines the maximum time allowed to perform a clean soft-stop.

ROUTER_HARD_STOP_AFTER

router.openshift.io/haproxy.health.check.interval

Sets the interval for the back-end health checks. (TimeUnits)

ROUTER_BACKEND_CHECK_INTERVAL

haproxy.router.openshift.io/ip_whitelist

Sets a whitelist for the route. The whitelist is a space-separated list of IP addresses and CIDR ranges for the approved source addresses. Requests from IP addresses that are not in the whitelist are dropped.

The maximum number of IP addresses and CIDR ranges allowed in a whitelist is 61.

haproxy.router.openshift.io/hsts_header

Sets a Strict-Transport-Security header for the edge terminated or re-encrypt route.

haproxy.router.openshift.io/log-send-hostname

Sets the hostname field in the Syslog header. Uses the hostname of the system. log-send-hostname is enabled by default if any Ingress API logging method, such as sidecar or Syslog facility, is enabled for the router.

haproxy.router.openshift.io/rewrite-target

Sets the rewrite path of the request on the backend.

router.openshift.io/cookie-same-site

Sets a value to restrict cookies. The values are:

Lax: cookies are transferred between the visited site and third-party sites.

Strict: cookies are restricted to the visited site.

None: cookies are restricted to the visited site.

This value is applicable to re-encrypt and edge routes only. For more information, see the SameSite cookies documentation.

haproxy.router.openshift.io/set-forwarded-headers

Sets the policy for handling the Forwarded and X-Forwarded-For HTTP headers per route. The values are:

append: appends the header, preserving any existing header. This is the default value.

replace: sets the header, removing any existing header.

never: never sets the header, but preserves any existing header.

if-none: sets the header if it is not already set.

ROUTER_SET_FORWARDED_HEADERS

Note

Environment variables cannot be edited.

Router timeout variables

TimeUnits are represented by a number followed by the unit: us (microseconds), ms (milliseconds, default), s (seconds), m (minutes), h (hours), d (days).

The regular expression is: [1-9][0-9]*(us\|ms\|s\|m\|h\|d).

Each entry lists the variable, its default, and its description.

ROUTER_BACKEND_CHECK_INTERVAL

5000ms

Length of time between subsequent liveness checks on back ends.

ROUTER_CLIENT_FIN_TIMEOUT

1s

Controls the TCP FIN timeout period for the client connecting to the route. If the FIN sent to close the connection does not answer within the given time, HAProxy closes the connection. This is harmless if set to a low value and uses fewer resources on the router.

ROUTER_DEFAULT_CLIENT_TIMEOUT

30s

Length of time that a client has to acknowledge or send data.

ROUTER_DEFAULT_CONNECT_TIMEOUT

5s

The maximum connection time.

ROUTER_DEFAULT_SERVER_FIN_TIMEOUT

1s

Controls the TCP FIN timeout from the router to the pod backing the route.

ROUTER_DEFAULT_SERVER_TIMEOUT

30s

Length of time that a server has to acknowledge or send data.

ROUTER_DEFAULT_TUNNEL_TIMEOUT

1h

Length of time for TCP or WebSocket connections to remain open. This timeout period resets whenever HAProxy reloads.

ROUTER_SLOWLORIS_HTTP_KEEPALIVE

300s

Set the maximum time to wait for a new HTTP request to appear. If this is set too low, it can cause problems with browsers and applications not expecting a small keepalive value.

Some effective timeout values can be the sum of certain variables, rather than the specific expected timeout. For example, ROUTER_SLOWLORIS_HTTP_KEEPALIVE adjusts timeout http-keep-alive. It is set to 300s by default, but HAProxy also waits on tcp-request inspect-delay, which is set to 5s. In this case, the overall timeout would be 300s plus 5s.

ROUTER_SLOWLORIS_TIMEOUT

10s

Length of time the transmission of an HTTP request can take.

RELOAD_INTERVAL

5s

Allows the minimum frequency for the router to reload and accept new changes.

ROUTER_METRICS_HAPROXY_TIMEOUT

5s

Timeout for the gathering of HAProxy metrics.

A route setting a custom timeout

apiVersion: v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/timeout: 5500ms 1
...

1 Specifies the new timeout with HAProxy supported units (us, ms, s, m, h, d). If the unit is not provided, ms is the default.

Note

Setting a server-side timeout value for passthrough routes too low can cause WebSocket connections on that route to time out frequently.
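The timeout grammar in 15.1.2 and the TimeUnits regular expression above are easy to get wrong by hand (a leading zero, an unknown unit), and the note about summed timeouts means values in different units often have to be compared. The following shell script is an added example, not part of the Red Hat documentation: it validates a value against the TimeUnits grammar (accepting a bare number as milliseconds, the stated default), converts it to microseconds, and adds two values the way the ROUTER_SLOWLORIS_HTTP_KEEPALIVE plus tcp-request inspect-delay note describes. The function names (timeout_valid, timeout_to_us, effective_timeout_us, annotate_route_timeout) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs): check a timeout value against the
# TimeUnits grammar shown above, [1-9][0-9]*(us|ms|s|m|h|d), and convert it to
# microseconds so that values in different units can be compared. A bare number
# (no unit) is accepted as milliseconds, which the text states is the default.
# Function names are this example's own, not oc or OpenShift API names.

# timeout_valid VALUE -> 0 if VALUE matches the TimeUnits grammar (unit optional)
timeout_valid() {
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]*(us|ms|s|m|h|d)?$'
}

# timeout_to_us VALUE -> prints VALUE expressed in microseconds
timeout_to_us() {
    timeout_valid "$1" || { echo "invalid timeout: $1" >&2; return 1; }
    t_num=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    t_unit=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    case "$t_unit" in
        us)    t_mult=1 ;;
        ms|'') t_mult=1000 ;;           # '' = no unit given, ms is the default
        s)     t_mult=1000000 ;;
        m)     t_mult=60000000 ;;
        h)     t_mult=3600000000 ;;
        d)     t_mult=86400000000 ;;
    esac
    echo $((t_num * t_mult))
}

# effective_timeout_us A B -> sum of two timeouts in microseconds, for cases
# like ROUTER_SLOWLORIS_HTTP_KEEPALIVE plus tcp-request inspect-delay
effective_timeout_us() {
    a=$(timeout_to_us "$1") || return 1
    b=$(timeout_to_us "$2") || return 1
    echo $((a + b))
}

# annotate_route_timeout ROUTE VALUE -> validates VALUE, then applies it with oc
annotate_route_timeout() {
    timeout_valid "$2" || { echo "refusing to apply invalid timeout: $2" >&2; return 1; }
    oc annotate route "$1" --overwrite "haproxy.router.openshift.io/timeout=$2"
}

# Demonstration on constructed values (no cluster needed):
for v in 2s 5500ms 1h 0s 3x; do
    if timeout_valid "$v"; then
        echo "$v = $(timeout_to_us "$v") us"
    else
        echo "$v: rejected"
    fi
done
echo "keepalive 300s + inspect-delay 5s = $(effective_timeout_us 300s 5s) us"
```

The arithmetic uses the shell's 64-bit integers, so even the 1d upper unit stays well within range; 0s and 3x are rejected because the grammar requires a leading non-zero digit and a known unit.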

A route that allows only one specific IP address

metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.1.10

A route that allows several IP addresses

metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12

A route that allows an IP address CIDR network

metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.1.0/24

A route that allows both IP addresses and IP address CIDR networks

metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 180.5.61.153 192.168.1.0/24 10.0.0.0/8
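The Important box in 15.1.7 says that any delimiter other than a space makes the router ignore the whole whitelist silently, and the table caps the list at 61 entries; both failure modes leave a route open to every source without any error. The following shell script is an added example, not part of the Red Hat documentation: it checks a candidate ip_whitelist value for exactly those two conditions, plus basic IPv4 address and prefix-length sanity, before the annotation is applied. The function names (ipv4_entry_valid, ip_whitelist_valid, annotate_route_whitelist) and the sample values are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs): validate an ip_whitelist value
# before annotating a route. It enforces the two rules stated above: entries
# must be separated by spaces (a comma or other delimiter makes the router
# ignore the whole list silently), and at most 61 addresses/CIDR ranges are
# allowed. Only IPv4 addresses and IPv4 CIDR ranges are accepted here.
# Function names are this example's own, not oc or OpenShift API names.

IP_WHITELIST_MAX=61

# ipv4_entry_valid ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/NN with valid octets
ipv4_entry_valid() {
    entry=$1
    addr=${entry%%/*}
    prefix=${entry#"$addr"}
    prefix=${prefix#/}
    # if there was a '/', the prefix length must be 0..32
    if [ "$entry" != "$addr" ]; then
        case "$prefix" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    octets=0
    old_ifs=$IFS; IFS='.'
    for o in $addr; do
        case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
        octets=$((octets + 1))
    done
    IFS=$old_ifs
    [ "$octets" -eq 4 ]
}

# ip_whitelist_valid VALUE -> 0 if every space-separated entry is valid and
# the entry count is between 1 and IP_WHITELIST_MAX
ip_whitelist_valid() {
    count=0
    for entry in $1; do           # default IFS: split on whitespace only, so
        ipv4_entry_valid "$entry" || { echo "bad entry: $entry" >&2; return 1; }
        count=$((count + 1))      # "a,b" arrives as one (invalid) entry
    done
    [ "$count" -gt 0 ] || { echo "empty whitelist" >&2; return 1; }
    [ "$count" -le "$IP_WHITELIST_MAX" ] || { echo "too many entries: $count" >&2; return 1; }
    return 0
}

# annotate_route_whitelist ROUTE VALUE -> validates VALUE, then applies it with oc
annotate_route_whitelist() {
    ip_whitelist_valid "$2" || { echo "refusing to apply invalid ip_whitelist" >&2; return 1; }
    oc annotate route "$1" --overwrite "haproxy.router.openshift.io/ip_whitelist=$2"
}

# Demonstration on constructed values (no cluster needed):
for v in "192.168.1.10" "180.5.61.153 192.168.1.0/24 10.0.0.0/8" \
         "192.168.1.10,192.168.1.11" "192.168.1.0/33"; do
    if ip_whitelist_valid "$v"; then echo "valid:   $v"; else echo "invalid: $v"; fi
done
```

The comma-separated value is rejected because the whole string arrives as a single entry whose third "octet" is 10,192; that is precisely the case the router would have accepted and then ignored.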

A route specifying a rewrite target

apiVersion: v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/rewrite-target: / 1
...

1 Sets / as the rewrite path of the request on the backend.

Setting the haproxy.router.openshift.io/rewrite-target annotation on a route specifies that the Ingress Controller should rewrite paths in HTTP requests using this route before forwarding the requests to the backend application. The part of the request path that matches the path specified in spec.path is replaced with the rewrite target specified in the annotation.

The following table provides examples of the path rewriting behavior for various combinations of spec.path, request path, and rewrite target.

Table 15.3. Rewrite target examples

Route.spec.path   Request path   Rewrite target   Forwarded request path
/foo              /foo           /                /
/foo              /foo/          /                /
/foo              /foo/bar       /                /bar
/foo              /foo/bar/      /                /bar/
/foo              /foo           /bar             /bar
/foo              /foo/          /bar             /bar/
/foo              /foo/bar       /baz             /baz/bar
/foo              /foo/bar/      /baz             /baz/bar/
/foo/             /foo           /                N/A (request path does not match route path)
/foo/             /foo/          /                /
/foo/             /foo/bar       /                /bar
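Before changing rewrite-target on a live route it helps to predict what the backend will actually receive, especially for the trailing-slash cases in the table. The following shell script is an added example, not part of the Red Hat documentation: it is a re-statement of the rules Table 15.3 illustrates (strip the matched spec.path prefix, prepend the target, avoid a doubled slash), not the router's HAProxy configuration, and it reproduces every row of the table. The function name rewrite_path is this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs): a model of the path rewriting that
# Table 15.3 documents, so you can predict the forwarded path for a given
# spec.path, request path and rewrite-target before changing a live route.
# It reproduces every row of the table; the router itself does this in HAProxy
# configuration, this is only a shell re-statement of the table's rules.
# Function name is this example's own.

# rewrite_path ROUTE_PATH REQUEST_PATH TARGET -> prints the forwarded path,
# or "N/A" (with exit status 1) when the request path does not match the route
rewrite_path() {
    route_path=$1; request_path=$2; target=$3
    # The request must start with spec.path, or the route is not matched at all.
    case "$request_path" in
        "$route_path"*) ;;
        *) echo "N/A"; return 1 ;;
    esac
    # Everything after the matched spec.path is kept and appended to the target.
    rest=${request_path#"$route_path"}
    # Avoid a doubled slash when the target ends with '/' and the rest starts with one.
    case "$target" in
        */) rest=${rest#/} ;;
    esac
    echo "$target$rest"
}

# Demonstration on the table's own inputs:
for row in "/foo /foo /" "/foo /foo/ /" "/foo /foo/bar /" "/foo /foo/bar/ /" \
           "/foo /foo /bar" "/foo /foo/ /bar" "/foo /foo/bar /baz" "/foo /foo/bar/ /baz" \
           "/foo/ /foo /" "/foo/ /foo/ /" "/foo/ /foo/bar /"; do
    set -- $row
    printf '%-6s %-10s %-5s -> %s\n' "$1" "$2" "$3" "$(rewrite_path "$1" "$2" "$3")"
done
```

The /foo/ versus /foo rows show why a trailing slash in spec.path matters: with spec.path /foo/ a request for exactly /foo does not match the route at all, so no rewrite happens.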

15.1.8. Configuring the route admission policy

Administrators and application developers can run applications in multiple namespaces with the same domain name. This is for organizations where multiple teams develop microservices that are exposed on the same hostname.

Warning

Allowing claims across namespaces should only be enabled for clusters with trust between namespaces, otherwise a malicious user could take over a hostname. For this reason, the default admission policy disallows hostname claims across namespaces.

Prerequisites

  • Cluster administrator privileges.

Procedure

  • Edit the .spec.routeAdmission field of the ingresscontroller resource variable using the following command:

    $ oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=merge

    Sample Ingress Controller configuration

    spec:
      routeAdmission:
        namespaceOwnership: InterNamespaceAllowed
    ...

15.1.9. Creating a route through an Ingress object

Some ecosystem components have an integration with Ingress resources but not with Route resources. To cover this case, OpenShift Container Platform automatically creates managed Route objects when an Ingress object is created. These Route objects are deleted when the corresponding Ingress objects are deleted.

Procedure

  1. Define an Ingress object in the OpenShift Container Platform console or by entering the oc create command:

    YAML definition of an Ingress

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: frontend
      annotations:
        route.openshift.io/termination: "reencrypt" 1
    spec:
      rules:
      - host: www.example.com
        http:
          paths:
          - backend:
              service:
                name: frontend
                port:
                  number: 443
            path: /
            pathType: Prefix
      tls:
      - hosts:
        - www.example.com
        secretName: example-com-tls-certificate

    1 The route.openshift.io/termination annotation can be used to configure the spec.tls.termination field of the Route, as Ingress has no field for this. The accepted values are edge, passthrough and reencrypt. All other values are silently ignored. When the annotation value is unset, edge is the default route. The TLS certificate details must be defined in the template file to implement the default edge route.

    a. If you specify the passthrough value in the route.openshift.io/termination annotation, set path to '' and pathType to ImplementationSpecific in the spec:

      spec:
        rules:
        - host: www.example.com
          http:
            paths:
            - path: ''
              pathType: ImplementationSpecific
              backend:
                service:
                  name: frontend
                  port:
                    number: 443

    $ oc apply -f ingress.yaml
  2. List your routes:

    $ oc get routes

    The result includes an autogenerated route whose name starts with frontend-:

    NAME             HOST/PORT         PATH   SERVICES   PORT   TERMINATION          WILDCARD
    frontend-gnztq   www.example.com          frontend   443    reencrypt/Redirect   None

    If you inspect this route, it looks like this:

    YAML definition of an autogenerated route

    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: frontend-gnztq
      ownerReferences:
      - apiVersion: networking.k8s.io/v1
        controller: true
        kind: Ingress
        name: frontend
        uid: 4e6c59cc-704d-4f44-b390-617d879033b6
    spec:
      host: www.example.com
      path: /
      port:
        targetPort: https
      tls:
        certificate: |
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----
        insecureEdgeTerminationPolicy: Redirect
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          [...]
          -----END RSA PRIVATE KEY-----
        termination: reencrypt
      to:
        kind: Service
        name: frontend

15.2. Secured routes

Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. The following sections describe how to create re-encrypt, edge, and passthrough routes with custom certificates.

Important

If you create routes in Microsoft Azure through public endpoints, the resource names are subject to restriction. You cannot create resources that use certain terms. For a list of terms that Azure restricts, see Resolve reserved resource name errors in the Azure documentation.

15.2.1. Creating a re-encrypt route with a custom certificate

You can configure a secure route using reencrypt TLS termination with a custom certificate by using the oc create route command.

Prerequisites

  • You must have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
  • You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
  • You must have a separate destination CA certificate in a PEM-encoded file.
  • You must have a service that you want to expose.

Note

Password protected key files are not supported. To remove a passphrase from a key file, use the following command:

$ openssl rsa -in password_protected_tls.key -out tls.key

Procedure

This procedure creates a Route resource with a custom certificate and reencrypt TLS termination. The following assumes that the certificate/key pair are in the tls.crt and tls.key files in the current working directory. You must also specify a destination CA certificate to enable the Ingress Controller to trust the service's certificate. You may also specify a CA certificate if needed to complete the certificate chain. Substitute the actual path names for tls.crt, tls.key, cacert.crt, and (optionally) ca.crt. Substitute the name of the Service resource that you want to expose for frontend. Substitute the appropriate host name for www.example.com.

  • Create a secure Route resource using reencrypt TLS termination and a custom certificate:

    $ oc create route reencrypt --service=frontend --cert=tls.crt --key=tls.key --dest-ca-cert=destca.crt --ca-cert=ca.crt --hostname=www.example.com

    If you examine the resulting Route resource, it should look similar to the following:

    YAML definition of the secure route

    apiVersion: v1
    kind: Route
    metadata:
      name: frontend
    spec:
      host: www.example.com
      to:
        kind: Service
        name: frontend
      tls:
        termination: reencrypt
        key: |-
          -----BEGIN PRIVATE KEY-----
          [...]
          -----END PRIVATE KEY-----
        certificate: |-
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----
        caCertificate: |-
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----
        destinationCACertificate: |-
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----

    See oc create route reencrypt --help for more options.

15.2.2. Creating an edge route with a custom certificate

You can configure a secure route using edge TLS termination with a custom certificate by using the oc create route command. With an edge route, the Ingress Controller terminates TLS encryption before forwarding traffic to the destination pod. The route specifies the TLS certificate and key that the Ingress Controller uses for the route.

Prerequisites

  • You must have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
  • You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
  • You must have a service that you want to expose.

Note

Password protected key files are not supported. To remove a passphrase from a key file, use the following command:

$ openssl rsa -in password_protected_tls.key -out tls.key
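The note above, and the identical one in 15.2.1, say that a password protected key file is not supported, but oc create route will only tell you so once it has read the file. The following shell script is an added example, not part of the Red Hat documentation: it checks a PEM key file for the two markers that indicate password protection (a PKCS#8 "ENCRYPTED PRIVATE KEY" block, or a legacy "Proc-Type: 4,ENCRYPTED" header) before the file is handed to either the re-encrypt or the edge procedure. The function names (key_is_encrypted, key_is_pem, key_usable_for_route) are this example's own, and the three files it writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs): check a PEM key file for the two
# markers that indicate password protection before passing it to
# oc create route, since the note above says such keys are not supported.
#   - PKCS#8:              "-----BEGIN ENCRYPTED PRIVATE KEY-----"
#   - legacy OpenSSL PEM:  a "Proc-Type: 4,ENCRYPTED" header line
# Function names are this example's own; the files below are constructed
# stand-ins, not real keys.

# key_is_encrypted FILE -> 0 if FILE looks password protected, 1 otherwise
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_is_pem FILE -> 0 if FILE contains a PEM private key block of any kind
key_is_pem() {
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# key_usable_for_route FILE -> 0 only when FILE is a PEM key without a password
key_usable_for_route() {
    key_is_pem "$1" || { echo "$1: not a PEM private key" >&2; return 1; }
    if key_is_encrypted "$1"; then
        echo "$1: password protected; run: openssl rsa -in $1 -out tls.key" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (placeholder bodies, not real key material)
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/plain.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-BASE64-BODY
-----END PRIVATE KEY-----
EOF
cat > "$tmpdir/pkcs8-enc.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER-BASE64-BODY
-----END ENCRYPTED PRIVATE KEY-----
EOF
cat > "$tmpdir/legacy-enc.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

PLACEHOLDER-BASE64-BODY
-----END RSA PRIVATE KEY-----
EOF

for f in plain.key pkcs8-enc.key legacy-enc.key; do
    if key_usable_for_route "$tmpdir/$f"; then echo "$f: ok"; else echo "$f: rejected"; fi
done
```

Run key_usable_for_route tls.key before the oc create route command in either procedure; a rejected file is exactly the case the openssl rsa command above is meant to fix.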

Procedure

This procedure creates a Route resource with a custom certificate and edge TLS termination. The following assumes that the certificate/key pair are in the tls.crt and tls.key files in the current working directory. You may also specify a CA certificate if needed to complete the certificate chain. Substitute the actual path names for tls.crt, tls.key, and (optionally) ca.crt. Substitute the name of the service that you want to expose for frontend. Substitute the appropriate host name for www.example.com.

  • Create a secure Route resource using edge TLS termination and a custom certificate:

    $ oc create route edge --service=frontend --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=www.example.com

    If you examine the resulting Route resource, it should look similar to the following:

    YAML definition of the secure route

    apiVersion: v1
    kind: Route
    metadata:
      name: frontend
    spec:
      host: www.example.com
      to:
        kind: Service
        name: frontend
      tls:
        termination: edge
        key: |-
          -----BEGIN PRIVATE KEY-----
          [...]
          -----END PRIVATE KEY-----
        certificate: |-
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----
        caCertificate: |-
          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----

    See oc create route edge --help for more options.

15.2.3. Creating a passthrough route

You can configure a secure route using passthrough termination by using the oc create route command. With passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore no key or certificate is required on the route.

Prerequisites

  • You must have a service that you want to expose.

Procedure

  • Create a Route resource:

    $ oc create route passthrough route-passthrough-secured --service=frontend --port=8080

    If you examine the resulting Route resource, it should look similar to the following:

    A secured route using passthrough termination

    apiVersion: v1
    kind: Route
    metadata:
      name: route-passthrough-secured 1
    spec:
      host: www.example.com
      port:
        targetPort: 8080
      tls:
        termination: passthrough 2
        insecureEdgeTerminationPolicy: None 3
      to:
        kind: Service
        name: frontend

    1 The name of the object, which is limited to 63 characters.

    2 The termination field is set to passthrough. This is the only required tls field.

    3 Optional insecureEdgeTerminationPolicy. The only valid values are None, Redirect, or empty for disabled.

    The destination pod is responsible for serving certificates for the traffic at the endpoint. This is currently the only method that can support requiring client certificates, also known as two-way authentication.

Article information

Author: Allyn Kozey

Last Updated: 09/05/2023