OpenShift route: tutorial and examples (2023)

Openshift is a cloud-based Kubernetes service from RedHat. OpenShift routes allow access to pods (one or more containers deployed in a cluster) from external resources. In most cases, applications deployed on OpenShift expose external endpoints outside of the cluster through a router.

For example, if yourKubernetes workloadis a web API (or any other interface that external users need to access), you need to provide a path to the specific service or pod in OpenShift to access the required application or service. Each route consists of a name (limited to 63 characters), a service selector, and optional security settings.

To help you better understand the topic, we'll take a closer look at the types of OpenShift routes and the different methods for configuring and troubleshooting them.

OpenShift route types

There are two types of OpenShift routes:

1. HTTP routes (non-secure routes)
2. HTTPS routes (secure routes)

Let's start by looking at an example of an unsecured route.

OpenShift insecure routes

Insecure routes in OpenShift use plain text HTTP communication. You can create OpenShift routes via the GUI/web console or CLI (command line interface). Next we will see the two methods.

INFOGRAPHIC POSTER

See Also

Chapter 15. Configuring Routes OpenShift Container Platform 4.6 | Red Hat Customer PortalRoutes - Basic Concepts | ArchitectureCreate HTTPS-based encrypted URLs using routes

Do you know the 12 risks of Kubernetes resource management?

Kubernetes architects and engineers immediately find value in seeing the spread of resource risks. Download the K8s 12 Risks Resource Poster now!

Download the free infographic poster

How to create an unsecured route using the web console

To create a route using the web console, go to the "Routes" page in the "Application" section. Select the "Create route" option to configure and create the route.

How to create an unsecured route using CLI

Use the following command to create an unsecured route

$oc expose svc/service --hostname=www.example.com

This command exposes the service in the URLwww.ejemplo.com. External users will be redirected to the service calledservicewhen accessing the urlwww.ejemplo.com.

The following is the YAML definition for the unsafe path object:

apiVersion: route.openshift.io/v1 type: route metadata: name: unsafe route specification: host: www.example.com to: type: service name: service name

Unsecured routes are much easier to maintain because they don't require a key or certificate.

Routes based on OpenShift routes

Route-based routes allow you to specify a route within a route. It is then matched against a URL to allow or deny traffic. The traffic for a route-based route must be HTTP-based (not secure). The same hostname can be used to configure multiple routes, each with its own route. The URL is compared to the routes and the most specific route (best match) is chosen. In the case of multiple paths, the comparison will proceed to the next path until the best match is found. This is all configurable and the reference points can be set on the router. The hostname and routes are sent back to the server so that it can successfully respond to your requests.

For example, if the pathwww.ejemplo.com/pruebais matched against the URLwww.ejemplo.com/pruebaallow traffic. However, it will not allow traffic compared to a URL fromwww.ejemplo.com.

On the other hand, if the route www.example.com is compared with the URLwww.ejemplo.com/prueba, it will allow traffic based on the host match and not the route.

Here's the YAML for an unsafe route with a route:

apiVersion: route.openshift.io/v1 type: Route metadata: name: non-secure route specification: host: www.example.com route: "/test" (1) to: type: service name: service name

📝 Note: Defining a route is the only additional attribute in route-based routing. Route-based routing is not secure and does not support TLS termination.

To see more examples, visit theOpenShift Route-Based Routing Documentation.

OpenShift secure routes

As the name suggests, secure routes are secured with TLS by providing a key and a certificate. Secure routes offer multiple TLS terminations to deliver certificates to the client. A TLS termination is the process of decrypting encrypted traffic. In OpenShift, TLS termination means terminating the TLS encryption before passing traffic to the required service or pod. The routers support edge termination, passthrough, and new encryption.

TLS termination in OpenShift uses SNI (Server Name Indication). SNI is an extension of the Transport Layer Security (TLS) network protocol. The client indicates which hostname it is trying to connect to at the beginning of the TLS handshake.

Non-SNI traffic routed to the secure port (default 443) receives a default certificate that is unlikely to match the hostname, resulting in an authentication failure.

You can learn more aboutsecure routes in the OpenShift Route documentation.

OpenShift and the SNI communication flow

Below is an overview of an SNI communication flow:

Secure routes can use one of three types of secure TLS termination. The type of termination is determined by where the encryption ends. The three types of termination are:

1. edge termination- Ends encryption on the router.
2. transfer termination- The termination is passed from the router directly to the pod.
3. End of recryption- It's like Edge Termination, but adds encapsulation.

In the following sections, we'll take a closer look at each type of termination.

edge termination

Edge termination ends the encryption on the router. All communication back to the router is secure, and any communication from the router to the endpoints is not. Since the encryption at the edge termination ends at the router, the TLS certificate must be added to the route. If no certificate is specified, the router's default certificate will be used and authentication will likely fail.

The following screenshot shows how edge termination is configured using a GUI. Note that there is an option on the screenshot below to handle "unsafe traffic". Edge termination allows three different ways to handle insecure traffic. It can be blocked, allowed or redirected.

The following command is used to create a secure path with edge termination

$oc create rotation edge --service=safe-edge-path --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=www.example.com

Observation: The certificate/key pair must be created in PEM-encoded format and must exist in the path folder before running the above command.

The following is the YAML for a secure route that uses edge termination:

apiVersion: route.openshift.io/v1 type: route metadata: name: secure-edge-route (1) specification: host: www.example.com to: type: service name: secure-edge-route tls: termination: edge (2) key: |- (3) -----START PRIVATE KEY----- [...] -----END PRIVATE KEY----- certificate: |- (4) -- ---START CERTIFICATE----- [...] -----END CERTIFICATE----- caCertificate: |- (5) -----START CERTIFICATE----- [. .. ] -----END OF CERTIFICATE-----

1. OnameThe field is used to name the object and is limited to 63 characters.
2. Oterminationthe field isshouldfor edge termination.
3. OkeyThe field is where the content of the PEM key is entered.
4. OcertificateThe field is for the content of the certificate in PEM format.
5. cCertificate It is optional, but you may need to enter the CA (Certificate Authority) certificate for successful authentication.

insecureEdgeTerminationPolicyis the attribute that is used to configure what happens with this type of traffic. The three values ​​that represent the goal discussed above areNoneor empty,To alloworedirect.

The following is the YAML for a secure route that uses edge termination that allows HTTP traffic:

apiVersion: route.openshift.io/v1 type: route metadata: name: route-edge-secured-allow-insecure(1) spec: host: www.example.com to: type: service name: tls service name :termination: edge(2) insecureEdgeTerminationPolicy: Permitir(3) [ ... ]

1. OnameThe field is used to name the object and is limited to 63 characters.
2. Oterminationthe field isshouldfor edge termination.
3. insecureEdgeTerminationPolicyThe field is used to configure what happens with insecure traffic. In the YAML file example above, insecure traffic is allowed.

The following is the YAML for a secure route that uses the edge termination that redirects HTTP traffic to HTTPS:

apiVersion: route.openshift.io/v1 type: Route metadata: name: route-edge-secured-redirect-insecure(1) spec: host: www.example.com to: type: Service name: tls service name : Termination : edge(2) insecureEdgeTerminationPolicy: Redirigir(3) [ ... ]

1. OnameThe field is used to name the object and is limited to 63 characters.
2. Oterminationthe field isshouldfor edge termination.
3. insecureEdgeTerminationPolicyThe field is used to configure what happens with insecure traffic. In the YAML file example above, insecure traffic is redirected to HTTPS.