$ openssl rsa -in password_protected_tls.key -out tls.key- Documentation
- OKD
- Networking
- Ingress and load balancing
- Routes
- Creating advanced routes
- Overview
- What's new?
- Architecture
- Disconnected environments
- About disconnected environments
- Converting a connected cluster to a disconnected cluster
- About disconnected installation mirroring
- Creating a mirror registry with mirror registry for Red Hat OpenShift
- Mirroring images for a disconnected installation using oc-mirror plugin v2
- Migrating from oc-mirror plugin v1 to v2
- Mirroring images for a disconnected installation using the oc-mirror plugin v1
- Mirroring images for a disconnected installation by using the oc adm command
- Installing a cluster in a disconnected environment
- Using OLM in disconnected environments
- Updating a cluster in a disconnected environment
- Installing
- Installation overview
- Installing on Alibaba Cloud
- Installing on AWS
- Installation methods
- Configuring an AWS account
- Installer-provisioned infrastructure
- Preparing to install a cluster
- Installing a cluster
- Installing a cluster with customizations
- Installing a cluster in a disconnected environment
- Installing a cluster into an existing VPC
- Installing a private cluster
- Installing a cluster in a specialized region
- Installing a cluster with compute nodes on Local Zones
- Installing a cluster with compute nodes on Wavelength Zones
- Extending an AWS VPC cluster into an AWS Outpost
- Installing an AWS cluster with the support for configuring multi-architecture compute machines
- User-provisioned infrastructure
- Installing a three-node cluster
- Uninstalling a cluster
- Installation configuration parameters
- Installing on Azure
- Installing on Azure Stack Hub
- Installing on Google Cloud
- Preparing to install on Google Cloud
- Configuring a Google Cloud project
- Installing a cluster quickly on Google Cloud
- Installing a cluster on Google Cloud with customizations
- Installing a cluster on Google Cloud in a disconnected environment
- Installing a cluster on Google Cloud into an existing VPC
- Installing a cluster on Google Cloud into a shared VPC
- Installing a private cluster on Google Cloud
- Installing a cluster on Google Cloud using Deployment Manager templates
- Installing a cluster into a shared VPC on Google Cloud using Deployment Manager templates
- Installing a cluster on Google Cloud in a disconnected environment with user-provisioned infrastructure
- Installing a three-node cluster on Google Cloud
- Installation configuration parameters for Google Cloud
- Uninstalling a cluster on Google Cloud
- Installing a Google Cloud cluster with the support for configuring multi-architecture compute machines
- Installing on IBM Cloud
- Preparing to install on IBM Cloud
- Configuring an IBM Cloud account
- Configuring IAM for IBM Cloud
- User-managed encryption
- Installing a cluster on IBM Cloud with customizations
- Installing a cluster on IBM Cloud into an existing VPC
- Installing a private cluster on IBM Cloud
- Installing a cluster on IBM Cloud in a disconnected environment
- Installation configuration parameters for IBM Cloud
- Uninstalling a cluster on IBM Cloud
- Installing on Nutanix
- Installing on a single node
- Installing a Two Node OpenShift Cluster
- Installing on bare metal
- Preparing to install on bare metal
- User-provisioned infrastructure
- Installing a user-provisioned cluster on bare metal
- Installing a user-provisioned bare metal cluster with network customizations
- Installing a user-provisioned bare metal cluster on a disconnected environment
- Scaling a user-provisioned installation with the bare metal operator
- Installation configuration parameters for bare metal
- Installer-provisioned infrastructure
- Postinstallation configuration
- Expanding the cluster
- Using bare metal as a service
- Installing IBM Cloud Bare Metal (Classic)
- Installing on OpenStack
- Preparing to install on OpenStack
- Preparing to install a cluster that uses SR-IOV or OVS-DPDK on OpenStack
- Installing a cluster on OpenStack with customizations
- Installing a cluster on OpenStack on your own infrastructure
- Installing a cluster on OpenStack in a disconnected environment
- Installing a three-node cluster on OpenStack
- Configuring network settings after installing OpenStack
- OpenStack Cloud Controller Manager reference guide
- Deploying on OpenStack with rootVolume and etcd on local disk
- Uninstalling a cluster on OpenStack
- Uninstalling a cluster on OpenStack from your own infrastructure
- Installation configuration parameters for OpenStack
- Installing on Oracle Distributed Cloud
- Installing on VMware vSphere
- Installation methods
- Installer-provisioned infrastructure
- User-provisioned infrastructure
- Installing a three-node cluster
- Uninstalling a cluster
- Using the vSphere Problem Detector Operator
- Installation configuration parameters
- Regions and zones for a VMware vCenter
- Enabling encryption on a vSphere cluster
- Configuring the vSphere connection settings after an installation
- Installing on any platform
- Installation configuration
- Validation and troubleshooting
- Postinstallation configuration
- Configuring a private cluster
- Cluster tasks
- Node tasks
- Postinstallation network configuration
- Configuring image streams and image registries
- Storage configuration
- Preparing for users
- Changing the cloud provider credentials configuration
- Configuring alert notifications
- Converting a connected cluster to a disconnected cluster
- Updating clusters
- Updating clusters overview
- Understanding OpenShift updates
- Preparing to update a cluster
- Performing a cluster update
- Updating a cluster using the CLI
- Updating a cluster using the web console
- Performing a canary rollout update
- Updating a cluster in a disconnected environment
- Updating hardware on nodes running on vSphere
- Migrating to a cluster with multi-architecture compute machines
- Updating the boot loader on Fedora CoreOS nodes using bootupd
- Troubleshooting a cluster update
- Support
- Support overview
- Managing your cluster resources
- Remote health monitoring with connected clusters
- About remote health monitoring
- Showing data collected by remote health monitoring
- Remote health reporting
- Using Insights to identify issues with your cluster
- Using the Insights Operator
- Using remote health reporting in a disconnected environment
- Importing simple content access entitlements with Insights Operator
- Gathering data about your cluster
- Summarizing cluster specifications
- Troubleshooting
- Troubleshooting installations
- Verifying node health
- Troubleshooting CRI-O container runtime issues
- Troubleshooting operating system issues
- Troubleshooting network issues
- Troubleshooting Operator issues
- Investigating pod issues
- Troubleshooting the Source-to-Image process
- Troubleshooting storage issues
- Troubleshooting Windows container workload issues
- Investigating monitoring issues
- Diagnosing OpenShift CLI (oc) issues
- Web console
- Web console overview
- Accessing the web console
- Using the OpenShift Container Platform dashboard to get cluster information
- Adding user preferences
- Configuring the web console
- Customizing the web console
- Dynamic plugins
- Disabling the web console
- Creating quick start tutorials
- Optional capabilities and products
- CLI tools
- Security and compliance
- Security and compliance overview
- Container security
- Understanding container security
- Understanding host and VM security
- Container image signatures
- Hardening Fedora CoreOS
- Understanding compliance
- Securing container content
- Using container registries securely
- Securing the build process
- Deploying containers
- Securing the container platform
- Securing networks
- Securing attached storage
- Monitoring cluster events and logs
- Configuring certificates
- Certificate types and descriptions
- User-provided certificates for the API server
- Proxy certificates
- Service CA certificates
- Node certificates
- Bootstrap certificates
- etcd certificates
- OLM certificates
- Aggregated API client certificates
- Machine Config Operator certificates
- User-provided certificates for default ingress
- Ingress certificates
- Monitoring and cluster logging Operator component certificates
- Control plane certificates
- Compliance Operator
- File Integrity Operator
- File Integrity Operator Overview
- File Integrity Operator release notes
- File Integrity Operator support
- Installing the File Integrity Operator
- Updating the File Integrity Operator
- Understanding the File Integrity Operator
- Configuring the File Integrity Operator
- Performing advanced File Integrity Operator tasks
- Troubleshooting the File Integrity Operator
- Uninstalling the File Integrity Operator
- Security Profiles Operator
- Security Profiles Operator overview
- Security Profiles Operator release notes
- Security Profiles Operator support
- Understanding the Security Profiles Operator
- Enabling the Security Profiles Operator
- Managing seccomp profiles
- Managing SELinux profiles
- Advanced Security Profiles Operator tasks
- Troubleshooting the Security Profiles Operator
- Uninstalling the Security Profiles Operator
- Viewing audit logs
- Configuring the audit log policy
- Configuring TLS security profiles
- Configuring seccomp profiles
- Allowing JavaScript-based access to the API server from additional hosts
- Scanning pods for vulnerabilities
- Network-Bound Disk Encryption (NBDE)
- Authentication and authorization
- Authentication and authorization overview
- Understanding authentication
- Configuring the internal OAuth server
- Configuring OAuth clients
- Managing user-owned OAuth access tokens
- Understanding identity provider configuration
- Configuring identity providers
- Configuring an htpasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Enabling direct authentication with an OIDC identity provider
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Using bound service account tokens
- Managing security context constraints
- Understanding and managing pod security admission
- Impersonating the system:admin user
- Syncing LDAP groups
- Managing cloud provider credentials
- Networking
- Networking overview
- Networking Operators
- Kubernetes NMState Operator
- AWS Load Balancer Operator
- eBPF manager Operator
- External DNS Operator
- External DNS Operator release notes
- Understanding the External DNS Operator
- Installing the External DNS Operator
- External DNS Operator configuration parameters
- Creating DNS records on AWS
- Creating DNS records on Azure
- Creating DNS records on Google Cloud
- Creating DNS records on Infoblox
- Configuring the cluster-wide proxy on the External DNS Operator
- MetalLB Operator
- Cluster Network Operator in OpenShift Container Platform
- DNS Operator in OpenShift Container Platform
- Ingress Operator in OpenShift Container Platform
- Ingress Node Firewall Operator in OpenShift Container Platform
- SR-IOV Operator
- DPU Operator
- Network security
- Multiple networks
- Understanding multiple networks
- Primary networks
- Secondary networks
- Creating secondary networks on OVN-Kubernetes
- Creating secondary networks with other CNI plugins
- Attaching a pod to an additional network
- Configuring multi-network policies
- Removing a pod from an additional network
- Editing an additional network
- Configuring IP address assignment for secondary networks
- Configuring the master interface in the container network namespace
- Removing an additional network
- About virtual routing and forwarding
- Assigning a secondary network to a VRF
- Hardware networks
- About Single Root I/O Virtualization (SR-IOV) hardware networks
- Configuring an SR-IOV network device
- Configuring an SR-IOV Ethernet network attachment
- Configuring an SR-IOV InfiniBand network attachment
- Configuring SriovNetwork in application namespaces
- Configuring an RDMA subsystem for SR-IOV
- Configuring interface-level network sysctl settings and all-multicast mode for SR-IOV networks
- Configuring QinQ support for SR-IOV networks
- Using high performance multicast
- Using DPDK and RDMA
- High availability for pod-level bonds on SR-IOV networks
- Using pod-level bonding for secondary networks
- Configuring hardware offloading
- Switching Bluefield-2 from NIC to DPU mode
- OVN-Kubernetes network plugin
- About the OVN-Kubernetes network plugin
- OVN-Kubernetes architecture
- OVN-Kubernetes troubleshooting
- OVN-Kubernetes traffic tracing
- Converting to IPv4/IPv6 dual stack networking
- Configuring internal subnets
- Configuring a gateway
- Configure an external gateway on the default network
- Configuring an egress IP address
- Configuring an egress service
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Enabling multicast for a project
- Disabling multicast for a project
- Tracking network flows
- Configuring hybrid networking
- Ingress and load balancing
- Routes
- Configuring ingress cluster traffic
- Overview
- Configuring ExternalIPs for services
- Configuring ingress cluster traffic using an Ingress Controller
- Configuring the Ingress Controller endpoint publishing strategy
- Configuring ingress cluster traffic using a load balancer
- Configuring ingress cluster traffic on AWS
- Configuring ingress cluster traffic using a service external IP
- Configuring ingress cluster traffic using a NodePort
- Configuring ingress cluster traffic using load balancer allowed source ranges
- Patching existing ingress objects
- Allocating load balancers to specific subnets
- Configuring the Ingress Controller for manual DNS management
- Gateway API with OpenShift Container Platform networking
- Load balancing on OpenStack
- Load balancing with MetalLB
- Configuring MetalLB address pools
- Advertising the IP address pools
- Configuring MetalLB BGP peers
- Advertising an IP address pool using the community alias
- Configuring MetalLB BFD profiles
- Configuring services to use MetalLB
- Managing symmetric routing with MetalLB
- Configuring the integration of MetalLB and FRR-K8s
- MetalLB logging, troubleshooting, and support
- Configuring network settings
- Advanced networking
- Kubernetes NMState
- Storage
- Storage overview
- Understanding ephemeral storage
- Understanding persistent storage
- Configuring persistent storage
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent Storage using iSCSI
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Data Foundation
- Persistent storage using VMware vSphere
- Persistent storage using local storage
- Using Container Storage Interface (CSI)
- Configuring CSI volumes
- CSI inline ephemeral volumes
- CSI volume snapshots
- CSI volume group snapshots
- CSI volume cloning
- Volume populators
- Managing the default storage class
- CSI automatic migration
- AWS Elastic Block Store CSI Driver Operator
- AWS Elastic File Service CSI Driver Operator
- Azure Disk CSI Driver Operator
- Azure File CSI Driver Operator
- Azure Stack Hub CSI Driver Operator
- GCP PD CSI Driver Operator
- GCP Filestore CSI Driver Operator
- IBM Cloud Block Storage (VPC) CSI Driver Operator
- IBM Power Virtual Server Block Storage CSI Driver Operator
- OpenStack Cinder CSI Driver Operator
- OpenStack Manila CSI Driver Operator
- Secrets Store CSI Driver Operator
- CIFS/SMB CSI Driver Operator
- VMware vSphere CSI Driver Operator
- Generic ephemeral volumes
- Expanding persistent volumes
- Dynamic provisioning
- Detach volumes after non-graceful node shutdown
- Registry
- Registry overview
- Image Registry Operator in OKD
- Setting up and configuring the registry
- Configuring the registry for AWS user-provisioned infrastructure
- Configuring the registry for Google Cloud user-provisioned infrastructure
- Configuring the registry for OpenStack user-provisioned infrastructure
- Configuring the registry for Azure user-provisioned infrastructure
- Configuring the registry for OpenStack
- Configuring the registry for bare metal
- Configuring the registry for vSphere
- Configuring the registry for OpenShift Data Foundation
- Configuring the registry for Nutanix
- Accessing the registry
- Exposing the registry
- Operators
- Operators overview
- Understanding Operators
- User tasks
- Administrator tasks
- Adding Operators to a cluster
- Updating installed Operators
- Deleting Operators from a cluster
- Configuring OLM features
- Configuring proxy support
- Viewing Operator status
- Managing Operator conditions
- Allowing non-cluster administrators to install Operators
- Managing custom catalogs
- Using OLM in disconnected environments
- Catalog source pod scheduling
- Troubleshooting Operator issues
- Developing Operators
- Cluster Operators reference
- OLM v1
- Extensions
- CI/CD
- CI/CD overview
- Builds using BuildConfig
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing and configuring basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Images
- Overview of images
- Configuring the Cluster Samples Operator
- Using the Cluster Samples Operator with an alternate registry
- Creating images
- Managing images
- Managing image streams
- Using image streams with Kubernetes resources
- Triggering updates on image stream changes
- Image configuration resources
- Using images
- Building applications
- Building applications overview
- Projects
- Creating applications
- Viewing application composition by using the Topology view
- Exporting applications
- Working with Helm charts
- Deployments
- Quotas
- Using config maps with applications
- Monitoring project and application metrics using the Developer perspective
- Monitoring application health
- Editing applications
- Pruning objects to reclaim resources
- Idling applications
- Deleting applications
- Using the Red Hat Marketplace
- Machine configuration
- Machine configuration overview
- Using machine config objects to configure nodes
- Using node disruption policies to minimize disruption from machine config changes
- Configuring MCO-related custom resources
- Pinning images to nodes
- Boot image management
- Managing unused rendered machine configs
- Image mode for OpenShift
- Machine Config Daemon metrics
- Machine management
- Overview of machine management
- Managing compute machines with the Machine API
- Creating a compute machine set on AWS
- Creating a compute machine set on Azure
- Creating a compute machine set on Azure Stack Hub
- Creating a compute machine set on Google Cloud
- Creating a compute machine set on IBM Cloud
- Creating a compute machine set on IBM Power Virtual Server
- Creating a compute machine set on Nutanix
- Creating a compute machine set on OpenStack
- Creating a compute machine set on vSphere
- Creating a compute machine set on bare metal
- Manually scaling a compute machine set
- Modifying a compute machine set
- Machine phases and lifecycle
- Deleting a machine
- Applying autoscaling to a cluster
- Creating infrastructure machine sets
- Managing user-provisioned infrastructure manually
- Managing control plane machines
- About control plane machine sets
- Getting started with control plane machine sets
- Managing control plane machines with control plane machine sets
- Control plane machine set configuration
- Configuration options for control plane machines
- Control plane configuration options for Amazon Web Services
- Control plane configuration options for Microsoft Azure
- Control plane configuration options for Google Cloud
- Control plane configuration options for Nutanix
- Control plane configuration options for Red Hat OpenStack Platform
- Control plane configuration options for VMware vSphere
- Control plane resiliency and recovery
- Troubleshooting the control plane machine set
- Disabling the control plane machine set
- Manually scaling control plane machines
- Managing machines with the Cluster API
- About the Cluster API
- Getting started with the Cluster API
- Managing machines with the Cluster API
- Configuration options for Cluster API machines
- Cluster API configuration options for Amazon Web Services
- Cluster API configuration options for Google Cloud
- Cluster API configuration options for Microsoft Azure
- Cluster API configuration options for Red Hat OpenStack Platform
- Cluster API configuration options for VMware vSphere
- Cluster API configuration options for bare metal
- Troubleshooting Cluster API clusters
- Disabling the Cluster API
- Deploying machine health checks
- etcd
- Hosted control planes
- Hosted control planes release notes
- Hosted control planes overview
- Preparing to deploy hosted control planes
- Deploying hosted control planes
- Deploying hosted control planes on AWS
- Deploying hosted control planes on bare metal
- Deploying hosted control planes on OpenShift Virtualization
- Deploying hosted control planes on non-bare-metal agent machines
- Deploying hosted control planes on IBM Z
- Deploying hosted control planes on IBM Power
- Deploying hosted control planes on OpenStack
- Managing hosted control planes
- Deploying hosted control planes in a disconnected environment
- Introduction to hosted control planes in a disconnected environment
- Deploying hosted control planes on OpenShift Virtualization in a disconnected environment
- Deploying hosted control planes on bare metal in a disconnected environment
- Deploying hosted control planes on IBM Z in a disconnected environment
- Monitoring user workload in a disconnected environment
- Configuring certificates for hosted control planes
- Updating hosted control planes
- High availability for hosted control planes
- About high availability for hosted control planes
- Recovering a failing etcd cluster
- Backing up and restoring etcd in an on-premise environment
- Backing up and restoring etcd on AWS
- Backing up and restoring a hosted cluster on OpenShift Virtualization
- Disaster recovery for a hosted cluster in AWS
- Disaster recovery for a hosted cluster by using OADP
- Automated disaster recovery for a hosted cluster by using OADP
- Authentication and authorization for hosted control planes
- Handling machine configuration for hosted control planes
- Using feature gates in a hosted cluster
- Observability for hosted control planes
- Networking for hosted control planes
- Troubleshooting hosted control planes
- Destroying a hosted cluster
- Destroying a hosted cluster on AWS
- Destroying a hosted cluster on bare metal
- Destroying a hosted cluster on OpenShift Virtualization
- Destroying a hosted cluster on IBM Z
- Destroying a hosted cluster on IBM Power
- Destroying a hosted cluster on OpenStack
- Destroying a hosted cluster on non-bare-metal agent machines
- Manually importing a hosted cluster
- Nodes
- Overview of nodes
- Working with pods
- About pods
- Viewing pods
- Configuring a cluster for pods
- Automatically scaling pods with the horizontal pod autoscaler
- Automatically adjust pod resource levels with the vertical pod autoscaler
- Adjust pod resource levels without pod disruption
- Providing sensitive data to pods by using secrets
- Providing sensitive data to pods by using an external secrets store
- Authenticating pods with short-term credentials
- Creating and using config maps
- Mounting an OCI image into a pod
- Using Device Manager to make devices available to nodes
- Including pod priority in pod scheduling decisions
- Placing pods on specific nodes using node selectors
- Allocating GPUs to pods
- Running pods in Linux user namespaces
- Automatically scaling pods with the Custom Metrics Autoscaler Operator
- Release notes
- Custom Metrics Autoscaler Operator overview
- Installing the custom metrics autoscaler
- Understanding the custom metrics autoscaler triggers
- Understanding custom metrics autoscaler trigger authentications
- Understanding how to add custom metrics autoscalers
- Pausing the custom metrics autoscaler
- Gathering audit logs
- Gathering debugging data
- Viewing Operator metrics
- Removing the Custom Metrics Autoscaler Operator
- Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Scheduling pods using a scheduler profile
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Controlling pod placement using pod topology spread constraints
- Using jobs and daemon sets
- Working with nodes
- Viewing and listing the nodes in your cluster
- Working with nodes
- Managing nodes
- Adding worker nodes to an on-premise cluster
- Managing the maximum number of pods per node
- Replacing a failed bare-metal control plane node without BMC credentials
- Using the Node Tuning Operator
- Remediating, fencing, and maintaining nodes
- Understanding node rebooting
- Boot image management
- Freeing node resources using garbage collection
- Allocating resources for nodes
- Allocating specific CPUs for nodes in a cluster
- Enabling TLS security profiles for the kubelet
- Creating infrastructure nodes
- Working with containers
- Understanding containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Accessing faster builds with /dev/fuse
- Working with clusters
- Node metrics dashboard
- Manage secure signatures with sigstore
- Windows Container Support for OpenShift
- Red Hat OpenShift support for Windows Containers overview
- Release notes
- Understanding Windows container workloads
- Enabling Windows container workloads
- Creating Windows machine sets
- Scheduling Windows container workloads
- Windows node updates
- Using Bring-Your-Own-Host Windows instances as nodes
- Removing Windows nodes
- Disabling Windows container workloads
- Observability
- Observability overview
- Cluster Observability Operator
- Monitoring
- Logging
- Network Observability
- Network Observability Operator release notes
- Network Observability Operator release notes archive
- Network observability overview
- Installing the Network Observability Operator
- Understanding Network Observability Operator
- Configuring the Network Observability Operator
- Network Policy
- Observing the network traffic
- Network observability alerts
- Using metrics with dashboards and alerts
- Monitoring the Network Observability Operator
- Scheduling resources
- Secondary networks
- Network Observability CLI
- FlowCollector API reference
- FlowMetric API reference
- Flows format reference
- Troubleshooting network observability
- Power Monitoring
- Scalability and performance
- Scalability and performance overview
- Recommended performance and scalability practices
- Telco core reference design specifications
- Telco RAN DU reference design specifications
- Telco hub reference design specifications
- Comparing cluster configurations
- Planning your environment according to object maximums
- Compute Resource Quotas
- Using the Node Tuning Operator
- Using CPU Manager and Topology Manager
- Scheduling NUMA-aware workloads
- Scalability and performance optimization
- Managing bare metal hosts
- What huge pages do and how they are consumed by apps
- Understanding low latency
- Tuning nodes for low latency with the performance profile
- Tuning hosted control planes for low latency with the performance profile
- Provisioning real-time and low latency workloads
- Debugging low latency tuning
- Performing latency tests for platform verification
- Improving cluster stability in high latency environments using worker latency profiles
- Workload partitioning
- Using the Node Observability Operator
- Edge computing
- Challenges of the network far edge
- Preparing the hub cluster for ZTP
- Updating GitOps ZTP
- Installing managed clusters with RHACM and SiteConfig resources
- Manually installing a single-node OpenShift cluster with GitOps ZTP
- Migrating from SiteConfig CRs to ClusterInstance CRs
- Recommended single-node OpenShift cluster configuration for vDU application workloads
- Validating cluster tuning for vDU application workloads
- Advanced managed cluster configuration with SiteConfig resources
- Managing cluster policies with PolicyGenerator resources
- Managing cluster policies with PolicyGenTemplate resources
- Using hub templates in PolicyGenerator or PolicyGenTemplate CRs
- Updating managed clusters with the Topology Aware Lifecycle Manager
- Expanding single-node OpenShift clusters with GitOps ZTP
- Pre-caching images for single-node OpenShift deployments
- Image-based upgrade for single-node OpenShift clusters
- Understanding the image-based upgrade for single-node OpenShift clusters
- Preparing for an image-based upgrade for single-node OpenShift clusters
- Configuring a shared container partition for the image-based upgrade
- Installing Operators for the image-based upgrade
- Generating a seed image for the image-based upgrade with the Lifecycle Agent
- Creating ConfigMap objects for the image-based upgrade with the Lifecycle Agent
- Creating ConfigMap objects for the image-based upgrade with Lifecycle Agent using GitOps ZTP
- Configuring the automatic image cleanup of the container storage disk
- Performing an image-based upgrade for single-node OpenShift clusters with the Lifecycle Agent
- Performing an image-based upgrade for single-node OpenShift clusters using GitOps ZTP
- Image-based installation for single-node OpenShift
- Day 2 operations for telco core CNF clusters
- Specialized hardware and driver enablement
- Hardware accelerators
- Backup and restore
- Overview of backup and restore operations
- Shutting down a cluster gracefully
- Restarting a cluster gracefully
- Hibernating a cluster
- OADP Application backup and restore
- Introduction to OpenShift API for Data Protection
- OADP release notes
- OADP performance
- OADP features and plugins
- OADP use cases
- Installing OADP
- Configuring OADP with AWS S3 compatible storage
- Configuring OADP with IBM Cloud
- Configuring OADP with Azure
- Configuring OADP with Google Cloud
- Configuring OADP with MCG
- Configuring OADP with ODF
- Configuring OADP with OpenShift Virtualization
- Configuring OADP with multiple backup storage locations
- Configuring OADP with multiple Volume Snapshot Locations
- Uninstalling OADP
- OADP backing up
- OADP restoring
- OADP Self-Service
- OADP and ROSA
- OADP and AWS STS
- OADP and 3scale
- OADP Data Mover
- OADP API
- Advanced OADP features and functionalities
- OADP troubleshooting
- Troubleshooting OADP
- Velero CLI tool
- Pods crash or restart due to lack of memory or CPU
- Restoring workarounds for Velero backups that use admission webhooks
- OADP installation issues
- OADP Operator issues
- OADP timeouts
- Backup and Restore CR issues
- Restic issues
- OADP Data protection test
- Using the must-gather tool
- OADP monitoring
- Control plane backup and restore
- Migrating from version 3 to 4
- Migrating from version 3 to 4 overview
- About migrating from OKD 3 to 4
- Differences between OKD 3 and 4
- Network considerations
- About MTC
- Installing MTC
- Installing MTC in a disconnected environment
- Upgrading MTC
- Premigration checklists
- Migrating your applications
- Advanced migration options
- Troubleshooting
- Migration Toolkit for Containers
- API reference
- API overview
- Common object reference
- Authorization APIs
- About Authorization APIs
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- SelfSubjectReview [authentication.k8s.io/v1]
- TokenRequest [authentication.k8s.io/v1]
- TokenReview [authentication.k8s.io/v1]
- LocalSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectRulesReview [authorization.k8s.io/v1]
- SubjectAccessReview [authorization.k8s.io/v1]
- Autoscale APIs
- Cluster APIs
- Config APIs
- About Config APIs
- APIServer [config.openshift.io/v1]
- Authentication [config.openshift.io/v1]
- Build [config.openshift.io/v1]
- ClusterImagePolicy [config.openshift.io/v1]
- ClusterOperator [config.openshift.io/v1]
- ClusterVersion [config.openshift.io/v1]
- Console [config.openshift.io/v1]
- DNS [config.openshift.io/v1]
- FeatureGate [config.openshift.io/v1]
- HelmChartRepository [helm.openshift.io/v1beta1]
- Image [config.openshift.io/v1]
- ImageDigestMirrorSet [config.openshift.io/v1]
- ImageContentPolicy [config.openshift.io/v1]
- ImagePolicy [config.openshift.io/v1]
- ImageTagMirrorSet [config.openshift.io/v1]
- Infrastructure [config.openshift.io/v1]
- Ingress [config.openshift.io/v1]
- Network [config.openshift.io/v1]
- Node [config.openshift.io/v1]
- OAuth [config.openshift.io/v1]
- OperatorHub [config.openshift.io/v1]
- Project [config.openshift.io/v1]
- ProjectHelmChartRepository [helm.openshift.io/v1beta1]
- Proxy [config.openshift.io/v1]
- Scheduler [config.openshift.io/v1]
- Console APIs
- About Console APIs
- ConsoleCLIDownload [console.openshift.io/v1]
- ConsoleExternalLogLink [console.openshift.io/v1]
- ConsoleLink [console.openshift.io/v1]
- ConsoleNotification [console.openshift.io/v1]
- ConsolePlugin [console.openshift.io/v1]
- ConsoleQuickStart [console.openshift.io/v1]
- ConsoleSample [console.openshift.io/v1]
- ConsoleYAMLSample [console.openshift.io/v1]
- Extension APIs
- About Extension APIs
- APIService [apiregistration.k8s.io/v1]
- CustomResourceDefinition [apiextensions.k8s.io/v1]
- MutatingWebhookConfiguration [admissionregistration.k8s.io/v1]
- ValidatingAdmissionPolicy [admissionregistration.k8s.io/v1]
- ValidatingAdmissionPolicyBinding [admissionregistration.k8s.io/v1]
- ValidatingWebhookConfiguration [admissionregistration.k8s.io/v1]
- Image APIs
- About Image APIs
- Image [image.openshift.io/v1]
- ImageSignature [image.openshift.io/v1]
- ImageStreamImage [image.openshift.io/v1]
- ImageStreamImport [image.openshift.io/v1]
- ImageStreamLayers [image.openshift.io/v1]
- ImageStreamMapping [image.openshift.io/v1]
- ImageStream [image.openshift.io/v1]
- ImageStreamTag [image.openshift.io/v1]
- ImageTag [image.openshift.io/v1]
- SecretList [image.openshift.io/v1]
- Machine APIs
- About Machine APIs
- ContainerRuntimeConfig [machineconfiguration.openshift.io/v1]
- ControllerConfig [machineconfiguration.openshift.io/v1]
- ControlPlaneMachineSet [machine.openshift.io/v1]
- KubeletConfig [machineconfiguration.openshift.io/v1]
- MachineConfig [machineconfiguration.openshift.io/v1]
- MachineConfigPool [machineconfiguration.openshift.io/v1]
- MachineHealthCheck [machine.openshift.io/v1beta1]
- Machine [machine.openshift.io/v1beta1]
- MachineSet [machine.openshift.io/v1beta1]
- MachineConfigNode [machineconfiguration.openshift.io/v1]
- MachineOSBuild [machineconfiguration.openshift.io/v1]
- MachineOSConfig [machineconfiguration.openshift.io/v1]
- PinnedImageSet [machineconfiguration.openshift.io/v1]
- Metadata APIs
- Monitoring APIs
- About Monitoring APIs
- Alertmanager [monitoring.coreos.com/v1]
- AlertmanagerConfig [monitoring.coreos.com/v1beta1]
- AlertRelabelConfig [monitoring.openshift.io/v1]
- AlertingRule [monitoring.openshift.io/v1]
- PodMonitor [monitoring.coreos.com/v1]
- Probe [monitoring.coreos.com/v1]
- Prometheus [monitoring.coreos.com/v1]
- PrometheusRule [monitoring.coreos.com/v1]
- ServiceMonitor [monitoring.coreos.com/v1]
- ThanosRuler [monitoring.coreos.com/v1]
- NodeMetrics [metrics.k8s.io/v1beta1]
- PodMetrics [metrics.k8s.io/v1beta1]
- Network APIs
- About Network APIs
- ClusterUserDefinedNetwork [k8s.ovn.org/v1]
- AdminNetworkPolicy [policy.networking.k8s.io/v1alpha1]
- AdminPolicyBasedExternalRoute [k8s.ovn.org/v1]
- BaselineAdminNetworkPolicy [policy.networking.k8s.io/v1alpha1]
- CloudPrivateIPConfig [cloud.network.openshift.io/v1]
- EgressFirewall [k8s.ovn.org/v1]
- EgressIP [k8s.ovn.org/v1]
- EgressQoS [k8s.ovn.org/v1]
- EgressService [k8s.ovn.org/v1]
- Endpoints [undefined/v1]
- EndpointSlice [discovery.k8s.io/v1]
- EgressRouter [network.operator.openshift.io/v1]
- GRPCRoute [gateway.networking.k8s.io/v1]
- Gateway [gateway.networking.k8s.io/v1]
- GatewayClass [gateway.networking.k8s.io/v1]
- HTTPRoute [gateway.networking.k8s.io/v1]
- Ingress [networking.k8s.io/v1]
- IngressClass [networking.k8s.io/v1]
- IPAddress [networking.k8s.io/v1]
- IPAMClaim [k8s.cni.cncf.io/v1alpha1]
- IPPool [whereabouts.cni.cncf.io/v1alpha1]
- MultiNetworkPolicy [k8s.cni.cncf.io/v1beta1]
- NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]
- NetworkPolicy [networking.k8s.io/v1]
- NodeSlicePool [whereabouts.cni.cncf.io/v1alpha1]
- OverlappingRangeIPReservation [whereabouts.cni.cncf.io/v1alpha1]
- PodNetworkConnectivityCheck [controlplane.operator.openshift.io/v1alpha1]
- ReferenceGrant [gateway.networking.k8s.io/v1beta1]
- Route [route.openshift.io/v1]
- Service [undefined/v1]
- ServiceCIDR [networking.k8s.io/v1]
- IPAddressClaim [ipam.cluster.x-k8s.io/v1beta1]
- UserDefinedNetwork [k8s.ovn.org/v1]
- Node APIs
- OAuth APIs
- Operator APIs
- About Operator APIs
- Authentication [operator.openshift.io/v1]
- CloudCredential [operator.openshift.io/v1]
- ClusterCSIDriver [operator.openshift.io/v1]
- Console [operator.openshift.io/v1]
- Config [operator.openshift.io/v1]
- Config [imageregistry.operator.openshift.io/v1]
- Config [samples.operator.openshift.io/v1]
- CSISnapshotController [operator.openshift.io/v1]
- DNS [operator.openshift.io/v1]
- DNSRecord [ingress.operator.openshift.io/v1]
- Etcd [operator.openshift.io/v1]
- ImageContentSourcePolicy [operator.openshift.io/v1alpha1]
- ImagePruner [imageregistry.operator.openshift.io/v1]
- IngressController [operator.openshift.io/v1]
- InsightsOperator [operator.openshift.io/v1]
- KubeAPIServer [operator.openshift.io/v1]
- KubeControllerManager [operator.openshift.io/v1]
- KubeScheduler [operator.openshift.io/v1]
- KubeStorageVersionMigrator [operator.openshift.io/v1]
- MachineConfiguration [operator.openshift.io/v1]
- Network [operator.openshift.io/v1]
- OpenShiftAPIServer [operator.openshift.io/v1]
- OpenShiftControllerManager [operator.openshift.io/v1]
- OperatorPKI [network.operator.openshift.io/v1]
- ServiceCA [operator.openshift.io/v1]
- Storage [operator.openshift.io/v1]
- OperatorHub APIs
- About OperatorHub APIs
- CatalogSource [operators.coreos.com/v1alpha1]
- ClusterCatalog [olm.operatorframework.io/v1]
- ClusterExtension [olm.operatorframework.io/v1]
- ClusterServiceVersion [operators.coreos.com/v1alpha1]
- InstallPlan [operators.coreos.com/v1alpha1]
- OLMConfig [operators.coreos.com/v1]
- Operator [operators.coreos.com/v1]
- OperatorCondition [operators.coreos.com/v2]
- OperatorGroup [operators.coreos.com/v1]
- PackageManifest [packages.operators.coreos.com/v1]
- Subscription [operators.coreos.com/v1alpha1]
- Policy APIs
- Project APIs
- Provisioning APIs
- About Provisioning APIs
- BMCEventSubscription [metal3.io/v1alpha1]
- BareMetalHost [metal3.io/v1alpha1]
- DataImage [metal3.io/v1alpha1]
- FirmwareSchema [metal3.io/v1alpha1]
- HardwareData [metal3.io/v1alpha1]
- HostFirmwareComponents [metal3.io/v1alpha1]
- HostFirmwareSettings [metal3.io/v1alpha1]
- HostUpdatePolicy [metal3.io/v1alpha1]
- Metal3Remediation [infrastructure.cluster.x-k8s.io/v1beta1]
- Metal3RemediationTemplate [infrastructure.cluster.x-k8s.io/v1beta1]
- PreprovisioningImage [metal3.io/v1alpha1]
- Provisioning [metal3.io/v1alpha1]
- RBAC APIs
- Role APIs
- Schedule and quota APIs
- About Schedule and quota APIs
- AppliedClusterResourceQuota [quota.openshift.io/v1]
- ClusterResourceQuota [quota.openshift.io/v1]
- FlowSchema [flowcontrol.apiserver.k8s.io/v1]
- LimitRange [undefined/v1]
- PriorityClass [scheduling.k8s.io/v1]
- PriorityLevelConfiguration [flowcontrol.apiserver.k8s.io/v1]
- ResourceQuota [undefined/v1]
- Security APIs
- About Security APIs
- CertificateSigningRequest [certificates.k8s.io/v1]
- CredentialsRequest [cloudcredential.openshift.io/v1]
- PodSecurityPolicyReview [security.openshift.io/v1]
- PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- PodSecurityPolicySubjectReview [security.openshift.io/v1]
- RangeAllocation [security.openshift.io/v1]
- Secret [undefined/v1]
- SecurityContextConstraints [security.openshift.io/v1]
- ServiceAccount [undefined/v1]
- Storage APIs
- About Storage APIs
- CSIDriver [storage.k8s.io/v1]
- CSINode [storage.k8s.io/v1]
- CSIStorageCapacity [storage.k8s.io/v1]
- PersistentVolume [undefined/v1]
- PersistentVolumeClaim [undefined/v1]
- StorageClass [storage.k8s.io/v1]
- StorageState [migration.k8s.io/v1alpha1]
- StorageVersionMigration [migration.k8s.io/v1alpha1]
- VolumeAttachment [storage.k8s.io/v1]
- VolumePopulator [populator.storage.k8s.io/v1beta1]
- VolumeSnapshot [snapshot.storage.k8s.io/v1]
- VolumeSnapshotClass [snapshot.storage.k8s.io/v1]
- VolumeSnapshotContent [snapshot.storage.k8s.io/v1]
- Template APIs
- User and group APIs
- Workloads APIs
- About Workloads APIs
- BuildConfig [build.openshift.io/v1]
- Build [build.openshift.io/v1]
- BuildLog [build.openshift.io/v1]
- BuildRequest [build.openshift.io/v1]
- CronJob [batch/v1]
- DaemonSet [apps/v1]
- Deployment [apps/v1]
- DeploymentConfig [apps.openshift.io/v1]
- DeploymentConfigRollback [apps.openshift.io/v1]
- DeploymentLog [apps.openshift.io/v1]
- DeploymentRequest [apps.openshift.io/v1]
- Job [batch/v1]
- Pod [undefined/v1]
- ReplicationController [undefined/v1]
- ReplicaSet [apps/v1]
- StatefulSet [apps/v1]
- Virtualization
- About
- Getting started
- Installing
- Postinstallation configuration
- Updating
- Creating a virtual machine
- Advanced VM creation
- Managing VMs
- Listing virtual machines
- Installing the QEMU guest agent and VirtIO drivers
- Connecting to VM consoles
- Configuring SSH access to VMs
- Editing virtual machines
- Editing boot order
- Deleting virtual machines
- Enabling or disabling virtual machine delete protection
- Exporting virtual machines
- Managing virtual machine instances
- Controlling virtual machine states
- Using virtual Trusted Platform Module devices
- Managing virtual machines with OpenShift Pipelines
- Migrating VMs in a single cluster to a different storage class
- Advanced virtual machine management
- Working with resource quotas for virtual machines
- Configuring the Application-Aware Quota Operator
- Specifying nodes for virtual machines
- Configuring the default CPU model
- UEFI mode for virtual machines
- Configuring PXE booting for virtual machines
- Using huge pages with virtual machines
- Enabling dedicated resources for a virtual machine
- Scheduling virtual machines
- Configuring PCI passthrough
- Configuring virtual GPUs
- Configuring USB host passthrough
- Enabling descheduler evictions on virtual machines
- About high availability for virtual machines
- Control plane tuning
- Assigning compute resources
- About multi-queue functionality
- Managing virtual machines by using OpenShift GitOps
- Working with NUMA topology for virtual machines
- VM disks
- Networking
- Networking configuration overview
- Connecting a VM to the default pod network
- Connecting a VM to a primary user-defined network
- Connecting a VM to a secondary localnet user-defined network
- Exposing a VM by using a service
- Accessing a VM by using its internal FQDN
- Connecting a VM to a Linux bridge network
- Connecting a VM to an SR-IOV network
- Using DPDK with SR-IOV
- Connecting a VM to an OVN-Kubernetes layer 2 secondary network
- Hot plugging secondary network interfaces
- Setting VM interface link state
- Connecting a VM to a service mesh
- Configuring a dedicated network for live migration
- Configuring and viewing IP addresses
- Accessing a VM by using its external FQDN
- Managing MAC address pools for network interfaces
- Storage
- Storage configuration overview
- Configuring storage profiles
- Managing automatic boot source updates
- Reserving PVC space for file system overhead
- Configuring local storage by using HPP
- Enabling user permissions to clone data volumes across namespaces
- Configuring CDI to override CPU and memory quotas
- Preparing CDI scratch space
- Using preallocation for data volumes
- Managing data volume annotations
- Understanding virtual machine storage with the CSI paradigm
- Using OpenShift Virtualization with IBM Fusion Access for SAN
- Live migration
- Nodes
- Monitoring
- Support
- Backup and restore
×
Creating advanced routes
- Creating an edge route with a custom certificate
- Creating a re-encrypt route with a custom certificate
- Creating a passthrough route
- Creating a route using the destination CA certificate in the Ingress annotation
- Creating a route with externally managed certificates
- Creating a route using the default certificate through an Ingress object
You can create secure routes with the ability to use several types of TLS termination to serve certificates to the client. The following sections describe how to create re-encrypt, edge, and passthrough routes with custom certificates.
Creating an edge route with a custom certificate
You can configure a secure route using edge TLS termination with a custom certificate by using the oc create route command. With an edge route, the Ingress Controller terminates TLS encryption before forwarding traffic to the destination pod. The route specifies the TLS certificate and key that the Ingress Controller uses for the route.
This procedure creates a Route resource with a custom certificate and edge TLS termination. The following assumes that the certificate/key pair are in the tls.crt and tls.key files in the current working directory. You may also specify a CA certificate if needed to complete the certificate chain. Substitute the actual path names for tls.crt, tls.key, and (optionally) ca.crt. Substitute the name of the service that you want to expose for frontend. Substitute the appropriate hostname for www.example.com.
Prerequisites
-
You must have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
-
You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
-
You must have a service that you want to expose.
|
Password protected key files are not supported. To remove a passphrase from a key file, use the following command: |
Procedure
-
Create a secure
Routeresource using edge TLS termination and a custom certificate.$ oc create route edge --service=frontend --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=www.example.comIf you examine the resulting
Routeresource, it should look similar to the following:YAML Definition of the Secure RouteapiVersion: route.openshift.io/v1 kind: Route metadata: name: frontend spec: host: www.example.com to: kind: Service name: frontend tls: termination: edge key: |- -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- certificate: |- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- caCertificate: |- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----See
oc create route edge --helpfor more options.
Creating a re-encrypt route with a custom certificate
You can configure a secure route using re-encrypt TLS termination with a custom certificate by using the oc create route command.
This procedure creates a Route resource with a custom certificate and reencrypt TLS termination. The following assumes that the certificate/key pair are in the tls.crt and tls.key files in the current working directory. You must also specify a destination CA certificate to enable the Ingress Controller to trust the service’s certificate. You may also specify a CA certificate if needed to complete the certificate chain. Substitute the actual path names for tls.crt, tls.key, cacert.crt, and (optionally) ca.crt. Substitute the name of the Service resource that you want to expose for frontend. Substitute the appropriate hostname for www.example.com.
Prerequisites
-
You must have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
-
You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
-
You must have a separate destination CA certificate in a PEM-encoded file.
-
You must have a service that you want to expose.
|
Password protected key files are not supported. To remove a passphrase from a key file, use the following command: |
Procedure
-
Create a secure
Routeresource using reencrypt TLS termination and a custom certificate:$ oc create route reencrypt --service=frontend --cert=tls.crt --key=tls.key --dest-ca-cert=destca.crt --ca-cert=ca.crt --hostname=www.example.comIf you examine the resulting
Routeresource, it should look similar to the following:YAML Definition of the Secure RouteapiVersion: route.openshift.io/v1 kind: Route metadata: name: frontend spec: host: www.example.com to: kind: Service name: frontend tls: termination: reencrypt key: |- -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- certificate: |- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- caCertificate: |- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- destinationCACertificate: |- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----See
oc create route reencrypt --helpfor more options.
Creating a passthrough route
You can configure a secure route using passthrough termination by using the oc create route command. With passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore no key or certificate is required on the route.
Prerequisites
-
You must have a service that you want to expose.
Procedure
-
Create a
Routeresource:$ oc create route passthrough route-passthrough-secured --service=frontend --port=8080If you examine the resulting
Routeresource, it should look similar to the following:A Secured Route Using Passthrough TerminationapiVersion: route.openshift.io/v1 kind: Route metadata: name: route-passthrough-secured (1) spec: host: www.example.com port: targetPort: 8080 tls: termination: passthrough (2) insecureEdgeTerminationPolicy: None (3) to: kind: Service name: frontend1 The name of the object, which is limited to 63 characters. 2 The terminationfield is set topassthrough. This is the only requiredtlsfield.3 Optional insecureEdgeTerminationPolicy. The only valid values areNone,Redirect, or empty for disabled.The destination pod is responsible for serving certificates for the traffic at the endpoint. This is currently the only method that can support requiring client certificates, also known as two-way authentication.
Creating a route using the destination CA certificate in the Ingress annotation
The route.openshift.io/destination-ca-certificate-secret annotation can be used on an Ingress object to define a route with a custom destination CA certificate.
Prerequisites
-
You may have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
-
You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
-
You must have a separate destination CA certificate in a PEM-encoded file.
-
You must have a service that you want to expose.
Procedure
-
Create a secret for the destination CA certificate by entering the following command:
$ oc create secret generic dest-ca-cert --from-file=tls.crt=<file_path>For example:
$ oc -n test-ns create secret generic dest-ca-cert --from-file=tls.crt=tls.crtExample outputsecret/dest-ca-cert created -
Add the
route.openshift.io/destination-ca-certificate-secretto the Ingress annotations:apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: frontend annotations: route.openshift.io/termination: "reencrypt" route.openshift.io/destination-ca-certificate-secret: secret-ca-cert (1) ...1 The annotation references a kubernetes secret. -
The secret referenced in this annotation will be inserted into the generated route.
Example outputapiVersion: route.openshift.io/v1 kind: Route metadata: name: frontend annotations: route.openshift.io/termination: reencrypt route.openshift.io/destination-ca-certificate-secret: secret-ca-cert spec: ... tls: insecureEdgeTerminationPolicy: Redirect termination: reencrypt destinationCACertificate: | -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- ...
Creating a route with externally managed certificates
You can configure OKD routes with third-party certificate management solutions by using the .spec.tls.externalCertificate field of the route API. You can reference externally managed TLS certificates via secrets, eliminating the need for manual certificate management.
By using the externally managed certificate, you can reduce errors to ensure a smoother rollout of certificate updates and enable the OpenShift router to serve renewed certificates promptly. You can use externally managed certificates with both edge routes and re-encrypt routes.
Prerequisites
-
You must have a secret containing a valid certificate or key pair in PEM-encoded format of type
kubernetes.io/tls, which includes bothtls.keyandtls.crtkeys. Example command:$ oc create secret tls myapp-tls --cert=server.crt --key=server.key.
Procedure
-
Create a
roleobject in the same namespace as the secret to allow the router service account read access by running the following command:$ oc create role secret-reader --verb=get,list,watch --resource=secrets --resource-name=<secret-name> \ --namespace=<current-namespace>-
<secret-name>: Specify the actual name of your secret. -
<current-namespace>: Specify the namespace where both your secret and route reside.
-
-
Create a
rolebindingobject in the same namespace as the secret and bind the router service account to the newly created role by running the following command:$ oc create rolebinding secret-reader-binding --role=secret-reader --serviceaccount=openshift-ingress:router --namespace=<current-namespace>-
<current-namespace>: Specify the namespace where both your secret and route reside.
-
-
Create a YAML file that defines the
routeand specifies the secret containing your certificate using the following example.YAML definition of the secure routeapiVersion: route.openshift.io/v1 kind: Route metadata: name: myedge namespace: test spec: host: myedge-test.apps.example.com tls: externalCertificate: name: <secret-name> termination: edge [...] [...]-
<secret-name>: Specify the actual name of your secret.
-
-
Create a
routeresource by running the following command:$ oc apply -f <route.yaml>-
<route.yaml>: Specify the generated YAML filename.If the secret exists and has a certificate/key pair, the router will serve the generated certificate if all prerequisites are met.
If
.spec.tls.externalCertificateis not provided, the router uses default generated certificates.You cannot provide the
.spec.tls.certificatefield or the.spec.tls.keyfield when using the.spec.tls.externalCertificatefield.
-
Creating a route using the default certificate through an Ingress object
If you create an Ingress object without specifying any TLS configuration, OKD generates an insecure route. To create an Ingress object that generates a secure, edge-terminated route using the default ingress certificate, you can specify an empty TLS configuration as follows.
Prerequisites
-
You have a service that you want to expose.
-
You have access to the OpenShift CLI (
oc).
Procedure
-
Create a YAML file for the Ingress object. In this example, the file is called
example-ingress.yaml:YAML definition of an Ingress objectapiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: frontend ... spec: rules: ... tls: - {} (1)1 Use this exact syntax to specify TLS without specifying a custom certificate. -
Create the Ingress object by running the following command:
$ oc create -f example-ingress.yaml
Verification
-
Verify that OKD has created the expected route for the Ingress object by running the following command:
$ oc get routes -o yamlExample outputapiVersion: v1 items: - apiVersion: route.openshift.io/v1 kind: Route metadata: name: frontend-j9sdd (1) ... spec: ... tls: (2) insecureEdgeTerminationPolicy: Redirect termination: edge (3) ...1 The name of the route includes the name of the Ingress object followed by a random suffix. 2 In order to use the default certificate, the route should not specify spec.certificate.3 The route should specify the edgetermination policy.