Eduardo Lucio

A new and (almost) effective way to update routes and allow external access

This is a procedure I tried to use to update all the routes of an already installed cluster to allow external access to it.

The procedure below seems very viable to me, but we have been having some problems so I would like your help to solve this big problem that has been consuming me for days... =|


PROCEDURES:

I found all namespaces that have routes...

[root@okd4-services okd_bare_metal]# oc get routes --all-namespaces
NAMESPACE                  NAME                HOST/PORT                                                   PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.mbr.okd.local                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.mbr.okd.local                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.mbr.okd.local                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.mbr.okd.local                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.mbr.okd.local          alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.mbr.okd.local                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.mbr.okd.local             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.mbr.okd.local             thanos-querier      web     reencrypt/Redirect     None

I found all the resources related to each namespace and took note of the route configuration paths...

[root@okd4-services okd_bare_metal]# oc -n openshift-authentication get all
[...]
NAME                                       HOST/PORT                            PATH   SERVICES          PORT   TERMINATION            WILDCARD
route.route.openshift.io/oauth-openshift   oauth-openshift.apps.mbr.okd.local          oauth-openshift   6443   passthrough/Redirect   None
[root@okd4-services okd_bare_metal]# oc -n openshift-console get all
[...]
NAME                                 HOST/PORT                                        PATH   SERVICES    PORT    TERMINATION          WILDCARD
route.route.openshift.io/console     console-openshift-console.apps.mbr.okd.local            console     https   reencrypt/Redirect   None
route.route.openshift.io/downloads   downloads-openshift-console.apps.mbr.okd.local          downloads   http    edge/Redirect        None
[root@okd4-services okd_bare_metal]# oc -n openshift-ingress-canary get all
[...]
NAME                              HOST/PORT                                            PATH   SERVICES         PORT   TERMINATION     WILDCARD
route.route.openshift.io/canary   canary-openshift-ingress-canary.apps.mbr.okd.local          ingress-canary   8080   edge/Redirect   None
[root@okd4-services okd_bare_metal]# oc -n openshift-monitoring get all
[...]
NAME                                         HOST/PORT                                                   PATH   SERVICES            PORT    TERMINATION          WILDCARD
route.route.openshift.io/alertmanager-main   alertmanager-main-openshift-monitoring.apps.mbr.okd.local          alertmanager-main   web     reencrypt/Redirect   None
route.route.openshift.io/grafana             grafana-openshift-monitoring.apps.mbr.okd.local                    grafana             https   reencrypt/Redirect   None
route.route.openshift.io/prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.mbr.okd.local             prometheus-k8s      web     reencrypt/Redirect   None
route.route.openshift.io/thanos-querier      thanos-querier-openshift-monitoring.apps.mbr.okd.local             thanos-querier      web     reencrypt/Redirect   None

In each route I updated the host property to a new domain...

oc edit -n openshift-console route.route.openshift.io/console
oc edit -n openshift-console route.route.openshift.io/downloads
oc edit -n openshift-ingress-canary route.route.openshift.io/canary
oc edit -n openshift-monitoring route.route.openshift.io/alertmanager-main
oc edit -n openshift-monitoring route.route.openshift.io/grafana
oc edit -n openshift-monitoring route.route.openshift.io/prometheus-k8s
oc edit -n openshift-monitoring route.route.openshift.io/thanos-querier

In other words, I modified something like this...

apiVersion: route.openshift.io/v1
kind: Route
metadata:
[...]
spec:
  host: route-name.apps.mbr.okd.local
[...]
status:
[...]
    host: route-name.apps.mbr.okd.local
[...]

... to something like this...

apiVersion: route.openshift.io/v1
kind: Route
metadata:
[...]
spec:
  host: route-name.apps.mbr.mydomain.net
[...]
status:
[...]
    host: route-name.apps.mbr.mydomain.net
[...]

In the case of the route route.route.openshift.io/oauth-openshift I needed to modify the ingress...

oc edit ingress.config.openshift.io

... modifying the domain property from something like this...

apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
[...]
spec:
  domain: apps.mbr.okd.local
[...]

... to something like this...

apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
[...]
spec:
  domain: apps.mbr.mydomain.net
[...]

After doing the above procedures all my routes were updated to the new domain...

[root@okd4-services okd_bare_metal]# oc get routes --all-namespaces
NAMESPACE                  NAME                HOST/PORT                                                     PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.mbr.mydomain.net                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.mbr.mydomain.net                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.mbr.mydomain.net                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.mbr.mydomain.net                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.mbr.mydomain.net          alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.mbr.mydomain.net                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.mbr.mydomain.net             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.mbr.mydomain.net             thanos-querier      web     reencrypt/Redirect     None

PROBLEMS:

However, the following new problems arose...

I can access the new Web Console route...

https://console-openshift-console.apps.mbr.mydomain.net/

... and it redirects to the route below (old domain)...

https://oauth-openshift.apps.mbr.okd.local/oauth/authorize?client_id=console&redirect_uri=https%3A%2F%2Fconsole-openshift-console.apps.mbr.mydomain.net%2Fauth%2Fcallback&response_type=code&scope=user%3Afull&state=3ba1134a


... but we can use the new route...

https://oauth-openshift.apps.mbr.mydomain.net/oauth/authorize?client_id=console&redirect_uri=https%3A%2F%2Fconsole-openshift-console.apps.mbr.mydomain.net%2Fauth%2Fcallback&response_type=code&scope=user%3Afull&state=3ba1134a

... so that works great...


... I enter the login, password, click on Log in and I'm redirected to this URL...

https://console-openshift-console.apps.mbr.mydomain.net/error?error=invalid_code&error_type=auth

... which in turn redirects to this (old domain)...

https://oauth-openshift.apps.mbr.okd.local/oauth/authorize?client_id=console&redirect_uri=https%3A%2F%2Fconsole-openshift-console.apps.mbr.mydomain.net%2Fauth%2Fcallback&response_type=code&scope=user%3Afull&state=da4a1dd0



CONCLUSION:

Even though we successfully updated the routes as shown above, we started to have problems with the login and with the URLs of the Web Console, which are not updated to the new domain.



QUESTION:

Does anyone have any idea how we can solve the mentioned problems?


IMPORTANT:
I - We've already tried this procedure, Customizing the web console URL, but it doesn't update all routes, does not update URLs in the Web Console, and also has the same login issues as above;
II - I also tried this procedure, Creating a route through an Ingress object, but likewise it doesn't seem to me like something that will solve the problems pointed out.

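The script below is an added example and is not code from the question or the answer. It turns the manual procedure above into a repeatable check: it reads the same table that `oc get routes --all-namespaces` prints, lists every route whose host is still under the old domain, generates the `oc patch` command that would move each one, and tests whether a console `Location` redirect (like the one pasted above) points at the new domain. The domain names are the ones from the question; the route table and the redirect URL are constructed sample data so it runs without a cluster. Note that the question itself found the oauth-openshift route is governed by the Ingress config rather than by editing the route, so the patch the script prints for it documents the gap rather than being the fix.

```shell
#!/usr/bin/env bash
# Added example (not from the original question): audit route hosts after an
# ingress domain change, generate `oc patch` commands for stragglers, and check
# where the console's OAuth redirect points. Samples below are constructed.
set -eu

OLD_DOMAIN="apps.mbr.okd.local"     # domain used in the question
NEW_DOMAIN="apps.mbr.mydomain.net"  # domain used in the question

stale_routes() {
  # usage: oc get routes --all-namespaces | stale_routes OLD_DOMAIN
  # Prints "namespace name host" for each route still under OLD_DOMAIN.
  # NAMESPACE, NAME and HOST/PORT are columns 1-3, which come before the
  # optional PATH column, so the field numbers hold even when PATH is empty.
  awk -v old="$1" '
    NR > 1 && length($3) > length(old) &&
    substr($3, length($3) - length(old)) == "." old { print $1, $2, $3 }'
}

patch_commands() {
  # usage: oc get routes --all-namespaces | patch_commands OLD_DOMAIN NEW_DOMAIN
  # Emits one merge patch per stale route; review the output, then pipe it into sh.
  stale_routes "$1" | while read -r ns name host; do
    newhost="${host%.$1}.$2"   # swap the domain suffix, keep the route prefix
    printf "oc -n %s patch route %s --type=merge -p '{\"spec\":{\"host\":\"%s\"}}'\n" \
      "$ns" "$name" "$newhost"
  done
}

url_host() {
  # Extract host[:port] from scheme://host[:port]/path?query
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/?]*).*#\1#'
}

redirect_on_domain() {
  # usage: redirect_on_domain URL DOMAIN -> exit 0 if URL's host is under DOMAIN
  case "$(url_host "$1")" in
    *."$2") return 0 ;;
    *)      return 1 ;;
  esac
}

# Constructed sample: `oc get routes --all-namespaces` after a partial change,
# with only the oauth-openshift route still on the old domain.
SAMPLE_ROUTES='NAMESPACE                  NAME                HOST/PORT                                                     PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.mbr.okd.local                                    oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.mbr.mydomain.net                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.mbr.mydomain.net                     downloads           http    edge/Redirect          None'

# Constructed sample: the redirect the console issued in the question.
SAMPLE_LOCATION='https://oauth-openshift.apps.mbr.okd.local/oauth/authorize?client_id=console&redirect_uri=https%3A%2F%2Fconsole-openshift-console.apps.mbr.mydomain.net%2Fauth%2Fcallback&response_type=code&scope=user%3Afull&state=3ba1134a'

echo "# routes still on $OLD_DOMAIN:"
printf '%s\n' "$SAMPLE_ROUTES" | stale_routes "$OLD_DOMAIN"
echo "# commands that would move them (review first, then pipe into sh):"
printf '%s\n' "$SAMPLE_ROUTES" | patch_commands "$OLD_DOMAIN" "$NEW_DOMAIN"
if redirect_on_domain "$SAMPLE_LOCATION" "$NEW_DOMAIN"; then
  echo "# console OAuth redirect is on $NEW_DOMAIN"
else
  echo "# console still sends logins to $(url_host "$SAMPLE_LOCATION"); expected a host under $NEW_DOMAIN"
fi

# Against a live cluster, feed real data instead of the samples (assumed usage):
#   oc get routes --all-namespaces | stale_routes "$OLD_DOMAIN"
#   curl -skI "https://console-openshift-console.$NEW_DOMAIN/" | awk 'tolower($1)=="location:"{print $2}'
#   oc get --raw /.well-known/oauth-authorization-server   # authorization_endpoint should be on NEW_DOMAIN too
```

The redirect check is the one worth keeping after any fix attempt: as long as the console answers with a `Location` on the old domain, the login will fail with `invalid_code` regardless of how many route hosts have been rewritten, because the authorization code is issued by one OAuth host and redeemed against another.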

Answers (1)

Rick Rackow

The documentation is pretty clear: you cannot currently update the domain value of the ingress controller:

The domain value must be unique among all Ingress Controllers and cannot be updated.

You can try to change your clusterConfig and adjust the domain, afterward try to delete and recreate the ingressController. There may be dragons.
