openshift route types Setup and Configuration

Author

Reads 283

A Person Handing over a Mortgage Application Form
Credit: pexels.com, A Person Handing over a Mortgage Application Form

Let's dive into the world of OpenShift route types. There are three main types of routes in OpenShift: NodePort, LoadBalancer, and Ingress.

Each route type serves a specific purpose and is used in different scenarios. We'll explore the setup and configuration for each type.

To create a NodePort route, you need to specify the targetPort and nodePort in the route configuration. This allows external traffic to access your application by routing through a specific port on a node.

A LoadBalancer route, on the other hand, is created automatically by OpenShift when you expose a service with a load balancer type. This route type is ideal for cloud providers that support load balancers.

Ingress routes are the most flexible and powerful route type in OpenShift. They allow you to define a single entry point for your application and can be configured to route traffic to multiple services.

Worth a look: Openshift Ingress

Route Types

There are two main types of routes in OpenShift: secured and unsecured. Unsecured routes are the simplest to configure, requiring no key or certificates.

Secured routes, on the other hand, provide security for connections to remain private, and can use several types of TLS termination to serve certificates to the client.

The available types of TLS termination for secured routes are edge, passthrough, and re-encryption termination.

For another approach, see: Golang Routers

Path Based

Credit: youtube.com, 54 Pure Webserver 4 - Path based routing

Path Based routes are a type of route that specify a path component that can be compared against a URL. This allows multiple routes to be served using the same hostname, each with a different path.

The path is the only added attribute for a path-based route, making them relatively simple to implement. The router should match routes based on the most specific path to the least, but this depends on the router implementation.

For example, if you have a route www.example.com/test and a request is made to www.example.com/test, the route will be accessible. However, if the request is made to www.example.com without the path, the route will not be accessible.

Here's a table showing example routes and their accessibility:

It's worth noting that path-based routing is not available when using passthrough TLS, as the router does not terminate TLS in that case and cannot read the contents of the request.

Sharding

Sharding allows you to distribute routes across multiple routers, improving scalability and flexibility.

Credit: youtube.com, 3 Techniques for Database Sharding Explained | The Ultimate Guide to Scaling Databases

A router uses selectors to select a subset of routes from the entire pool of routes to serve. These selectors can involve labels on the route's namespace.

Sharding can be done by the administrator at a cluster level and by the user at a project/namespace level.

In traditional sharding, a route belongs to exactly one shard, but in overlapped sharding, a route can belong to many different shards.

Here's a table comparing traditional and overlapped sharding:

In the case of overlapped sharding, if an older route claiming an existing host name is "re-labelled" to match the router's selection criteria, it will replace the existing route based on the resolution order (oldest route wins).

Sharding can also be used to balance incoming traffic load among a set of Ingress Controllers.

Exercise: a

You can create a Route from the OpenShift Console or using the oc CLI. The suggested method is to define a cloud domain with a wildcard DNS entry pointing to one or more virtual IP (VIP) addresses backed by multiple router instances.

Black and white image of a delivery driver inside a cargo van, showcasing service and transportation.
Credit: pexels.com, Black and white image of a delivery driver inside a cargo van, showcasing service and transportation.

To create a Route, you'll need to insert the service name in the Name field, select the service from the Service field, and choose the target port. In the Security section, you can check Secure route and select Edge from TLS Termination list.

When creating a Route, you can also provide options like the hostname and path for the Route or other TLS configurations. However, the TLS certificate for cluster Apps domains is used by default, so you don't need to add any certificate.

Here are the steps to create a Route from the OpenShift Console:

1. Navigate to the Routes page under the Applications section of the navigation.

2. Click Create Route to define and create a route in your project.

3. Insert the service name in the Name field.

4. Select the service from the Service field and choose the target port.

5. In the Security section, check Secure route and select Edge from TLS Termination list.

6. Leave all other fields blank and click Create.

Alternatively, you can use the oc CLI to create a Route using the create route command.

Discover more: Openshift Security

Security

Credit: youtube.com, Next Generation OpenShift Routes

Security is a top priority when it comes to OpenShift routes. Secured routes specify the TLS termination of the route and can use any of three types of secure TLS termination: Edge Termination, Passthrough Termination, and Re-encryption Termination.

Edge Termination is the most common type, where TLS termination occurs at the router, prior to proxying traffic to its destination. This means that connections from the router to the endpoints over the internal network are not encrypted. However, this can be mitigated by using an insecureEdgeTerminationPolicy to disable, allow, or redirect traffic on insecure schemes.

To secure Edge Termination, you'll need to configure TLS certificates into the route, which must be in PEM format. This includes the key and certificate fields, as well as an optional CA certificate to establish a certificate chain for validation.

Re-encryption Termination is a variation of Edge Termination where the router terminates TLS with a certificate, then re-encrypts its connection to the endpoint. This ensures that the full path of the connection is encrypted, even over the internal network. The router uses health checks to determine the authenticity of the host, and requires a destinationCACertificate to validate the endpoint certificate.

Secured

Low angle of focused multiethnic male tourists exploring nature and checking route on mobile phone
Credit: pexels.com, Low angle of focused multiethnic male tourists exploring nature and checking route on mobile phone

Secured routes in OpenShift Origin rely on SNI for serving custom certificates. Any non-SNI traffic received on port 443 is handled with TLS termination and a default certificate.

You can use one of three types of secure TLS termination: edge termination, passthrough termination, or re-encryption termination.

Edge termination occurs at the router, prior to proxying traffic to its destination. TLS certificates are served by the front end of the router, so they must be configured into the route.

Here are the key fields for edge termination:

  • 1. The name of the object, which is limited to 63 characters.
  • 2. The termination field is edge for edge termination.
  • 3. The key field is the contents of the PEM format key file.
  • 4. The certificate field is the contents of the PEM format certificate file.
  • 5. An optional CA certificate may be required to establish a certificate chain for validation.

With edge termination, connections from the router to the endpoints over the internal network are not encrypted. However, you can specify an insecureEdgeTerminationPolicy that enables traffic on insecure schemes (HTTP) to be disabled, allowed or redirected.

Aerial view of complex highway intersections in Los Angeles showcasing city infrastructure and urban landscape.
Credit: pexels.com, Aerial view of complex highway intersections in Los Angeles showcasing city infrastructure and urban landscape.

The allowed values for insecureEdgeTerminationPolicy are: None or empty (for disabled), Allow or Redirect. The default is to disable traffic on the insecure scheme.

Passthrough termination sends encrypted traffic straight to the destination without the router providing TLS termination. No key or certificate is required.

Re-encryption termination is a variation on edge termination where the router terminates TLS with a certificate, then re-encrypts its connection to the endpoint. The full path of the connection is encrypted, even over the internal network.

Enabling HSTS

Enabling HSTS is a crucial step in securing your online presence. To do this, you need to be logged in to the cluster with a user having administrator privileges for the project, and you need to have the oc CLI installed.

You can enable HSTS on a route by adding the haproxy.router.openshift.io/hsts_header value to the edge-terminated or re-encrypt route. This can be done using the oc annotate tool.

The haproxy.router.openshift.io/hsts_header value should be set to "max-age=31536000; includeSubDomains; preload". This sets the maximum age to 31536000 ms, which is approximately eight and a half hours.

Admission Policy Setup

Credit: youtube.com, Practical Challenges with Pod Security Admission - V Körbes & Christian Schlotter, VMware

To ensure the security of your cluster, it's essential to configure the route admission policy correctly. You should only enable allowing claims across namespaces for clusters with trust between namespaces, as a malicious user could take over a hostname otherwise.

The default admission policy disallows hostname claims across namespaces, so you need to make a change to allow this. You can do this by editing the .spec.routeAdmission field of the ingresscontroller resource variable using the following command: $oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=merge

Alternatively, you can apply the following YAML to configure the route admission policy: apiVersion: operator.openshift.io/v1 kind: IngressController metadata: name: default namespace: openshift-ingress-operator spec: routeAdmission: namespaceOwnership: InterNamespaceAllowed

Routers and Plug-ins

An OpenShift Origin administrator can deploy routers to nodes in an OpenShift Origin cluster, which enable routes created by developers to be used by external clients.

Routers are pluggable, and two available router plug-ins are provided and supported by default. These plug-ins assume they can bind to host ports 80 (HTTP) and 443 (HTTPS), by default.

Here's an interesting read: Microphone Plug Types

Credit: youtube.com, OpenShift Routes vs Custom Resource Definitions

The routing layer in OpenShift Origin is pluggable, and administrators can choose from multiple router plug-ins. Each router plug-in has its own configuration options and features.

OpenShift Origin routers use the service selector to find the service and the endpoints backing the service. This allows routers to automatically detect relevant changes in the IP addresses of its services and adapt its configuration accordingly.

A router's configuration can be customized to listen on other ports by setting the ROUTER_SERVICE_HTTP_PORT and ROUTER_SERVICE_HTTPS_PORT environment variables. This is useful for custom routers to communicate modifications of API objects to an external routing solution.

Routers support the following protocols: HTTP, HTTPS (with SNI), WebSockets, and TLS with SNI. WebSocket traffic uses the same route conventions and supports the same TLS termination types as other traffic.

Here are the supported protocols by OpenShift Origin routers:

  • HTTP
  • HTTPS (with SNI)
  • WebSockets
  • TLS with SNI

Configuring Routes

You can configure the default timeouts for an existing route when you need a low timeout for Service Level Availability (SLA) purposes or a high timeout for cases with a slow back end.

Credit: youtube.com, Openshift Routes | Openshift Tutorial | Insecure Route | Edge Route | Passthrough Route

To configure route timeouts, you need a deployed Ingress Controller on a running cluster.

You can add the timeout to the route using the oc annotate command, which allows you to set a timeout of two seconds on a route named myroute with the command: $oc annotate route myroute --overwrite haproxy.router.openshift.io/timeout=2s.

Supported time units for the timeout are microseconds (us), milliseconds (ms), seconds (s), minutes (m), hours (h), or days (d).

Curious to learn more? Check out: Openshift Command Line

Ingress and Annotations

You can use annotations in an Ingress object to configure the termination field of the Route. The accepted values are edge, passthrough, and reencrypt.

The route.openshift.io/termination annotation can be used to configure the spec.tls.termination field of the Route as Ingress has no field for this. The annotation value can be set to one of the accepted values.

Here are the accepted values for the route.openshift.io/termination annotation:

  • edge
  • passthrough
  • reencrypt

These values can be used to customize the termination behavior of the Route.

Cookies for Statefulness

Credit: youtube.com, Cookies for Stateful Sessions

Cookies can be used to configure session persistence in OpenShift Container Platform. They're created by the Ingress controller, which selects an endpoint to handle user requests and passes the cookie back in the response.

The cookie is then sent back with the next request in the session, telling the Ingress Controller which endpoint is handling the session. This ensures client requests are routed to the same pod.

Cookies cannot be set on passthrough routes because the HTTP traffic cannot be seen. Instead, a number is calculated based on the source IP address, which determines the backend.

If backends change, the traffic can be directed to the wrong server, making it less sticky. If you're using a load balancer, which hides source IP, the same number is set for all connections and traffic is sent to the same pod.

This means that setting a server-side timeout value for passthrough routes too low can cause WebSocket connections to timeout frequently on that route. It's essential to find a balance to ensure seamless communication.

You might like: Node Ip Openshift

Sharding for Ingress Controller

Credit: youtube.com, Kubernetes NGINX Ingress : 5 Useful Configuration Options

Sharding is a technique used to balance incoming traffic load among a set of Ingress Controllers, and isolate traffic to a specific Ingress Controller. This is useful for companies like A and B, where company A goes to one Ingress Controller and company B to another.

In OpenShift Origin, each route can have any number of labels in its metadata field, which a router uses to select a subset of routes to serve. This selection is also known as a selection expression, and it can involve labels on the route's namespace.

A router shard is formed by the selected routes, and this design supports both traditional sharding and overlapped sharding. Traditional sharding results in no overlapping sets, while overlapped sharding results in overlapping sets.

For example, a single route may belong to a SLA=high shard, but not SLA=medium or SLA=low shards, as well as a geo=west shard, but not a geo=east shard.

Credit: youtube.com, Kubernetes Ingress | Ingress controller | Ingress resource

To change overlapped sharding to traditional sharding, the selection of a router can be modified to eliminate the overlap. For instance, changing the selection of router-2 from K* — T* to K* — P* would eliminate the overlap.

A given route is bound to zero or more routers in the group, and the route binding ensures uniqueness of the route across the shard. This allows secure and non-secure versions of the same route to exist within a single shard.

The resolution order for two or more routes that claim the same host name is based on the age of the route, with the oldest route winning the claim to that host. In the case of sharded routers, routes are selected based on their labels matching the router's selection criteria.

Here's an example of how sharded routers select routes based on namespace labels:

Note that router-2 and router-3 serve routes that are in the namespaces Q*, R*, S*, T*.

Frequently Asked Questions

What is the difference between passthrough and edge router?

Passthrough Termination and Edge Termination differ in how they handle encryption, with Passthrough passing it directly to the pod and Edge Termination terminating it at the router.

What is the edge route in OpenShift?

In OpenShift, an edge route is a configuration that allows the Ingress Controller to terminate TLS encryption before forwarding traffic to a destination pod. This involves specifying a TLS certificate and key for the route.

Jeannie Larson

Senior Assigning Editor

Jeannie Larson is a seasoned Assigning Editor with a keen eye for compelling content. With a passion for storytelling, she has curated articles on a wide range of topics, from technology to lifestyle. Jeannie's expertise lies in assigning and editing articles that resonate with diverse audiences.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.