
IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Adding an additional ingress controller to an ARO cluster

Paul Czarkowski, Stuart Kirk

03/30/2022

Prerequisites

Get Started

  1. Create some environment variables

    DOMAIN=custom.azure.mobb.ninja
    EMAIL=example@email.com
    SCRATCH_DIR=/tmp/aro
    
  2. Create a certificate for the ingress controller

    certbot certonly --manual \
      --preferred-challenges=dns \
      --email $EMAIL \
      --server https://acme-v02.api.letsencrypt.org/directory \
      --agree-tos \
      --manual-public-ip-logging-ok \
      -d "*.$DOMAIN" \
      --config-dir "$SCRATCH_DIR/config" \
      --work-dir "$SCRATCH_DIR/work" \
      --logs-dir "$SCRATCH_DIR/logs"
    
  3. Create a secret for the certificate

    oc create secret tls custom-tls \
      -n openshift-ingress \
      --cert=$SCRATCH_DIR/config/live/$DOMAIN/fullchain.pem \
      --key=$SCRATCH_DIR/config/live/$DOMAIN/privkey.pem
    
  4. Create an ingress controller

    cat <<EOF | oc apply -f -
    apiVersion: operator.openshift.io/v1
    kind: IngressController
    metadata:
      name: custom
      namespace: openshift-ingress-operator
    spec:
      domain: $DOMAIN
      nodePlacement:
        nodeSelector:
          matchLabels:
            node-role.kubernetes.io/worker: ""
      routeSelector:
        matchLabels:
          type: custom
      defaultCertificate:
        name: custom-tls
      httpEmptyRequestsPolicy: Respond
      httpErrorCodePages:
        name: ""
      replicas: 3
    EOF
    
  5. Wait a few moments, then get the EXTERNAL-IP of the new ingress controller

    oc get -n openshift-ingress svc router-custom
    

    The output should look like:

     NAME            TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
     router-custom   LoadBalancer   172.30.90.84   20.120.48.78   80:32160/TCP,443:32511/TCP   49s
    
  6. Create a wildcard DNS record pointing at the EXTERNAL-IP

  7. Test that the Ingress is working

     curl -s https://test.$DOMAIN | head
    
     <html>
       <head>
         <meta name="viewport" content="width=device-width, initial-scale=1">
    
  8. Create a new project to deploy an application to

     oc new-project demo
    
  9. Create a new application

     oc new-app --docker-image=docker.io/openshift/hello-openshift
    
  10. Expose the application with a Route labelled for the custom ingress controller

    cat << EOF | oc apply -f -
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      labels:
        app: hello-openshift
        app.kubernetes.io/component: hello-openshift
        app.kubernetes.io/instance: hello-openshift
        type: custom
      name: hello-openshift-tls
    spec:
      host: hello.$DOMAIN
      port:
        targetPort: 8080-tcp
      tls:
        termination: edge
        insecureEdgeTerminationPolicy: Redirect
      to:
        kind: Service
        name: hello-openshift
    EOF
    
  11. Verify it works

     curl https://hello.$DOMAIN
    
     Hello OpenShift!
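Route admission in this setup is decided purely by the controller's `routeSelector`, a Kubernetes label selector evaluated against the Route's labels. The following Python script is an added example, not part of the original guide, that implements that selector logic so you can check which controllers would admit the hello route before applying it; it assumes a default controller that, as is usual, has no `routeSelector` of its own, and shows the `matchExpressions` form that keeps the default controller from also admitting the custom shard's routes. All controller and route definitions are constructed inline.

```python
"""Which IngressControllers admit a Route?  (added example, constructed inputs)
spec.routeSelector is a Kubernetes label selector applied to each Route's
labels; a controller with no routeSelector admits every Route in the cluster."""

def _match_expression(labels, expr):
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return labels.get(key) in values
    if op == "NotIn":
        return labels.get(key) not in values  # also true when the key is absent
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown selector operator {op!r}")

def selector_matches(labels, selector):
    """Missing or empty selector matches everything; all terms are ANDed."""
    if not selector:
        return True
    match_labels = selector.get("matchLabels", {})
    return (all(labels.get(k) == v for k, v in match_labels.items())
            and all(_match_expression(labels, e)
                    for e in selector.get("matchExpressions", [])))

def admitting_controllers(route, controllers):
    """Sorted names of the controllers whose routeSelector admits `route`."""
    labels = route.get("metadata", {}).get("labels", {})
    return sorted(name for name, spec in controllers.items()
                  if selector_matches(labels, spec.get("routeSelector")))

# Constructed from the guide: the custom controller, plus an assumed default
# controller first without and then with a selector that excludes the shard.
CUSTOM = {"routeSelector": {"matchLabels": {"type": "custom"}}}
OPEN_DEFAULT = {}  # no routeSelector
SHARDED_DEFAULT = {"routeSelector": {"matchExpressions": [
    {"key": "type", "operator": "NotIn", "values": ["custom"]}]}}
HELLO_ROUTE = {"metadata": {"name": "hello-openshift-tls",
                            "labels": {"app": "hello-openshift", "type": "custom"}}}

if __name__ == "__main__":
    both = {"custom": CUSTOM, "default": OPEN_DEFAULT}
    print(admitting_controllers(HELLO_ROUTE, both))  # → ['custom', 'default']
    both["default"] = SHARDED_DEFAULT
    print(admitting_controllers(HELLO_ROUTE, both))  # → ['custom']
```

With the open default controller the hello route is admitted by both routers, which is why the `NotIn` selector on the default controller is worth applying when the custom domain is meant to be served only by `router-custom`.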