Adding an additional ingress controller to an ARO cluster
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
Prerequisites
- an Azure Red Hat OpenShift cluster
- a DNS zone that you can easily modify
Get Started
Create some environment variables
DOMAIN=custom.azure.mobb.ninja
EMAIL=example@email.com
SCRATCH_DIR=/tmp/aro
Create a certificate for the ingress controller
certbot certonly --manual \
  --preferred-challenges=dns \
  --email $EMAIL \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --manual-public-ip-logging-ok \
  -d "*.$DOMAIN" \
  --config-dir "$SCRATCH_DIR/config" \
  --work-dir "$SCRATCH_DIR/work" \
  --logs-dir "$SCRATCH_DIR/logs"
Create a secret for the certificate
oc create secret tls custom-tls \
  -n openshift-ingress \
  --cert=$SCRATCH_DIR/config/live/$DOMAIN/fullchain.pem \
  --key=$SCRATCH_DIR/config/live/$DOMAIN/privkey.pem
Create an ingress controller
cat <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: custom
  namespace: openshift-ingress-operator
spec:
  domain: $DOMAIN
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/worker: ""
  routeSelector:
    matchLabels:
      type: custom
  defaultCertificate:
    name: custom-tls
  httpEmptyRequestsPolicy: Respond
  httpErrorCodePages:
    name: ""
  replicas: 3
EOF
NOTE: By default the ingress controller is created with external scope. This means that the corresponding Azure Load Balancer will have a public frontend IP. If you wish to deploy a privately visible ingress controller, add the following lines to the spec:
spec:
  ...
  endpointPublishingStrategy:
    loadBalancer:
      scope: Internal
    type: LoadBalancerService
  ...
Wait a few moments, then get the EXTERNAL-IP of the new ingress controller
oc get -n openshift-ingress svc router-custom
In case of an Externally (publicly) scoped ingress controller the output should look like:
NAME            TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
router-custom   LoadBalancer   172.30.90.84   20.120.48.78   80:32160/TCP,443:32511/TCP   49s
In case of an Internal (private) one:
NAME            TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
router-custom   LoadBalancer   172.30.55.36   10.0.2.4      80:30475/TCP,443:30249/TCP   10s
Optionally verify in the Azure portal or using the CLI that the Load Balancer Service has received the new frontend IP and two load balancing rules, one for port 80 and another for port 443. In case of an Internally scoped ingress controller the changes are to be observed within the Load Balancer that has the -internal suffix.
Create a wildcard DNS record pointing at the EXTERNAL-IP
Test that the Ingress is working
NOTE: For the Internal ingress controller, make sure that the test host has the necessary reachability to the VPC/subnet as well as the DNS resolver.
curl -s https://test.$DOMAIN | head
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
Create a new project to deploy an application to
oc new-project demo
Create a new application
oc new-app --docker-image=docker.io/openshift/hello-openshift
Expose it with a Route that carries the type: custom label the ingress controller's routeSelector matches
cat << EOF | oc apply -f -
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    app: hello-openshift
    app.kubernetes.io/component: hello-openshift
    app.kubernetes.io/instance: hello-openshift
    type: custom
  name: hello-openshift-tls
spec:
  host: hello.$DOMAIN
  port:
    targetPort: 8080-tcp
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: hello-openshift
EOF
Verify it works
curl https://hello.custom.azure.mobb.ninja
Hello OpenShift!
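As an added check that is not part of the original walkthrough, the script below reads the JSON that `oc get route hello-openshift-tls -n demo -o json` prints and reports which routers admitted the route, whether the `type: custom` label the routeSelector needs is present, and whether TLS is edge-terminated with plain HTTP redirected. The embedded route JSON is constructed, and its second status entry shows what it looks like when another controller has admitted the same route alongside `custom`.

```python
import json

# Constructed sample (not captured from a real cluster) of what
# `oc get route hello-openshift-tls -n demo -o json` prints once both the
# "custom" controller and the cluster's "default" controller admitted the route.
SAMPLE_ROUTE_JSON = json.dumps({
    "kind": "Route",
    "metadata": {"name": "hello-openshift-tls", "namespace": "demo",
                 "labels": {"app": "hello-openshift", "type": "custom"}},
    "spec": {"host": "hello.custom.azure.mobb.ninja",
             "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"},
             "to": {"kind": "Service", "name": "hello-openshift"}},
    "status": {"ingress": [
        {"host": "hello.custom.azure.mobb.ninja", "routerName": "custom",
         "conditions": [{"type": "Admitted", "status": "True"}]},
        {"host": "hello.custom.azure.mobb.ninja", "routerName": "default",
         "conditions": [{"type": "Admitted", "status": "True"}]}]}})

# Constructed: the same route created without the type=custom label and without
# the redirect policy, so only the default controller picked it up.
SAMPLE_UNLABELLED_ROUTE_JSON = json.dumps({
    "kind": "Route", "metadata": {"name": "hello-openshift-tls", "labels": {"app": "hello-openshift"}},
    "spec": {"host": "hello.custom.azure.mobb.ninja", "tls": {"termination": "edge"}},
    "status": {"ingress": [{"host": "hello.custom.azure.mobb.ninja", "routerName": "default",
                            "conditions": [{"type": "Admitted", "status": "True"}]}]}})


def admitted_routers(route):
    """Names of the routers whose Admitted condition on this route is True."""
    return [ing["routerName"]
            for ing in route.get("status", {}).get("ingress", [])
            if any(c.get("type") == "Admitted" and c.get("status") == "True"
                   for c in ing.get("conditions", []))]


def check_route(route_json, expected_router="custom", selector_label=("type", "custom")):
    """Report which routers admitted the route and anything that deviates from the walkthrough."""
    route = json.loads(route_json)
    problems = []
    key, value = selector_label
    if route.get("metadata", {}).get("labels", {}).get(key) != value:
        problems.append(f"label {key}={value} missing; the custom routeSelector will not match")
    tls = route.get("spec", {}).get("tls") or {}
    if tls.get("termination") != "edge" or tls.get("insecureEdgeTerminationPolicy") != "Redirect":
        problems.append("TLS is not edge-terminated with insecure requests redirected")
    routers = admitted_routers(route)
    if expected_router not in routers:
        problems.append(f"not admitted by router {expected_router!r}")
    return {"admitted_by": routers,
            "also_admitted_by": [r for r in routers if r != expected_router],
            "problems": problems}
```

Against a live cluster, pass the real command output to `check_route` (for example `check_route(sys.stdin.read())` with the `oc get ... -o json` output piped in) and review any entries in `also_admitted_by`.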