HTTPS Routes on OpenShift
This guide explains how to create HTTPS routes on OpenShift with certificates from Let's Encrypt.
Prerequisites
Your app should be running in Pods on OpenShift, and you should have a Service created for the port(s) you want to expose.
The Easy Way
Creating a Route directly is the easiest way to create a public HTTPS URL for your app.
It'll look something like https://cube-hosting-of-medical-image-analysis-platform-dcb83b.apps.shift.nerc.mghpcc.org ({name}-{namespace}.apps.shift.nerc.mghpcc.org).
Go to the OpenShift console, select your project, and create a route with the options:
- Name
- Hostname: leave blank
- Service
- Target Port
- Secure Route: yes
- TLS termination: Edge
- Insecure traffic: Redirect
- Certificate: leave blank
- Private key: leave blank
Using a Custom Domain
To use a custom domain with HTTPS, you need to create an Ingress with annotations for cert-manager.
Background
HTTPS provides data-in-motion encryption for web apps. To enable HTTPS, you need to generate TLS certificates and have them signed by a trusted certificate authority (CA). Let's Encrypt is a free CA which supports automatic certificate issuing (ACME).
Prerequisites
Your app should be running in Pods on OpenShift, and you should have a Service created for the port(s) you want to expose.
The NERC OpenShift cluster has the cert-manager operator installed and available to users. For other clusters, ask your admin to install cert-manager.
0. Create an Issuer (Once per namespace)
Skip this step for the project hosting-of-medical-image-analysis-platform-dcb83b; it was already created.
Create an Issuer:
oc apply -f https://github.com/FNNDSC/NERC/raw/master/https/issuer.yml
1. Create the Ingress (Once per port)
Use this file as a starter template: https://github.com/FNNDSC/NERC/blob/master/https/app-chrisproject-org.yml
You need to change:
- metadata.name
- spec.tls.hosts
- spec.rules[0].host
- spec.rules[0].http.paths[*].backend.service
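For orientation, here is an added sketch of an Ingress showing where the four fields above sit and how cert-manager is wired in. It is not a copy of the linked template: the hostname, Service name, port, Secret name and the ISSUER-NAME placeholder are assumptions to replace with your own values.

```yaml
# Added example, not the repository's template. All names are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-example-org              # metadata.name (one Ingress per exposed port)
  annotations:
    # Tells cert-manager which namespaced Issuer signs the certificate.
    # Must equal metadata.name of the Issuer created in step 0.
    cert-manager.io/issuer: ISSUER-NAME
spec:
  tls:
    - hosts:
        - my-app.example.org            # spec.tls.hosts: names placed in the certificate
      # cert-manager stores the issued certificate and private key in this Secret.
      secretName: my-app-example-org-tls
  rules:
    - host: my-app.example.org          # spec.rules[0].host: must match the TLS host above
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:                  # spec.rules[0].http.paths[*].backend.service
                name: my-app            # existing Service in the same namespace
                port:
                  number: 8080
```

If spec.tls.hosts and spec.rules[0].host differ, the issued certificate will not cover the name clients connect to. After applying the manifest, `oc get certificate` in the same namespace shows whether cert-manager has marked the certificate Ready.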