The following sections describe how to create re-encrypt and edge routes with custom certificates.

If you create routes in Microsoft Azure through public endpoints, the resource names are subject to restriction. You cannot create resources that use certain terms. For a list of terms that Azure restricts, see Resolve reserved resource name errors in the Azure documentation.

You can configure a secure route using reencrypt TLS termination with a custom certificate by using the oc create route command.

You must have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
You must have a separate destination CA certificate in a PEM-encoded file.
You must have a Service resource that you want to expose.
Password protected key files are not supported. To remove a passphrase from a key file, use the following command:

$ openssl rsa -in password_protected_tls.key -out tls.key
This procedure creates a route resource with a custom certificate and reencrypt TLS termination. The following assumes that the certificate/key pair are in the tls.crt and tls.key files in the current working directory. You must also specify a destination CA certificate to enable the Ingress Controller to trust the service's certificate. You may also specify a CA certificate if needed to complete the certificate chain. Substitute the actual path names for tls.crt, tls.key, destca.crt (the destination CA certificate), and (optionally) ca.crt. Substitute the name of the Service resource that you want to expose for frontend. Substitute the appropriate host name for www.example.com.
Create a secure route resource using reencrypt TLS termination and a custom certificate:
$ oc create route reencrypt --service=frontend --cert=tls.crt --key=tls.key --dest-ca-cert=destca.crt --ca-cert=ca.crt --hostname=www.example.com
If you examine the resulting route resource, it should look similar to the following:
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  host: www.example.com
  to:
    kind: Service
    name: frontend
  tls:
    termination: reencrypt
    key: |-
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
See oc create route reencrypt --help for more options.
You can configure a secure route using edge TLS termination with a custom certificate by using the oc create route command. With an edge route, the Ingress Controller terminates TLS encryption before forwarding traffic to the destination Pod. The route specifies the TLS certificate and key that the Ingress Controller uses for the route.
You must have a certificate/key pair in PEM-encoded files, where the certificate is valid for the route host.
You may have a separate CA certificate in a PEM-encoded file that completes the certificate chain.
You must have a Service resource that you want to expose.
Password protected key files are not supported. To remove a passphrase from a key file, use the following command:

$ openssl rsa -in password_protected_tls.key -out tls.key
This procedure creates a route resource with a custom certificate and edge TLS termination. The following assumes that the certificate/key pair are in the tls.crt and tls.key files in the current working directory. You may also specify a CA certificate if needed to complete the certificate chain. Substitute the actual path names for tls.crt, tls.key, and (optionally) ca.crt. Substitute the name of the Service resource that you want to expose for frontend. Substitute the appropriate host name for www.example.com.
Create a secure route resource using edge TLS termination and a custom certificate:
$ oc create route edge --service=frontend --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=www.example.com
If you examine the resulting route resource, it should look similar to the following:
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  host: www.example.com
  to:
    kind: Service
    name: frontend
  tls:
    termination: edge
    key: |-
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
See oc create route edge --help for more options.
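Both procedures above share the same prerequisites for the files handed to oc create route: a PEM-encoded certificate that is valid for the route host, a key that is not password protected and that actually belongs to that certificate, and an optional CA certificate that completes the chain. The Ingress Controller only reports problems with that material after the route exists, so a preflight check on the files before running the command saves a round trip. The following Go program is an added example, not part of this documentation or of the OpenShift tooling; the names RouteTLSInput, PreflightRouteTLS, BuildSample and issue are assumptions made here, and the CA and leaf certificate it checks are constructed in memory rather than read from tls.crt, tls.key and ca.crt.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RouteTLSInput mirrors the inputs of oc create route: --cert, --key, the optional --ca-cert, and --hostname.
type RouteTLSInput struct{ CertPEM, KeyPEM, CAPEM []byte; Hostname string }

// PreflightRouteTLS collects every reason the Ingress Controller could not serve the route with this material.
func PreflightRouteTLS(in RouteTLSInput) []error {
	var errs []error
	keyBlock, _ := pem.Decode(in.KeyPEM)
	certBlock, rest := pem.Decode(in.CertPEM) // anything after the leaf in --cert is treated as intermediates
	if keyBlock == nil || certBlock == nil {
		return []error{errors.New("key and certificate must both be PEM-encoded")}
	}
	leaf, err := x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		return []error{fmt.Errorf("certificate: %w", err)}
	}
	// Password-protected keys are unsupported (PKCS#8 "ENCRYPTED PRIVATE KEY" or a legacy Proc-Type header); otherwise the key must belong to the certificate.
	if keyBlock.Type == "ENCRYPTED PRIVATE KEY" || keyBlock.Headers["Proc-Type"] != "" {
		errs = append(errs, errors.New("key: passphrase-protected; strip it with openssl rsa first"))
	} else if signer, err := parsePrivateKey(keyBlock.Bytes); err != nil {
		errs = append(errs, fmt.Errorf("key: %w", err))
	} else if pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool }); !ok || !pub.Equal(signer.Public()) {
		errs = append(errs, errors.New("key: does not match the certificate's public key"))
	}
	// The certificate must cover the route host (SAN match) and be inside its validity window.
	if err := leaf.VerifyHostname(in.Hostname); err != nil {
		errs = append(errs, fmt.Errorf("hostname: %w", err))
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		errs = append(errs, errors.New("certificate: outside its validity period"))
	}
	// With --ca-cert, the chain from the leaf through any intermediates must reach that anchor.
	if len(in.CAPEM) > 0 {
		roots, inter := x509.NewCertPool(), x509.NewCertPool()
		roots.AppendCertsFromPEM(in.CAPEM) // an unreadable --ca-cert shows up as an unknown-authority error below
		inter.AppendCertsFromPEM(rest)
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
			errs = append(errs, fmt.Errorf("chain: %w", err))
		}
	}
	return errs
}

// parsePrivateKey accepts the PKCS#8 ("PRIVATE KEY") and PKCS#1 ("RSA PRIVATE KEY") forms that openssl writes.
func parsePrivateKey(der []byte) (crypto.Signer, error) {
	if k, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		return k.(crypto.Signer), nil
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// BuildSample constructs throwaway material: a test CA, a leaf it issued for www.example.com, and the CA's own key (wrong key for the route).
func BuildSample() (caPEM, certPEM, keyPEM, caKeyPEM []byte) {
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caKey, caPEM, caKeyPEM := issue(ca, nil, nil)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"www.example.com"}, NotBefore: ca.NotBefore,
		NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	_, certPEM, keyPEM = issue(leaf, ca, caKey)
	return caPEM, certPEM, keyPEM, caKeyPEM
}

// issue generates a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, []byte, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // sample construction only
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	caPEM, certPEM, _, caKeyPEM := BuildSample() // deliberately hand in the CA key and the wrong host
	for _, e := range PreflightRouteTLS(RouteTLSInput{CertPEM: certPEM, KeyPEM: caKeyPEM, CAPEM: caPEM, Hostname: "api.example.com"}) {
		fmt.Println("preflight:", e)
	}
}
```

To use it against real files, read tls.crt, tls.key and ca.crt with os.ReadFile and pass the bytes in RouteTLSInput with the route host. The check deliberately collects all findings instead of stopping at the first, so one run reports a hostname mismatch, a key that belongs to a different certificate and a broken chain together; when --ca-cert is omitted, only the key, hostname and validity-period checks apply, because there is no anchor to verify the chain against.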