You can create a Transport Layer Security (TLS) key and certificates for a custom domain and subdomain using Red Hat OpenShift Service Mesh.

OpenShift Serverless is compatible only with full implementations of either Red Hat OpenShift Service Mesh 1.x or 2.x. OpenShift Serverless does not support custom usage of some 1.x resources and some 2.x resources in the same deployment. For example, upgrading to 2.x while still using the control plane maistra.io/v1 spec is not supported.

Prerequisites

This example uses the example.com domain. The example certificate for this domain is used as a certificate authority (CA) that signs the subdomain certificate.

To complete and verify this procedure in your deployment, you need either a certificate signed by a widely trusted public CA, or a CA provided by your organization.

Example commands must be adjusted according to your domain, subdomain and CA.

Configuring Transport Layer Security for a custom domain using Red Hat OpenShift Service Mesh 2.x

You can create a Transport Layer Security (TLS) key and certificates for a custom domain and subdomain using Red Hat OpenShift Service Mesh.

Procedure
  1. Create a root certificate and private key to sign the certificates for your services:

    $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj '/O=Example Inc./CN=example.com' \
        -keyout example.com.key \
        -out example.com.crt
  2. Create a certificate signing request for your domain:

    $ openssl req -out custom.example.com.csr -newkey rsa:2048 -nodes \
        -keyout custom.example.com.key \
        -subj "/CN=custom-ksvc-domain.example.com/O=Example Inc."
  3. Sign the request with your CA:

    $ openssl x509 -req -days 365 -set_serial 0 \
        -CA example.com.crt \
        -CAkey example.com.key \
        -in custom.example.com.csr \
        -out custom.example.com.crt
  4. Check that the certificates appear in your directory:

    $ ls -1
    Example output
    custom.example.com.crt
    custom.example.com.csr
    custom.example.com.key
    example.com.crt
    example.com.key
  5. Create a secret:

    $ oc create -n istio-system secret tls custom.example.com \
        --key=custom.example.com.key \
        --cert=custom.example.com.crt
  6. Attach the secret to the Istio ingress gateway by editing the ServiceMeshControlPlane resource.

    1. Edit the ServiceMeshControlPlane resource:

      $ oc edit -n istio-system ServiceMeshControlPlane <control-plane-name>
    2. Check that the following lines exist in the resource, and if they do not, add them:

      spec:
        gateways:
          ingress:
            volumes:
            - volume:
                secret:
                  secretName: custom.example.com
              volumeMount:
                name: custom-example-com
                mountPath: /custom.example.com
  7. Update the Istio ingress gateway to use your secret.

    1. Edit the default-gateway resource:

      $ oc edit gateway default-gateway
    2. Check that the following lines exist in the resource, and if they do not, add them:

      - hosts:
        - custom-ksvc-domain.example.com
        port:
          name: https
          number: 443
          protocol: HTTPS
        tls:
          mode: SIMPLE
          privateKey: /custom.example.com/tls.key
          serverCertificate: /custom.example.com/tls.crt
  8. Update the route to use pass-through TLS and 8443 as the spec.port.targetPort.

    1. Edit the route:

      $ oc edit route -n istio-system hello
    2. Add the following configuration to the route:

      spec:
        host: custom-ksvc-domain.example.com
        port:
          targetPort: 8443
        tls:
          insecureEdgeTerminationPolicy: None
          termination: passthrough
        to:
          kind: Service
          name: istio-ingressgateway
          weight: 100
        wildcardPolicy: None
Verification
  • Access your serverless application over a secure connection that is now trusted by the CA:

    $ curl --cacert example.com.crt \
        --header "Host: custom-ksvc-domain.example.com" \
        --resolve "custom-ksvc-domain.example.com:443:<ingress_router_IP>" \
        https://custom-ksvc-domain.example.com:443
    Example output
    Hello OpenShift!

    You must substitute your own value for <ingress_router_IP>. The steps for finding this IP address or host name vary depending on the provider platform of your OpenShift Container Platform cluster.

    Example command to find the ingress IP

    This command is valid for GCP and Azure provider platforms:

    $ oc get svc -n openshift-ingress router-default \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

Configuring Transport Layer Security for a custom domain using Red Hat OpenShift Service Mesh 1.x

You can create a Transport Layer Security (TLS) key and certificates for a custom domain and subdomain using Red Hat OpenShift Service Mesh.

Procedure
  1. Create a root certificate and private key to sign the certificates for your services:

    $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj '/O=Example Inc./CN=example.com' \
        -keyout example.com.key \
        -out example.com.crt
  2. Create a certificate signing request for your domain:

    $ openssl req -out custom.example.com.csr -newkey rsa:2048 -nodes \
        -keyout custom.example.com.key \
        -subj "/CN=custom-ksvc-domain.example.com/O=Example Inc."
  3. Sign the request with your CA:

    $ openssl x509 -req -days 365 -set_serial 0 \
        -CA example.com.crt \
        -CAkey example.com.key \
        -in custom.example.com.csr \
        -out custom.example.com.crt
  4. Check that the certificates appear in your directory:

    $ ls -1
    Example output
    custom.example.com.crt
    custom.example.com.csr
    custom.example.com.key
    example.com.crt
    example.com.key
  5. Create a secret:

    $ oc create -n istio-system secret tls custom.example.com \
        --key=custom.example.com.key \
        --cert=custom.example.com.crt
  6. Attach the secret to the Istio ingress gateway by editing the ServiceMeshControlPlane resource.

    1. Edit the ServiceMeshControlPlane resource:

      $ oc edit -n istio-system ServiceMeshControlPlane <control_plane_name>
    2. Check that the following lines exist in the resource, and if they do not, add them:

      spec:
        istio:
          gateways:
            istio-ingressgateway:
              secretVolumes:
              - mountPath: /custom.example.com
                name: custom-example-com
                secretName: custom.example.com
  7. Update the Istio ingress gateway to use your secret.

    1. Edit the default-gateway resource:

      $ oc edit gateway default-gateway
    2. Check that the following lines exist in the resource, and if they do not, add them:

      - hosts:
        - custom-ksvc-domain.example.com
        port:
          name: https
          number: 443
          protocol: HTTPS
        tls:
          mode: SIMPLE
          privateKey: /custom.example.com/tls.key
          serverCertificate: /custom.example.com/tls.crt
  8. Update the route to use pass-through TLS and 8443 as the spec.port.targetPort.

    1. Edit the route:

      $ oc edit route -n istio-system hello
    2. Add the following configuration to the route:

      spec:
        host: custom-ksvc-domain.example.com
        port:
          targetPort: 8443
        tls:
          insecureEdgeTerminationPolicy: None
          termination: passthrough
        to:
          kind: Service
          name: istio-ingressgateway
          weight: 100
        wildcardPolicy: None
Verification
  • Access your serverless application over a secure connection that is now trusted by the CA:

    $ curl --cacert example.com.crt \
        --header "Host: custom-ksvc-domain.example.com" \
        --resolve "custom-ksvc-domain.example.com:443:<ingress_router_IP>" \
        https://custom-ksvc-domain.example.com:443
    Example output
    Hello OpenShift!

    You must substitute your own value for <ingress_router_IP>. The steps for finding this IP address or host name vary depending on the provider platform of your OpenShift Container Platform cluster.

    Example command to find the ingress IP

    This command is valid for GCP and Azure provider platforms:

    $ oc get svc -n openshift-ingress router-default \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
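The certificate chain that steps 1 to 3 of both the 2.x and the 1.x procedure build, together with the trust check that the verification curl command performs, as an added Go example that is not part of the OpenShift Serverless documentation. It uses Go's standard crypto/x509 instead of openssl, Ed25519 keys instead of RSA-2048 to keep it short, and adds a DNS Subject Alternative Name that the openssl commands above do not set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildChain is steps 1-3 in code: a self-signed CA for example.com and a
// server certificate for host signed by it, each valid for 365 days. Unlike the
// openssl commands above, the leaf also carries a DNS SAN, because Go and other
// modern clients no longer match host names against the legacy CN field.
func BuildChain(host string) (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	_, caKey, err := ed25519.GenerateKey(rand.Reader) // Ed25519 stands in for the page's RSA-2048
	if err != nil { return nil, nil, err }
	_, leafKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{"Example Inc."}, CommonName: "example.com"},
		NotBefore:    now, NotAfter: now.Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		Subject:      pkix.Name{Organization: []string{"Example Inc."}, CommonName: host},
		NotBefore:    now, NotAfter: now.Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafKey.Public(), caKey)
	if err != nil { return nil, nil, err }
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// VerifyLeaf is the check behind `curl --cacert example.com.crt`: trust only
// the given CA and require leaf to be valid for the requested host name.
func VerifyLeaf(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

VerifyLeaf returns nil only when the leaf chains to the supplied CA and matches the host; a different host name or an unrelated CA yields an error, which is exactly what the curl command would report.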