1. Documentation
    2. Page history / Open an issue
×

Configuring Transport Layer Security for a custom domain using Red Hat OpenShift Service Mesh

You can create a Transport Layer Security (TLS) key and certificates for a custom domain and subdomain using Red Hat OpenShift Service Mesh.

OpenShift Serverless is compatible only with full implementations of either Red Hat OpenShift Service Mesh 1.x or 2.x. OpenShift Serverless does not support custom usage of some 1.x resources and some 2.x resources in the same deployment. For example, upgrading to 2.x while still using the control plane maistra.io/v1 spec is not supported.

Prerequisites

This example uses the example.com domain. The example certificate for this domain is used as a certificate authority (CA) that signs the subdomain certificate.

To complete and verify this procedure in your deployment, you need either a certificate signed by a widely trusted public CA, or a CA provided by your organization.

Example commands must be adjusted according to your domain, subdomain and CA.

Configuring Transport Layer Security for a custom domain using Red Hat OpenShift Service Mesh 2.x

You can create a Transport Layer Security (TLS) key and certificates for a custom domain and subdomain using Red Hat OpenShift Service Mesh.

Procedure

  1. Create a root certificate and private key to sign the certificates for your services:

    $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=Example Inc./CN=example.com' \
    -keyout example.com.key \
    -out example.com.crt

  2. Create a certificate signing request for your domain:

    $ openssl req -out custom.example.com.csr -newkey rsa:2048 -nodes \
    -keyout custom.example.com.key \
    -subj "/CN=custom-ksvc-domain.example.com/O=Example Inc."

  3. Sign the request with your CA:

    $ openssl x509 -req -days 365 -set_serial 0 \
    -CA example.com.crt \
    -CAkey example.com.key \
    -in custom.example.com.csr \
    -out custom.example.com.crt

  4. Check that the certificates appear in your directory:

    $ ls -1
    Example output
    custom.example.com.crt
custom.example.com.csr
custom.example.com.key
example.com.crt
example.com.key

  5. Create a secret:

    $ oc create -n istio-system secret tls custom.example.com \
    --key=custom.example.com.key \
    --cert=custom.example.com.crt

  6. Attach the secret to the Istio ingress gateway by editing the ServiceMeshControlPlane resource.

    1. Edit the ServiceMeshControlPlane resource:

      $ oc edit -n istio-system ServiceMeshControlPlane <control-plane-name>

    2. Check that the following lines exist in the resource, and if they do not, add them:

      spec:
  gateways:
    ingress:
      volumes:
      - volume:
          secret:
            secretName: custom.example.com
        volumeMount:
          name: custom-example-com
          mountPath: /custom.example.com

  7. Update the Istio ingress gateway to use your secret.

    1. Edit the default-gateway resource:

      $ oc edit gateway default-gateway

    2. Check that the following lines exist in the resource, and if they do not, add them:

      - hosts:
  - custom-ksvc-domain.example.com
  port:
    name: https
    number: 443
    protocol: HTTPS
  tls:
    mode: SIMPLE
    privateKey: /custom.example.com/tls.key
    serverCertificate: /custom.example.com/tls.crt

  8. Update the route to use pass-through TLS and 8443 as the spec.port.targetPort.

    1. Edit the route:

      $ oc edit route -n istio-system hello

    2. Add the following configuration to the route:

      spec:
  host: custom-ksvc-domain.example.com
  port:
    targetPort: 8443
  tls:
    insecureEdgeTerminationPolicy: None
    termination: passthrough
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  wildcardPolicy: None
Verification

  • Access your serverless application by a secure connection that is now trusted by the CA:

    $ curl --cacert example.com.crt \
    --header "Host: custom-ksvc-domain.example.com" \
    --resolve "custom-ksvc-domain.example.com:443:<ingress_router_IP>" \
     https://custom-ksvc-domain.example.com:443

    You must substitute your own value for <ingress_router_IP>. Steps for finding this IP or host name value vary depending on your OpenShift Container Platform provider platform.

    Example command to find the ingress IP

    This command is valid for GCP and Azure provider platforms:

    $ oc get svc -n openshift-ingress router-default \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
    Example output
    Hello OpenShift!

Configuring Transport Layer Security for a custom domain using Red Hat OpenShift Service Mesh 1.x

You can create a Transport Layer Security (TLS) key and certificates for a custom domain and subdomain using Red Hat OpenShift Service Mesh.

Procedure

  1. Create a root certificate and private key to sign the certificates for your services:

    $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=Example Inc./CN=example.com' \
    -keyout example.com.key \
    -out example.com.crt

  2. Create a certificate signing request for your domain:

    $ openssl req -out custom.example.com.csr -newkey rsa:2048 -nodes \
    -keyout custom.example.com.key \
    -subj "/CN=custom-ksvc-domain.example.com/O=Example Inc."

  3. Sign the request with your CA:

    $ openssl x509 -req -days 365 -set_serial 0 \
    -CA example.com.crt \
    -CAkey example.com.key \
    -in custom.example.com.csr \
    -out custom.example.com.crt

  4. Check that the certificates appear in your directory:

    $ ls -1
    Example output
    custom.example.com.crt
custom.example.com.csr
custom.example.com.key
example.com.crt
example.com.key

  5. Create a secret:

    $ oc create -n istio-system secret tls custom.example.com \
    --key=custom.example.com.key \
    --cert=custom.example.com.crt

  6. Attach the secret to the Istio ingress gateway by editing the ServiceMeshControlPlane resource.

    1. Edit the ServiceMeshControlPlane resource:

      $ oc edit -n istio-system ServiceMeshControlPlane <control_plane_name>

    2. Check that the following lines exist in the resource, and if they do not, add them:

      spec:
  istio:
    gateways:
      istio-ingressgateway:
        secretVolumes:
        - mountPath: /custom.example.com
          name: custom-example-com
          secretName: custom.example.com

  7. Update the Istio ingress gateway to use your secret.

    1. Edit the default-gateway resource:

      $ oc edit gateway default-gateway

    2. Check that the following lines exist in the resource, and if they do not, add them:

      - hosts:
  - custom-ksvc-domain.example.com
  port:
    name: https
    number: 443
    protocol: HTTPS
  tls:
    mode: SIMPLE
    privateKey: /custom.example.com/tls.key
    serverCertificate: /custom.example.com/tls.crt

  8. Update the route to use pass-through TLS and 8443 as the spec.port.targetPort.

    1. Edit the route:

      $ oc edit route -n istio-system hello

    2. Add the following configuration to the route:

      spec:
  host: custom-ksvc-domain.example.com
  port:
    targetPort: 8443
  tls:
    insecureEdgeTerminationPolicy: None
    termination: passthrough
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  wildcardPolicy: None
Verification

  • Access your serverless application by a secure connection that is now trusted by the CA:

    $ curl --cacert example.com.crt \
    --header "Host: custom-ksvc-domain.example.com" \
    --resolve "custom-ksvc-domain.example.com:443:<ingress_router_IP>" \
     https://custom-ksvc-domain.example.com:443

    You must substitute your own value for <ingress_router_IP>. Steps for finding this IP or host name value vary depending on your OpenShift Container Platform provider platform.

    Example command to find the ingress IP

    This command is valid for GCP and Azure provider platforms:

    $ oc get svc -n openshift-ingress router-default \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
    Example output
    Hello OpenShift!