DNS resolution for a host name is handled separately from routing; your administrator may have configured a cloud domain that will always correctly resolve to the OpenShift Online router, or if using an unrelated host name you may need to modify its DNS records independently to resolve to the router.
You can create unsecured and secured routes using the web console or the CLI.
Using the web console, you can navigate to the Browse → Routes page, then click Create Route to define and create a route in your project:
Using the CLI, create an unsecured route. For OpenShift Online Starter, follow this example:
$ oc expose svc/frontend
For OpenShift Online Pro, follow this example, with --hostname being optional:
$ oc expose svc/frontend --hostname=www.example.com
The new route inherits the name from the service unless you specify one
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  to:
    kind: Service
    name: frontend
Unsecured routes are the default configuration, and are therefore the simplest to set up. Secured routes offer security for connections to remain private. To create a secured HTTPS route encrypted with the default certificate for OpenShift Online 3, you can use the create route command.
TLS is the replacement of SSL for HTTPS and other encrypted protocols.
For OpenShift Online Starter:
$ oc create route edge --service=frontend
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  to:
    kind: Service
    name: frontend
  tls:
    termination: edge
For OpenShift Online Pro, you can use your own certificate and key files from a CA. However, you can still omit the certificate and key files if you want to use the default certificate. With OpenShift Online Starter, you cannot specify a certificate and key.
For OpenShift Online Pro:
$ oc create route edge --service=frontend \
    --cert=example.crt \
    --key=example.key \
    --ca-cert=ca.crt \
    --hostname=www.example.com
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  host: www.example.com
  to:
    kind: Service
    name: frontend
  tls:
    termination: edge
    key: |-
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
Currently, password-protected key files are not supported. To remove a passphrase from a key file, you can run:
# openssl rsa -in <passwordProtectedKey.key> -out <new.key>
Routes are restricted in OpenShift Online Starter, but are not restricted in OpenShift Online Pro. Custom route hosts are permitted in OpenShift Online Pro. If using OpenShift Online Starter, the following host template is enforced on all user routes:
To determine the external address, run:
$ oc get route/<route-name>
Custom certificates are permitted in OpenShift Online Pro. In OpenShift Online Starter, only unencrypted routes, edge routes using the default certificate, and passthrough routes work. Edge routes with custom certificates and re-encrypt routes (which necessarily have custom certificates) do not work in OpenShift Online Starter.
These restrictions are enforced in the router. Inspecting the route in the console or using oc get routes displays the host and certificates specified by the user. The status of the route indicates if the route is restricted. However, custom hosts are not respected in OpenShift Online Starter, and routes with custom certificates do not work. In OpenShift Online Pro, a default host is provided if the user does not specify a custom host.
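Because the router enforces these restrictions while oc get routes still shows the host and certificates the user specified, it helps to check a route definition before creating it. The following is an added example, not part of the OpenShift documentation or tooling: it flags the Starter restrictions and the passphrase-protected key case described above. The function name check_route, the plan names "starter" and "pro", and the sample definitions are assumptions made for illustration.

```python
# Added example: pre-flight check of a Route definition given as a dict
# (for instance parsed from the YAML shown on this page).
# check_route() and the plan names are hypothetical, not an OpenShift API.

# PEM markers of a passphrase-protected key: PKCS#8 and legacy OpenSSL format.
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")
CUSTOM_CERT_FIELDS = ("key", "certificate", "caCertificate")


def check_route(route, plan):
    """Return a list of findings for a Route dict; plan is 'starter' or 'pro'."""
    if plan not in ("starter", "pro"):
        raise ValueError("plan must be 'starter' or 'pro'")
    spec = route.get("spec") or {}
    tls = spec.get("tls") or {}
    termination = tls.get("termination")
    findings = []

    # Applies to both plans: password-protected key files are not supported.
    if any(marker in (tls.get("key") or "") for marker in ENCRYPTED_MARKERS):
        findings.append("tls.key is passphrase-protected; remove the passphrase first")

    if plan == "starter":
        if spec.get("host"):
            findings.append("spec.host is set; custom hosts are not respected in Starter")
        custom = [f for f in CUSTOM_CERT_FIELDS if tls.get(f)]
        if termination == "reencrypt":
            findings.append("re-encrypt routes do not work in Starter")
        elif termination == "edge" and custom:
            findings.append("edge route sets %s; only the default certificate works in Starter"
                            % ", ".join(custom))
    return findings


# Constructed sample definitions mirroring the YAML shown on this page.
DEFAULT_EDGE = {"kind": "Route", "metadata": {"name": "frontend"},
                "spec": {"to": {"kind": "Service", "name": "frontend"},
                         "tls": {"termination": "edge"}}}
CUSTOM_EDGE = {"kind": "Route", "metadata": {"name": "frontend"},
               "spec": {"host": "www.example.com",
                        "to": {"kind": "Service", "name": "frontend"},
                        "tls": {"termination": "edge",
                                "key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n[...]",
                                "certificate": "-----BEGIN CERTIFICATE-----\n[...]"}}}

if __name__ == "__main__":
    for plan in ("starter", "pro"):
        for name, route in (("default edge", DEFAULT_EDGE), ("custom edge", CUSTOM_EDGE)):
            print(plan, name, check_route(route, plan) or "ok")
```

An empty list means none of the restrictions described on this page apply to the definition; it does not validate the certificate itself.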
Once your custom route is created in OpenShift Online Pro, you must update your DNS provider by creating a canonical name (CNAME) record. Your CNAME record should point your custom domain to the OpenShift Online router as the alias. The OpenShift Online router’s domain is different for every cluster.
CNAME records cannot be set for a naked domain (