Overview

An OpenShift Online route exposes a service at a host name, like www.example.com, so that external clients can reach it by name.

DNS resolution for a host name is handled separately from routing; your administrator may have configured a cloud domain that will always correctly resolve to the OpenShift Online router, or if using an unrelated host name you may need to modify its DNS records independently to resolve to the router.

Creating Routes

You can create unsecured and secured routes routes using the web console or the CLI.

Using the web console, you can navigate to the Browse → Routes page, then click Create Route to define and create a route in your project:

Creating a Route Using the Web Console
Figure 1. Creating a Route Using the Web Console

Using the CLI, create an unsecured route. For OpenShift Online Starter, follow this example:

$ oc expose svc/frontend

For OpenShift Online Pro, follow this example, with --hostname being optional:

$ oc expose svc/frontend --hostname=www.example.com

The new route inherits the name from the service unless you specify one using the --name option.

YAML Definition of the Unsecured Route Created Above
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  to:
    kind: Service
    name: frontend

Unsecured routes are the default configuration, and are therefore the simplest to set up. However, secured routes offer security for connections to remain private. To create a secured HTTPS route encrypted with the default certificate for OpenShift Online 3 you can use the create route command.

TLS is the replacement of SSL for HTTPS and other encrypted protocols.

For OpenShift Online Starter:

$ oc create route edge --service=frontend
YAML Definition of the Secured Route Created Above
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  to:
    kind: Service
    name: frontend
  tls:
    termination: edge

For OpenShift Online Pro, you can use your own certificate and key files from a CA. However, you can still omit the certificate and key files if you want to use the default certificate. With OpenShift Online Starter, you cannot specify a certificate and key.

For OpenShift Online Pro:

$ oc create route edge --service=frontend \
    --cert=example.crt \
    --key=example.key \
    --ca-cert=ca.crt \
    --hostname=www.example.com
YAML Definition of the Secured Route Created Above
apiVersion: v1
kind: Route
metadata:
  name: frontend
spec:
  host: www.example.com
  to:
    kind: Service
    name: frontend
  tls:
    termination: edge
    key: |-
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----

Currently, password protected key files are not supported. To remove a passphrase from a keyfile, you can run:

# openssl rsa -in <passwordProtectedKey.key> -out <new.key>

Further information on all types of TLS termination as well as path-based routing are available in the Architecture section.

Restrictions

Routes are restricted in OpenShift Online Starter, but are not restricted in OpenShift Online Pro. Custom route hosts are permitted in OpenShift Online Pro. If using OpenShift Online Starter, the following host template is enforced on all user routes:

<route-name>-<namespace>.<external-address>

For example:

<route-name>-<namespace>.1d35.starter-us-east-1.openshiftapps.com

To determine the external address, run:

$ oc get route/<route-name>

Custom certificates are permitted in OpenShift Online Pro. In OpenShift Online Starter, only unencrypted routes, edge routes using the default certificate, and passthrough routes work. Edge routes with custom certificates and re-encrypt routes (which necessarily have custom certificates) do not work in OpenShift Online Starter.

These restrictions are enforced in the router. Inspecting the route in the console or using oc get routes displays the host and certificates specified by the user. The status of the route indicates if the route is restricted. However, custom hosts are not respected in OpenShift Online Starter, and routes with custom certificates do not work. In OpenShift Online Pro, a default host is provided if the user does not specify a custom host.

Once your custom route is created in in OpenShift Online Pro, you must update your DNS provider by creating a canonical name (CNAME) record. Your CNAME record should point your custom domain to the OpenShift Online router as the alias. The OpenShift Online router’s domain is different for every cluster.

CNAME records cannot be set for a naked domain (example.com). A subdomain must be specified (www.example.com).