OpenShift Authentication / AUTH-13

API for Custom Route Name and Certificates for all OCP Cluster Components - oauth implementation


    • Custom Route Name and Certificates for all OCP Cluster Components
    • Done
    • 0% To Do, 0% In Progress, 100% Done

      https://docs.google.com/document/d/1TP2Av7zHXz4_fmeX4q9HB0m9cqSZ4F6Jd4AiVoaF_2s/edit#heading=h.gaa58bzbvwde

      Goal: Implement API for Custom Route Name and Certificates for all OCP Cluster Components.

      Problem:
      The default route names for OpenShift cluster components do not allow any flexibility in customers' environments. The current <name>.apps.<cluster>.<domain> pattern is not user friendly and is potentially difficult to remember.

      NAMESPACE                  NAME                HOST/PORT                                                                       PATH   SERVICES            PORT    TERMINATION            WILDCARD
      openshift-authentication   oauth-openshift     oauth-openshift.apps.ocp42shared.tamlab.brq.redhat.com                                 oauth-openshift     6443    passthrough/Redirect   None
      openshift-console          console             console-openshift-console.apps.ocp42shared.tamlab.brq.redhat.com                       console             https   reencrypt/Redirect     None
      openshift-console          downloads           downloads-openshift-console.apps.ocp42shared.tamlab.brq.redhat.com                     downloads           http    edge/Redirect          None
      openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.ocp42shared.tamlab.brq.redhat.com          alertmanager-main   web     reencrypt/Redirect     None
      openshift-monitoring       grafana             grafana-openshift-monitoring.apps.ocp42shared.tamlab.brq.redhat.com                    grafana             https   reencrypt/Redirect     None
      openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.ocp42shared.tamlab.brq.redhat.com             prometheus-k8s      web     reencrypt/Redirect     None
      openshift-image-registry   default-route       default-route-openshift-image-registry.apps.ocp42shared.tamlab.brq.redhat.com          image-registry      <all>   reencrypt              None
      

      Work is in progress to do this for the OCP console, but it does not account for any of the other components. As suggested in https://issues.redhat.com/browse/CONSOLE-2036, I am opening a new RFE to allow all OCP components to configure a custom route URL and certificates.

      Why is this important?
      If a customer wants to maintain a single ingress domain and changes the default ingress domain to a corporate standard (e.g. ocp1.thehartford.com), they will run into route conflicts for the OCP services in their live HA and standby DR clusters.

      Application traffic is load balanced across all clusters - example: payments.ocp1.thehartford.com exists in all clusters and would be balanced accordingly.

      For OCP services, on the other hand, every cluster would end up with the same set of routes and no ability to change their names. This makes it impossible to address the cluster-specific components of each individual cluster:

      • oauth-openshift.ocp1.customer-name.com
      • console-openshift-console.ocp1.customer-name.com
      • downloads-openshift-console.ocp1.customer-name.com
      • alertmanager-main-openshift-monitoring.ocp1.customer-name.com
      • grafana-openshift-monitoring.ocp1.customer-name.com
      • prometheus-k8s-openshift-monitoring.ocp1.customer-name.com
      • thanos-querier-openshift-monitoring.ocp1.customer-name.com

      Deliverables:

      • A functioning API with:
        • Ability to set a unique name under the default ingress domain, a fully custom URL, and optional certificates.
        • If no certificates are presented, it should use default certs from the ingress controller.

      Acceptance criteria:

      • QE: For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
      • After OpenShift Container Platform 4.x installation, it should be possible to modify/customize the route name using the existing default ingress domain, or to set a fully customized URL along with the necessary certificates, for each OCP service via its custom resource.
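      An added example, not part of this issue, of what the requested API looks like in the form that later OpenShift releases adopted: the componentRoutes list on the cluster-scoped Ingress config resource, with the serving certificate supplied as a kubernetes.io/tls Secret in the openshift-config namespace. That API shape and the Secret namespace come from the editor's knowledge of those later releases, not from this issue; the hostnames, the "ha" cluster suffix and the secret name are constructed placeholders. The first entry keeps the OAuth route under the default ingress domain but gives it a cluster-specific name, so the HA and DR clusters no longer collide; because no secret is given, the ingress controller's default certificate is used, as the deliverable requires. The second entry moves the console to a fully custom hostname outside the ingress domain, which needs its own certificate.

```yaml
# Added example (not from the issue): componentRoutes on the cluster
# Ingress config, as later OpenShift releases expose it. The hostnames,
# the "ha" cluster suffix and the secret name are constructed placeholders.
apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
  name: cluster
spec:
  domain: ocp1.customer-name.com            # default ingress domain shared by HA and DR clusters
  componentRoutes:
    # 1. Unique name under the default ingress domain. No certificate is
    #    referenced, so the ingress controller's default (wildcard) cert is used.
    - name: oauth-openshift
      namespace: openshift-authentication
      hostname: oauth-openshift-ha.ocp1.customer-name.com
    # 2. Fully custom URL outside the ingress domain. A certificate valid for
    #    this hostname must be supplied as a TLS secret in openshift-config.
    - name: console
      namespace: openshift-console
      hostname: console.ha.customer-name.com
      servingCertKeyPairSecret:
        name: console-ha-tls
---
# The certificate/key pair referenced above; the certificate's SAN must cover
# console.ha.customer-name.com. The data values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: console-ha-tls
  namespace: openshift-config
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM certificate chain>   # placeholder, not real data
  tls.key: <base64-encoded PEM private key>         # placeholder, not real data
```

      A practical check after applying such a change is to confirm that the route in the component's namespace now reports the new host, and that a TLS handshake to the custom hostname presents the supplied certificate rather than the ingress wildcard; the DR cluster gets the same manifest with its own suffix, which is what removes the conflict described above.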

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            slaskawi@redhat.com Sebastian Łaskawiec (Inactive)
            wlewis@redhat.com Wallace Lewis
            Li Yao Li Yao (Inactive)