Feature Request
Resolution: Done
OCPPLAN-6007 - OpenShift Core Networking Improvements
Proposed title of this feature request
Annotate the ingress to create the route with the spec.tls.insecureEdgeTerminationPolicy set to Allow
What is the nature and description of the request?
If I understand the case description and customer response correctly, they want an annotation in the ingress to create the route with the spec.tls.insecureEdgeTerminationPolicy set to Allow.
I believe you can already add an annotation to the Ingress resource to have OpenShift create a route with adjusted termination, like so:
    annotations:
      route.openshift.io/termination: "reencrypt"
Was hoping insecureEdgeTerminationPolicy would be another.
Why does the customer need this? (List the business requirements here)
We use native Kubernetes Ingress resources to expose traffic to our OpenShift services.
We do this as Ingress resources have the ability to reference a secret for their TLS certs instead of including the TLS information directly in the route.
When we create an ingress, OpenShift automatically creates a corresponding Route, configured based off of the Ingress resource we create.
This works great and we are following the steps defined here:
However, when the route is created with TLS data from the ingress resource, the Route will always have the spec.tls.insecureEdgeTerminationPolicy set to Redirect, which prevents requests over port 80 from succeeding.
Is it possible, by defining a label or attribute or through some other means, to force OpenShift to create these corresponding Route resources with spec.tls.insecureEdgeTerminationPolicy set to Allow?
This is to allow cert-manager http01 requests to succeed when certs need to be renewed for a host/domain the ingress resource is already set up for. Requests from cert-manager come over port 80, so having those redirect to 443 breaks cert renewal.
Is cloned by: OCPSTRAT-1362 Support ingress annotation to create a route with spec.tls.insecureEdgeTerminationPolicy set to Allow (Backlog)
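
An added example (not part of the original request, and not OpenShift or cert-manager code): a Python audit over `oc get routes -A -o json` output that reports how each Route treats port-80 traffic, so hosts that accept plaintext because `insecureEdgeTerminationPolicy` is `Allow` can be tracked as explicit exceptions. The sample routes and hostnames are constructed, and identifying Ingress-created routes by an `ownerReferences` entry of kind `Ingress` is an assumption.

```python
import json

# Constructed sample shaped like `oc get routes -A -o json` output (not real cluster data).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web-x7k2p",
                "ownerReferences": [{"kind": "Ingress", "name": "web"}]},
   "spec": {"host": "shop.example.test",
            "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}}},
  {"metadata": {"namespace": "shop", "name": "legacy"},
   "spec": {"host": "legacy.example.test",
            "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}}},
  {"metadata": {"namespace": "shop", "name": "api"},
   "spec": {"host": "api.example.test", "tls": {"termination": "reencrypt"}}},
  {"metadata": {"namespace": "shop", "name": "plain"},
   "spec": {"host": "plain.example.test"}}
]}
""")


def port80_behaviour(route):
    """Return how the router treats plain-HTTP requests for this route."""
    tls = route.get("spec", {}).get("tls")
    if not tls:
        return "plaintext-only"          # no TLS block: the route is HTTP only
    policy = (tls.get("insecureEdgeTerminationPolicy") or "None").lower()
    if policy == "allow":
        return "plaintext-allowed"       # served over both HTTP and HTTPS
    if policy == "redirect":
        return "redirect-to-https"       # the behaviour the request describes
    return "http-disabled"               # "None" or unset


def audit(route_list):
    """Return (namespace/name, host, behaviour, created_from_ingress) per route."""
    rows = []
    for r in route_list.get("items", []):
        meta = r.get("metadata", {})
        # Assumption: routes generated from an Ingress carry an Ingress owner reference.
        owners = meta.get("ownerReferences", [])
        from_ingress = any(o.get("kind") == "Ingress" for o in owners)
        rows.append((f"{meta.get('namespace')}/{meta.get('name')}",
                     r.get("spec", {}).get("host"), port80_behaviour(r), from_ingress))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```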