Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 1. Deployments
1.1. Custom domains for applications
Starting with Red Hat OpenShift Service on AWS 4.14, the Custom Domain Operator is deprecated. To manage Ingress in Red Hat OpenShift Service on AWS 4.14, use the Ingress Operator. The functionality is unchanged for Red Hat OpenShift Service on AWS 4.13 and earlier versions.
You can configure a custom domain for your applications. Custom domains are specific wildcard domains that can be used with Red Hat OpenShift Service on AWS applications.
1.1.1. Configuring custom domains for applications
The top-level domains (TLDs) are owned by the customer that is operating the Red Hat OpenShift Service on AWS cluster. The Custom Domains Operator sets up a new ingress controller with a custom certificate as a second day operation. The public DNS record for this ingress controller can then be used by an external DNS to create a wildcard CNAME record for use with a custom domain.
Custom API domains are not supported because Red Hat controls the API domain. However, customers can change their application domains. For private custom domains with a private IngressController, set .spec.scope to Internal in the CustomDomain CR.
Prerequisites
-
A user account with
dedicated-adminprivileges -
A unique domain or wildcard domain, such as
*.apps.<company_name>.io -
A custom certificate or wildcard custom certificate, such as
CN=*.apps.<company_name>.io -
Access to a cluster with the latest version of the
ocCLI installed
Do not use the reserved names default or apps*, such as apps or apps2, in the metadata/name: section of the CustomDomain CR.
Procedure
Create a new TLS secret from a private key and a public certificate, where
fullchain.pemandprivkey.pemare your public or private wildcard certificates.Example
$ oc create secret tls <name>-tls --cert=fullchain.pem --key=privkey.pem -n <my_project>Create a new
CustomDomaincustom resource (CR):Example
<company_name>-custom-domain.yamlapiVersion: managed.openshift.io/v1alpha1 kind: CustomDomain metadata: name: <company_name> spec: domain: apps.<company_name>.io1 scope: External loadBalancerType: Classic2 certificate: name: <name>-tls3 namespace: <my_project> routeSelector:4 matchLabels: route: acme namespaceSelector:5 matchLabels: type: sharded- 1
- The custom domain.
- 2
- The type of load balancer for your custom domain. This type can be the default
classicorNLBif you use a network load balancer. - 3
- The secret created in the previous step.
- 4
- Optional: Filters the set of routes serviced by the CustomDomain ingress. If no value is provided, the default is no filtering.
- 5
- Optional: Filters the set of namespaces serviced by the CustomDomain ingress. If no value is provided, the default is no filtering.
Apply the CR:
Example
$ oc apply -f <company_name>-custom-domain.yamlGet the status of your newly created CR:
$ oc get customdomainsExample output
NAME ENDPOINT DOMAIN STATUS <company_name> xxrywp.<company_name>.cluster-01.opln.s1.openshiftapps.com *.apps.<company_name>.io ReadyUsing the endpoint value, add a new wildcard CNAME recordset to your managed DNS provider, such as Route53.
Example
*.apps.<company_name>.io -> xxrywp.<company_name>.cluster-01.opln.s1.openshiftapps.comCreate a new application and expose it:
Example
$ oc new-app --docker-image=docker.io/openshift/hello-openshift -n my-project$ oc create route <route_name> --service=hello-openshift hello-openshift-tls --hostname hello-openshift-tls-my-project.apps.<company_name>.io -n my-project$ oc get route -n my-project$ curl https://hello-openshift-tls-my-project.apps.<company_name>.io Hello OpenShift!
1.1.2. Renewing a certificate for custom domains
You can renew certificates with the Custom Domains Operator (CDO) by using the oc CLI tool.
Prerequisites
-
You have the latest version
ocCLI tool installed.
Procedure
Create new secret
$ oc create secret tls <secret-new> --cert=fullchain.pem --key=privkey.pem -n <my_project>Patch CustomDomain CR
$ oc patch customdomain <company_name> --type='merge' -p '{"spec":{"certificate":{"name":"<secret-new>"}}}'Delete old secret
$ oc delete secret <secret-old> -n <my_project>
Troubleshooting
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}