Routes
OpenShift clusters use Routers as the Ingress Controller.
Here are the fields used by Pulp operator to configure Routes in OpenShift clusters:
- ingress_type: must be defined as route, so that the operator knows that it needs to provision the route paths.
- route_host: [optional] the hostname where Pulp can be accessed. If not defined, Pulp operator will define one based on the default ingress domain name.
- route_labels: [optional] a map of the labels that can be used by routeSelector. If not defined, Pulp operator will create Routes that use the default Routers.
For more information about routeSelector and route sharding, please consult the official OpenShift documentation.
Configuring custom certificate
By default, Pulp Operator will provision Routes with edge TLS termination (TLS encryption terminates on Route).
It is possible to configure the operator to deploy the Routes using a custom certificate.
To do that, first create a Secret with the TLS certificate and key:
$ oc create secret generic <my-new-secret> --from-file=certificate=<cert file> --from-file=key=<key file>
For example:
$ oc create secret generic route-certs --from-file=certificate=/tmp/tls.crt --from-file=key=/tmp/tls.key
You may also specify a CA certificate if needed to complete the certificate chain:
$ oc create secret generic route-certs --from-file=certificate=/tmp/tls.crt --from-file=key=/tmp/tls.key --from-file=caCertificate=/tmp/ca.crt
Warning
Make sure not to modify the names of the Secret's keys: "certificate", "key", "caCertificate".
Using different key names will cause the Route TLS configuration to fail.
Now, configure Pulp CR with the Secret created:
...
spec:
  route_tls_secret: <my-new-secret>
...
A new reconciliation loop will be triggered and the certificate will be configured in all Routes.
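A pre-flight check for the Secret described above, as an added example that is not part of the Pulp operator documentation: it confirms that the key names are the ones the Warning lists and that the certificate and private key belong together. The function names are hypothetical, and `openssl` and `oc` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the Pulp operator docs); function names are hypothetical.

# check_secret_keys NAME...
# Succeeds only if both required key names from the Warning above are present.
# "caCertificate" is optional; any other name is reported, since a Secret made
# with `oc create secret tls` carries tls.crt/tls.key instead.
check_secret_keys() {
    have_cert=0
    have_key=0
    for name in "$@"; do
        case "$name" in
            certificate)   have_cert=1 ;;
            key)           have_key=1 ;;
            caCertificate) ;;
            *) echo "unrecognized key name: $name" >&2 ;;
        esac
    done
    if [ "$have_cert" -ne 1 ] || [ "$have_key" -ne 1 ]; then
        echo "Secret must contain both 'certificate' and 'key'" >&2
        return 1
    fi
    return 0
}

# cert_matches_key CERT_FILE KEY_FILE
# Compares the public key embedded in the certificate with the one derived
# from the private key; they are identical when the pair belongs together.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# list_secret_keys SECRET_NAME
# Prints the key names of an existing Secret, one per line (requires a login).
list_secret_keys() {
    oc get secret "$1" -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# Typical use, with the file paths and Secret name from the example above:
#   cert_matches_key /tmp/tls.crt /tmp/tls.key || echo "certificate and key do not match"
#   check_secret_keys $(list_secret_keys route-certs)
```

Run `cert_matches_key` before creating the Secret and `check_secret_keys` after it, before setting `route_tls_secret` in the Pulp CR.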