Configuring a passthrough Ingress route for OpenShift

In OpenShift, an Ingress Operator allows the external traffic to access the services within a cluster by deploying and managing a HAProxy-based Ingress controller that handles routing. Passthrough routes deployed within the cluster offer end-to-end encryption options along with enhanced security. You must configure a passthrough route to send external traffic to an NGINX Ingress Controller that is within the cluster and is not exposed.

Important

This configuration is applicable in environments where a load balancer (such as HAProxy) is not used between the OpenShift platform and external access. It is intended for scenarios where organizational or operational requirements restrict the use of an Ingress controller (such as NGINX) exposed via NodePort or LoadBalancer service types. In such cases, configuring a passthrough Ingress route provides an alternative method to expose services securely.

Where possible, using an Ingress controller with a LoadBalancer service type is the recommended and supported best practice for production environments.

Best practice
 

It is important to note that not all networking architectures provide the same level of quality and performance. For routing on-premises BMC Helix traffic into your cluster, it's recommended to use an external load balancer that directs to either a Kubernetes load balancer service or a Nodeport service, which in turn directs the traffic to the NGINX Ingress controller. When other approaches are not feasible, pass-through routing from the OpenShift routes controller to the NGINX Ingress controller is considered the best alternative.

For more information, see LoadBalancerand NodePortin the Kubernetes documentation.

To learn about MetalLB, a bare-metal Kubernetes cluster load balancer implementation, see About MetalLB and MetalLB Operatorin the RedHat documentation.

Use the information in this topic to configure a passthrough route so that the network traffic from HAProxy is routed to the cluster's NGINX Ingress Controller.

Perform the following steps to create the passthrough route:

  1. Create a route admission policy.
  2. Add wildcard route to NGINX Ingress namespace.
  3. Verify the route configuration.

Related topics

Deploying and configuring the ingress controller for OpenShift or Kubernetes.

image-2023-8-8_14-50-27-1.png

To create a route admission policy

A cluster administrator must create a route admission policy to permit the HAProxy to route network traffic to the NGINX Ingress Controller within the cluster.

  1. Create a file named route-admission-patch.yml in the current working directory with the following content:

    Add the wildcardPolicy and namespaceOwnership elements in the route-admission-patch.yml file and set their values as shown in the code block:

    #route-admission-patch.yml
    spec:
     routeAdmission:
    wildcardPolicy: WildcardsAllowed
    namespaceOwnership: InterNamespaceAllowed

  2. To apply the route admission policy changes, run the following commands:

    oc project openshift-ingress-operator   
    oc patch IngressController default --patch-file <path to route-admission-patch.yml> --type merge

To add a wildcard route to the Nginx Ingress namespace

  1. Create a file named bmc-route.yml in the current working directory with the following content:

    Important

    The term wildcard is used instead of the “*” to represent the subdomain, as “*” symbol is not permitted in OpenShift configuration.

    • For HTTPS traffic, add the following values in the bmc-route.yml file:

      #bmc-route.yml
      apiVersion: route.openshift.io/v1
      kind: Route
      metadata:
        name: passthrough-bmc
      spec:
       host: wildcard.<Domain>
        wildcardPolicy: Subdomain
        port:
          targetPort: 443
        tls:
         termination: passthrough
          insecureEdgeTerminationPolicy: None
       to:
          kind: Service
          name: ingress-nginx-controller

    •  For HTTP traffic, add the following values in bmc-route.yml file:

      #bmc-route.yml
      apiVersion: route.openshift.io/v1
      kind: Route
      metadata:
        name: passthrough-bmc
      spec:
       host: wildcard.<Domain>
        wildcardPolicy: Subdomain
        port:
          targetPort: 80
        tls:
         termination: edge
          insecureEdgeTerminationPolicy: Allow
       to:
          kind: Service
          name: ingress-nginx-controller

      Where <Domain> is the domain of the load balancer.
      For example, if your URL is *.<tenant_name>-<env>-<tenant_type>.acme.bmc.com, then you must set the host field as wildcard.<tenant_name>-<env>-<tenant_type>.acme.bmc.com, and any subdomain before it would be captured as the wildcard.
       

  2. To apply the changes that you made in the bmc-route.yml file, run the following commands:

    oc project ingress-nginx
    oc create -f <path to bmc-route.yml>

To verify the route configuration

To display the manifest in a yaml format, run the following commands: 

oc project ingress-nginx
oc get routes -o yaml passthrough-bmc

The manifest is displayed in a yaml format. The contents of this yaml file will match with the contents of the bmc-route.yml file if you have configured the routes correctly.

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*