Add an Ingress Controller to an OSD GCP Cluster, optionally with a custom domain.
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
Starting with OpenShift 4.14, OSD GCP supports adding additional Ingress Controllers, which can be used to configure a custom domain on an OSD GCP cluster without having to use the now deprecated Custom Domain Operator. This guide shows how to add an additional Ingress Controller (public or private) to an OSD GCP cluster and, optionally, how to configure a custom domain on it.
Prerequisites
- A Red Hat OpenShift Dedicated on GCP (OSD GCP) cluster, version 4.14 or above
- The oc CLI, logged in to the cluster.
Set up environment
- Export a few environment variables.
Important: the variables below can be customized to fit the needs of your ingress controller.
```bash
export DOMAIN=example.com                    # custom hosted zone domain for apps
export DOMAIN_DASH=$(echo $DOMAIN | tr . -)
export EMAIL=you@domain.com                  # optional: your email address if you are generating your own certificate
```
CERT_NAME - this is the name of the TLS secret for the domain of your ingress controller. This TLS secret must be stored in the openshift-ingress namespace. If you are adding an additional Ingress Controller to the openshiftapps.com domain that comes with OSD GCP, use the name of the secret in the openshift-ingress namespace that follows the naming format (ID)-primary-cert-bundle-secret.
Optional: to create your own certificate, you can use certbot.
```bash
certbot certonly --manual \
  --preferred-challenges=dns \
  --email $EMAIL \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --config-dir "./config" \
  --work-dir "./work" \
  --logs-dir "./logs" \
  -d "*.$DOMAIN"
```
The output of this command will show where your certificate and key are located.
```
Successfully received certificate.
Certificate is saved at: /Users/kevincollins/tmp/masconfig/config/live/kevin.mobb.cloud/fullchain.pem
Key is saved at: /Users/kevincollins/tmp/masconfig/config/live/kevin.mobb.cloud/privkey.pem
```
Taking the paths from the output above, create the TLS secret in the openshift-ingress namespace.
```bash
oc create secret tls ${DOMAIN_DASH}-tls-cert \
  --key=/Users/kevincollins/tmp/masconfig/config/live/kevin.mobb.cloud/privkey.pem \
  --cert=/Users/kevincollins/tmp/masconfig/config/live/kevin.mobb.cloud/fullchain.pem \
  -n openshift-ingress
```
SCOPE - this is the scope of the Network Load Balancer that will be provisioned. The scope can be either Internal, for a private network load balancer, or External, for an Internet-facing network load balancer.
```bash
export INGRESS_NAME=public-ingress           # name of the new ingress controller
export CERT_NAME=${DOMAIN_DASH}-tls-cert
export SCOPE="External"
export SCRATCH_DIR=/tmp/scratch
mkdir -p $SCRATCH_DIR
```
Create the Ingress Controller.
```bash
envsubst <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  annotations:
    ingress.operator.openshift.io/auto-delete-load-balancer: "true"
  finalizers:
  - ingresscontroller.operator.openshift.io/finalizer-ingresscontroller
  generation: 2
  name: $INGRESS_NAME
  namespace: openshift-ingress-operator
spec:
  clientTLS:
    clientCA:
      name: ""
    clientCertificatePolicy: ""
  defaultCertificate:
    name: $CERT_NAME
  domain: $DOMAIN
  endpointPublishingStrategy:
    loadBalancer:
      dnsManagementPolicy: Unmanaged
      scope: $SCOPE
      providerParameters:
        type: GCP
    type: LoadBalancerService
  httpCompression: {}
  httpEmptyRequestsPolicy: Respond
  httpErrorCodePages:
    name: ""
  replicas: 2
  tuningOptions:
    reloadInterval: 0s
  unsupportedConfigOverrides: null
EOF
```
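A pre-flight check for the manifest above, added here as an example and not part of the original guide: envsubst expands an unset shell variable to an empty string rather than failing, so this script validates INGRESS_NAME, DOMAIN, CERT_NAME and SCOPE first and then renders the same IngressController (without the server-managed generation and finalizers fields) as JSON, which `oc apply -f -` accepts. The default_domain argument and the name/domain conflict rules are this example's own assumptions.

```python
import json
import re

# Kubernetes object names must be DNS-1123 labels; the apps domain must be a FQDN.
DNS1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
FQDN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
VALID_SCOPES = {"Internal", "External"}


def preflight(ingress_name, domain, cert_name, scope, default_domain=None):
    # Empty list = safe. envsubst turns an unset variable into "", so each value is checked.
    problems = []
    if not DNS1123_LABEL.match(ingress_name or ""):
        problems.append(f"INGRESS_NAME {ingress_name!r} is not a valid DNS-1123 name")
    elif ingress_name == "default":
        problems.append("INGRESS_NAME 'default' is the cluster's own ingress controller")
    if not FQDN.match((domain or "").lower()):
        problems.append(f"DOMAIN {domain!r} is not a fully qualified domain name")
    elif default_domain and domain.lower() == default_domain.lower():
        problems.append(f"DOMAIN {domain!r} conflicts with the default ingress domain")
    if not DNS1123_LABEL.match(cert_name or ""):
        problems.append(f"CERT_NAME {cert_name!r} is not a valid Secret name")
    if scope not in VALID_SCOPES:
        problems.append(f"SCOPE {scope!r} must be one of {sorted(VALID_SCOPES)}")
    return problems


def render_ingress_controller(ingress_name, domain, cert_name, scope, replicas=2):
    # The guide's IngressController as a dict; server-managed generation/finalizers are omitted.
    problems = preflight(ingress_name, domain, cert_name, scope)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "operator.openshift.io/v1",
        "kind": "IngressController",
        "metadata": {"name": ingress_name, "namespace": "openshift-ingress-operator",
                     "annotations": {"ingress.operator.openshift.io/auto-delete-load-balancer": "true"}},
        "spec": {
            "domain": domain,
            "defaultCertificate": {"name": cert_name},  # TLS Secret in openshift-ingress
            "replicas": replicas,
            "endpointPublishingStrategy": {
                "type": "LoadBalancerService",
                "loadBalancer": {"scope": scope, "providerParameters": {"type": "GCP"},
                                 "dnsManagementPolicy": "Unmanaged"},  # A record is created by hand
            },
        },
    }


def to_manifest(*args, **kwargs):
    return json.dumps(render_ingress_controller(*args, **kwargs), indent=2)
```

Run it as `python3 render.py | oc apply -f -` after reading the four variables from the environment; a problem list is raised as a ValueError instead of producing a manifest with blank fields.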
Describe the Ingress Controller to confirm it's ready.
```bash
oc describe IngressController $INGRESS_NAME -n openshift-ingress-operator
```
You should see output mentioning that the ingress controller is Admitted.
```
Normal Admitted 2m16s ingress_controller ingresscontroller passed validation
```
Also verify that the router pods of the new ingress controller are running.
```bash
oc get pods -n openshift-ingress | grep $INGRESS_NAME
```
Expected output is two pods in a Running state.
```
router-public-7dd48fdcbb-bpdzc 1/1 Running 0 4m20s
router-public-7dd48fdcbb-cn7hb 1/1 Running 0 4m20s
```
Create a DNS entry for the new domain / network load balancer
Get the IP address of the network load balancer:
```bash
LB_IP=$(oc get service -n openshift-ingress router-${INGRESS_NAME} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo "LB_IP=${LB_IP}"
```
Create an A record in your DNS settings, pointing the domain to the IP address of the newly created load balancer.
Test an application.
Create a test application in a new namespace.
```bash
oc new-project testapp
oc new-app --docker-image=docker.io/openshift/hello-openshift -n testapp
```
Expose the test application Service.
Create an edge-terminated Route to expose the application outside the cluster; because its hostname falls under the new ingress controller's domain, TLS is terminated with that controller's default certificate.
```bash
oc create route edge --service=hello-openshift testroute --hostname hello.$DOMAIN -n testapp
```
Access the application Route.
Open your browser to https://hello.$DOMAIN and you will see a secured web page that displays "Hello OpenShift".