Lab 6.2 - Create a Secure Edge Route

1. Log in as the developer user

oc login -u developer -p rahasia https://api.openshift.podX.io:6443

2. Create the network-ingress project

oc new-project network-ingress

3. Create the deployment from the image quay.io/redhattraining/todo-angular:v1.1, which is the initial, unencrypted (plain HTTP) version of the application

oc create deployment todo-http --image quay.io/redhattraining/todo-angular:v1.1
oc get pods -w

4. Expose the service for the deployment

oc expose deployment/todo-http --port 80 --target-port 8080

5. Run oc expose to create a route for accessing the application

oc expose svc todo-http \
 --hostname todo-http.apps.openshift.podX.io

6. Retrieve the name of the route and copy it to the clipboard

oc get routes
oc describe route todo-http

7. From your laptop, open your browser and access http://todo-http.apps.openshift.podX.io/

8. Run the oc create route command to define the new route. Give the route a host name of todo-https.apps.openshift.podX.io.

oc create route edge todo-https \
 --service todo-http \
 --hostname todo-https.apps.openshift.podX.io
oc get routes

9. To test the route and read the certificate, open Firefox and access https://todo-https.apps.openshift.podX.io. Upon first access, Firefox warns you about the certificate. Click Advanced, then Add Exception and then View Certificate to read the certificate.

10. Use curl to further confirm that the certificate is rejected by default. The first command fails certificate verification because the router certificate is not signed by a CA that curl trusts; the second uses -k (--insecure), which skips verification entirely and therefore reaches the application.

curl https://todo-https.apps.openshift.podX.io
curl -k https://todo-https.apps.openshift.podX.io

11. One way to verify how the certificate is signed by OKD is to retrieve the CA that the ingress operator uses. This allows you to validate the edge certificate against the CA.

12. Log in to the cluster as the admin user

oc login -u admin -p rahasia https://api.openshift.podX.io:6443

13. Run oc extract to retrieve the CA present in the openshift-ingress-operator namespace

cd /root
oc extract secrets/router-ca \
 --keys tls.crt -n openshift-ingress-operator

14. From the terminal, use curl to retrieve the response headers. Use the --cacert option to pass the CA to curl

curl -I -v \
 --cacert tls.crt https://todo-https.apps.openshift.podX.io/

# The output indicates that curl trusts the remote certificate, since it chains to the CA passed with --cacert.
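The trust check in step 14 can be reproduced offline. The script below is an added example, not part of the lab: it uses openssl (assumed to be on PATH) to build a throwaway "ingress" CA and an edge certificate for the lab hostname, all constructed here rather than extracted from a cluster, and then validates the certificate the same way curl --cacert does, against the issuing CA, against an unrelated CA, and against the wrong hostname.

```shell
#!/bin/sh
# Added example, not part of the lab: reproduce step 14's trust check offline.
# A throwaway "ingress" CA and an edge certificate are generated with openssl
# (constructed, not the cluster's real router-ca), then the certificate is
# validated against the right CA, a different CA, and the wrong hostname.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EDGE_HOST=todo-https.apps.openshift.podX.io   # hostname from the lab; the cert is constructed

# write_req_cnf <path> <CN>: minimal openssl config so the script does not
# depend on the system-wide openssl.cnf
write_req_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# make_ca <name>: self-signed CA -> $WORK/<name>.key and $WORK/<name>.crt
make_ca() {
  write_req_cnf "$WORK/$1.cnf" "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$1.cnf" -extensions v3_ca \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_edge_cert <ca-name> <hostname>: certificate for <hostname> signed by
# the CA, with the hostname in subjectAltName (what curl matches against)
issue_edge_cert() {
  write_req_cnf "$WORK/$2.cnf" "$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -days 1 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# verify_edge_cert <ca-file> <cert-file> <hostname>: exit 0 only when the
# certificate chains to the CA *and* carries the expected hostname, which is
# the same pair of checks curl --cacert performs in step 14
verify_edge_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# report <ca-file> <cert-file> <hostname>: human-readable result line
report() {
  if verify_edge_cert "$1" "$2" "$3"; then
    echo "trusted:  $(basename "$2") chains to $(basename "$1") for $3"
  else
    echo "rejected: $(basename "$2") against $(basename "$1") for $3"
  fi
}

make_ca ingress-ca   # stands in for the router-ca extracted in step 13
make_ca other-ca     # an unrelated CA, to show the check is not a no-op
issue_edge_cert ingress-ca "$EDGE_HOST"

report "$WORK/ingress-ca.crt" "$WORK/$EDGE_HOST.crt" "$EDGE_HOST"           # trusted
report "$WORK/other-ca.crt"   "$WORK/$EDGE_HOST.crt" "$EDGE_HOST"           # rejected: wrong CA
report "$WORK/ingress-ca.crt" "$WORK/$EDGE_HOST.crt" "other.example.test"   # rejected: hostname mismatch
```

The second and third cases are why pinning the extracted router-ca with --cacert is preferable to -k: -k accepts any certificate, whereas --cacert still fails when the certificate was issued by a different CA or does not name the host being contacted.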

15. Log back in as the developer user

oc login -u developer -p rahasia https://api.openshift.podX.io:6443

16. Retrieve the IP address of the todo-http service

oc get svc todo-http \
 -o jsonpath="{.spec.clusterIP}{'\n'}"

17. Create a debug pod in the todo-http deployment

oc debug -t deployment/todo-http \
 --image registry.access.redhat.com/ubi8/ubi:8.0

18. From the debug pod, use curl to access the service over plain HTTP, using the cluster IP retrieved in step 16 (172.30.29.102 in this example)

curl 172.30.29.102

# The output indicates that the application is still served unencrypted over HTTP inside the cluster; the edge route only encrypts traffic between the client and the router.

19. Exit the debug pod

exit
