Lab 6.2 - Create a Secure Edge Route

1. Log in as the developer user

oc login -u developer -p rahasia

2. Create the network-ingress project

oc new-project network-ingress

3. Create the deployment from the image, which is the initial, unencrypted version of the application

oc create deployment todo-http --image
oc get pods -w

4. Expose the service for the deployment

oc expose deployment/todo-http --port 80 --target-port 8080

5. Run oc expose to create a route for accessing the application

oc expose svc todo-http \

6. Retrieve the name of the route and copy it to the clipboard

oc get routes
oc describe route todo-http

7. From your laptop, open your browser and access

8. Run the oc create route command to define the new route. Give the route a host name of

oc create route edge todo-https \
 --service todo-http \
oc get routes

9. To test the route and read the certificate, open Firefox and access Upon first access, Firefox warns you about the certificate. Click Advanced, then Add Exception and then View Certificate to read the certificate.

10. Use curl to further confirm rejection of the certificate.

curl -k

11. One way to verify how the certificate is signed by OKD is to retrieve the CA that the ingress operator uses. This allows you to validate the edge certificate against the CA.

12. Log in to the cluster as the admin user

oc login -u admin -p rahasia

13. Run oc extract to retrieve the CA present in the openshift-ingress-operator namespace

cd /root
oc extract secrets/router-ca \
 --keys tls.crt -n openshift-ingress-operator

14. From the terminal, use curl to retrieve the connection headers. Use the --cacert option to pass the CA to curl

curl -I -v \
 --cacert tls.crt

# The output indicates that curl trusts the remote certificate, since it matches the CA.

15. Log back in as the developer user

oc login -u developer -p rahasia

16. Retrieve the IP address of the todo-http service

oc get svc todo-http \
 -o jsonpath="{.spec.clusterIP}{'\n'}"

17. Create a debug pod in the todo-http deployment

oc debug -t deployment/todo-http \

18. From the debug pod, use curl to access the service over HTTP


# The output indicates that the application is available over HTTP

19. Exit the debug pod
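
The edge route from step 8, written as a declarative Route manifest. This is an added example, not part of the original lab; the host value is a constructed placeholder, and the insecureEdgeTerminationPolicy setting is an addition that the lab's oc create route command does not set.

```yaml
# Added example: declarative form of the edge route created in step 8.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: todo-https
  namespace: network-ingress
spec:
  # Constructed placeholder, not the lab's host name.
  host: todo-https.apps.example.com
  to:
    kind: Service
    name: todo-http
  port:
    # Pod port behind service port 80 (step 4).
    targetPort: 8080
  tls:
    # edge: the router terminates TLS and forwards plain HTTP to the pod,
    # which is why the service still answers over HTTP in step 18.
    termination: edge
    # No certificate or key is set here, so the router presents its
    # default certificate, the one checked against router-ca in steps 13-14.
    # Redirect sends clients that reach this host over plain HTTP to HTTPS.
    # Other accepted values: None (the default) and Allow.
    insecureEdgeTerminationPolicy: Redirect
```

The redirect applies only to this route's host; the plain HTTP route created in step 5 stays reachable until it is deleted.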