Route Options and Route Types

Routes can be either secured or unsecured. Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. Unsecured routes are the simplest to configure because they require no key or certificates, but secured routes encrypt traffic to and from the pods.

A secured route specifies the TLS termination of the route. The available types of termination are presented in the following list.

OKD Secure Routes


With edge termination, TLS termination occurs at the router, before the traffic is routed to the pods. The router serves the TLS certificates, so you must configure them into the route; otherwise, OKD assigns its own certificate to the router for TLS termination.

Because TLS is terminated at the router, connections from the router to the endpoints over the internal network are not encrypted.


With pass-through termination, encrypted traffic is sent straight to the destination pod without the router providing TLS termination. In this mode, the application is responsible for serving certificates for the traffic. This is currently the only method that supports mutual authentication between the application and a client that accesses it.


Re-encryption is a variation on edge termination, whereby the router terminates TLS with a certificate, and then re-encrypts its connection to the endpoint, which might have a different certificate.

Therefore, the full path of the connection is encrypted, even over the internal network. The router uses health checks to determine the authenticity of the host.