Run OpenShift console on port 443

One thing that I really like about OpenShift is that it very often eats its own dog food. In my opinion, that is generally a sign of good design, but that’s another story.
In this post, I want to show how to make the OpenShift console run on port 443 by using the openshift-router together with a service and endpoints. This can be very useful, for example, if your network setup prevents access to port 8443, which is often the case on corporate networks.

As a disclaimer, I just want to state that this is not (well, for now) a production-proof design, but you can at least use it for demonstration purposes or simply to understand how OpenShift external services work.

As you may have guessed, the idea here is to create an OpenShift external service pointing to the OpenShift master URL and then create a route, served by openshift-router, that forwards requests to the OpenShift master itself. Along the way, you need to create an OpenShift Endpoints object, as stated in the documentation.
The final trick is to change the masterPublicURL and publicURL parameters in the master-config.yaml OpenShift configuration to match the route’s URL.

Here is the configuration. You will need:
– Your master’s internal IP address
– A wildcard entry or DNS entry pointing to your openshift-router nodes (this can also be the master itself if you are running the router on the master)
– That’s all

So, let’s assume the following settings:
My master’s domain name is: paas.mycompany.com
My master’s internal IP address is: 192.168.1.1
My openshift-router runs on IP 50.50.50.50 and my DNS entry paas.mycompany.com points to it

So you need to create a Service:

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
  name: openshift-master
spec:
  ports:
  - name: 8443-tcp
    port: 8443
    protocol: TCP
    targetPort: 8443
  selector: {}
status:
  loadBalancer: {}

and manually create the corresponding Endpoints object:

apiVersion: v1
kind: Endpoints
metadata:
  creationTimestamp: null
  name: openshift-master
subsets:
- addresses:
  - ip: 192.168.1.1
  ports:
  - name: 8443-tcp
    port: 8443
    protocol: TCP

Then you need a route whose host entry points to 50.50.50.50:

apiVersion: v1
kind: Route
metadata:
  creationTimestamp: null
  name: openshift-master
spec:
  host: paas.mycompany.com
  port:
    targetPort: 8443
  to:
    kind: Service
    name: openshift-master
  tls:
    termination: passthrough
status:
  ingress: null

The last step is to modify your master-config.yaml and change every occurrence of masterPublicURL or publicURL to https://paas.mycompany.com:443.
Keep in mind that the certificates you have generated for the console must be valid for the host URL you are pointing to, and that you must update your corsAllowedOrigins to add the new domain you are pointing to.

apiLevels:
- v1
apiVersion: v1
assetConfig:
  extensionDevelopment: false
  extensionScripts: null
  extensionStylesheets: null
  extensions: null
  loggingPublicURL: ""
  logoutURL: ""
  masterPublicURL: https://paas.mycompany.com:443
  metricsPublicURL: https://paas.mycompany.com/hawkular/metrics
  publicURL: https://paas.mycompany.com:443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    namedCertificates: null
    requestTimeoutSeconds: 0
controllerLeaseTTL: 0
controllers: '*'
corsAllowedOrigins:
- 127.0.0.1
- 50.50.50.50:8443
- localhost
- paas.mycompany.com
disabledFeatures: null
...

Et voilà!
Your OpenShift master console should now be available on port 443
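
A sanity check for the master-config.yaml points above, as an added example that is not part of the original post: it verifies that the public URLs, corsAllowedOrigins and the certificate's SANs all agree with the route host. The function names, the line-based parsing and the plain host-name comparison of CORS entries are assumptions of this sketch, and the SAN list is supplied by the caller.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of master-config.yaml using the article's example values.
SAMPLE_CONFIG = """\
assetConfig:
  masterPublicURL: https://paas.mycompany.com:443
  publicURL: https://paas.mycompany.com:443/console/
corsAllowedOrigins:
- 127.0.0.1
- localhost
- paas.mycompany.com
disabledFeatures: null
"""

def san_matches(san, host):
    """Exact match, or a single-label wildcard such as *.mycompany.com."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def cors_origins(config_text):
    """Items of the top-level corsAllowedOrigins list (line-based, no YAML library)."""
    block = re.search(r"^corsAllowedOrigins:[ \t]*\n((?:[ \t]*- .*\n?)*)", config_text, re.M)
    return re.findall(r"^[ \t]*- *(\S+)", block.group(1), re.M) if block else []

def check_master_config(config_text, route_host, cert_sans):
    """Return the problems that would break the console behind the route."""
    host, problems = route_host.lower(), []
    urls = re.findall(r"^[ \t]*(masterPublicURL|publicURL):[ \t]*(\S+)", config_text, re.M)
    for key, url in urls:
        u = urlsplit(url)
        if u.scheme != "https" or u.hostname != host or (u.port or 443) != 443:
            problems.append(f"{key} {url} does not point at https://{host}:443")
    # Assumption: CORS entries are compared as plain host names, port ignored.
    if host not in {o.split(":")[0].lower() for o in cors_origins(config_text)}:
        problems.append(f"corsAllowedOrigins has no entry for {host}")
    # Passthrough termination: clients see the master's own serving certificate.
    if not any(san_matches(s, host) for s in cert_sans):
        problems.append(f"serving certificate has no SAN covering {host}")
    return problems

if __name__ == "__main__":
    # Constructed SAN list; in practice read it from master.server.crt.
    for p in check_master_config(SAMPLE_CONFIG, "paas.mycompany.com", ["192.168.1.1"]):
        print("PROBLEM:", p)
```

Because the route uses passthrough termination, the router never presents a certificate of its own, which is why the check is made against the master's serving certificate.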

7 thoughts on “Run OpenShift console on port 443”

  1. This is interesting by taking advantage of router and forward to master endpoint. But I am not sure this is the right approach. If for any reason the router is down, then your master is also not reachable.

    Instead of that, can’t we run master directly on port 443? And then just create a DNS entry and point to master VIP?

    Another approach is to use a simple load balancer and listen on 443 and forward traffic to all masters on port 8443. This approach makes sense if you have multiple masters.

    Srinivas Kotaru

    • Totally true, and what you are stating is indeed the right way to do it.

      As stated, I mainly use this setup for demo purposes, and it is presented to explain how external services can work.

      • Hi Akram, after changing “master-config.yaml”, do we need to restart master or will it take the new endpoint without that? I have tried following the same steps in origin v 1.1.6, but it doesn’t listen on “https://:443”. Is there something missing? Any help would be much appreciated. Thanks in advance!

        • Hi Priya.

          Sorry for the delay.
          It is indeed required to restart the master for this to take effect.
          I was doing this on OpenShift Enterprise 3.0 but also on the latest origin build, so I guess that it certainly works on origin 1.1.6.

  2. Based on my testing you need to create the endpoint like this or it won’t work.

    apiVersion: v1
    kind: Endpoints
    metadata:
      creationTimestamp: null
      name: openshift-master
    subsets:
    - addresses:
      - ip:
      ports:
      - name: 8443-tcp
        port: 8443
        protocol: TCP
