UrbanCode Deploy — Overriding Self Signed Certificates in OpenShift
I have been a long term fan of UrbanCode Deploy (UCD) and when I got the chance to work with my colleague Steve Arnold on deploying to OpenShift I jumped at the chance.
Steve had done all the heavy lifting of getting UCD deployed and you can see his work in the following links:
To get started you're going to need an openshift cluster running in the IBM cloud, and a client with oc installed…
If you're installing UrbanCode Deploy (UCD) onto IBM's Red Hat OpenShift Kubernetes Service (ROKS), then you can use the…
Following this material allowed us to stand up a UCD environment really quickly but left me with a challenge: the route OpenShift presented for the UCD pod was using the self-signed certificate contained in the underlying UCD Docker image, so my browsers flagged issues when I tried to access the UCD web interface.
Fortunately this is a pretty trivial fix, as OpenShift routes provide a number of options for TLS termination. A simple one I have used in the past is “Edge”, but with edge termination the router talks to the pod over plain HTTP, which was not possible for the UCD configuration. Based on this I focused on “Re-encrypt”.
The “Re-encrypt” option allows a certificate to be applied to the outward-facing connection; if none is provided, the cluster router's default certificate is used. As the default certificate is signed by Let's Encrypt this was good enough for my purposes. The other key piece of information is the “Destination CA Certificate”, which the router uses to verify the self-signed certificate presented by the UCD container, so I needed to figure out how to get this. Using Firefox I was able to view and download the PEM chain for the certificate. The following screenshots show this process.
With the certificate downloaded the next step was to create a new route.
To do this I accessed the ucd project in the OpenShift cluster and navigated to the “Routes” information under “Networking”. This showed the route created as part of Steve’s installation process.
Clicking on “Create Route” allows me to create a new route. I gave it a name “signed-cert” and selected the correct UCD service for the route to front.
Next I selected the port on the service which is used to present the Web interface (8443).
I then checked the “Secure route” box, which opened up a set of more detailed options. The first I set was the “TLS Termination”, which I set to “Re-encrypt”. As stated earlier this is the option which allows me to present a different outward-facing certificate.
For the “Insecure Traffic” option I set “Redirect” which means that if I try to access the route over HTTP I will be redirected to HTTPS.
The last step was to provide the downloaded certificate chain for the self-signed certificate. This is covered by the “Destination CA Certificate” section, and clicking on “Browse” allows the required file to be selected.
Once the file has been selected the imported certificate will be displayed. Clicking on “Create” creates the new route.
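The console steps above can also be captured declaratively so the route is reproducible and reviewable. The manifest below is an added example, not part of the original post or the UCD install material; the namespace, the service name and the certificate placeholder are assumptions to be replaced with the values shown in your console.

```yaml
# Added example (not from the original post): the "signed-cert" route as a
# Route manifest, applied with `oc apply -f signed-cert-route.yaml`.
# Assumed names: namespace "ucd" and service "ucd-server"; substitute the
# UCD service that was selected in the console.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: signed-cert
  namespace: ucd                # assumed project name
spec:
  to:
    kind: Service
    name: ucd-server            # assumed: the UCD service the route fronts
  port:
    targetPort: 8443            # the port that serves the UCD web interface
  tls:
    # Re-encrypt: the router terminates the browser's TLS session. No
    # certificate/key is given here, so the router's default (Let's Encrypt
    # signed) certificate is presented, then a new TLS session is opened
    # to the pod.
    termination: reencrypt
    # Same effect as "Insecure Traffic: Redirect" in the console.
    insecureEdgeTerminationPolicy: Redirect
    # The PEM chain downloaded from the browser. The router uses it to
    # verify the pod's self-signed certificate; with a chain that does not
    # match, the router cannot validate the backend and the route fails.
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      <PLACEHOLDER: paste the downloaded PEM chain here>
      -----END CERTIFICATE-----
```

To confirm the router is presenting the expected chain rather than the pod's certificate, run `openssl s_client -connect <route-host>:443 -servername <route-host> </dev/null | openssl x509 -noout -issuer` against the route's host and check that the issuer is Let's Encrypt.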
Clicking on the “Location” link will open up the UCD Web UI via the newly defined route.
I am using Safari so clicking on the padlock allows me to access details about the certificate used to secure the page.
As you can see from the above, the route is presenting a Let's Encrypt signed certificate rather than the internal self-signed one.
Following these steps was pretty easy, and the time to set up the new route was significantly quicker than the time it took me to write this post :-) Going forward I want to look at bringing my own signed certificate, but for now I have a working solution.
Finally a quick shout out to Mark Taylor who again helped clarify some points on OpenShift as I worked through this.