path: root/docs/webservices.txt
Architecture
============
 - Users are never connected directly to the services running in OpenShift. A load-balancing
 HAProxy (the router) always sits in between. This has several implications:
    * The service sees every request coming from the HAProxy IP, so IP-based authentication in
    the service itself is no longer possible. The router does forward the original client address
    in the 'X-Forwarded-For' header, but the service may only trust that header if it is reachable
    exclusively through the router.
    * If several replicas of a service are running, HAProxy distributes requests among them in
    round-robin fashion by default, i.e. consecutive requests from the same user are served by
    different replicas. If these replicas are, for example, databases that are not completely in
    sync, the user may see data that changes from one request to the next. This can be fixed by
    setting the 'haproxy.router.openshift.io/balance' annotation to 'source' in the route metadata.
    The destination replica is then chosen by hashing the client IP, so one client always lands on
    the same replica (note that all clients behind a single NAT address then share one replica too).
    * HAProxy has a default timeout: if the replica does not send any data within 30s, the
    connection is terminated. It can be increased with the 'haproxy.router.openshift.io/timeout'
    annotation (e.g. '120s').
    * Certificates for HTTPS services can be configured in several ways, determined by the type of
    TLS termination in the route specification. With 'passthrough' the encrypted connection is handed
    to the container untouched, so the container is expected to handle the certificates itself. With
    'edge' termination, the certificate and key are configured in the route; HAProxy handles the
    secure communication with the clients and passes unencrypted traffic to the service inside the
    cluster.
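The following is an added example (not part of this document and not the cluster's own tooling) that puts the three route settings above into one Route manifest: the 'balance' and 'timeout' annotations plus the TLS termination mode. The route/service/host names, the timeout value and the certificate file names are assumptions; pipe the output into 'oc apply -f -' to create the route.

```shell
#!/bin/sh
# Added example: emit an OpenShift Route manifest with the HAProxy router
# annotations discussed above. Names and file paths are illustrative assumptions.
set -eu

# route_manifest NAME SERVICE HOST TERMINATION TIMEOUT [CERT KEY]
#   TERMINATION is "edge" (router holds the certificate, plain HTTP to the pod)
#   or "passthrough" (the pod terminates TLS itself; no certificate in the route).
route_manifest() {
  name=$1; service=$2; host=$3; termination=$4; timeout=$5
  cert=${6:-}; key=${7:-}
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: $name
  annotations:
    # sticky sessions by client IP: one client always reaches the same replica
    haproxy.router.openshift.io/balance: source
    # raise the 30s default so slow backends are not cut off mid-response
    haproxy.router.openshift.io/timeout: $timeout
spec:
  host: $host
  to:
    kind: Service
    name: $service
  tls:
    termination: $termination
EOF
  if [ "$termination" = edge ]; then
    # edge: the PEM certificate and key live in the route itself, indented under
    # the YAML keys; passthrough routes carry no key material at all
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
      echo "edge termination needs readable CERT and KEY files" >&2
      return 1
    fi
    printf '    certificate: |\n'; sed 's/^/      /' "$cert"
    printf '    key: |\n';         sed 's/^/      /' "$key"
  fi
}

# usage (assumed names):
#   route_manifest kaas kaas-svc kaas.kit.edu edge 120s kaas.crt kaas.key | oc apply -f -
#   route_manifest db db-svc db.kaas.kit.edu passthrough 120s | oc apply -f -
```

Choose 'source' balancing deliberately: it fixes the inconsistent-data problem for unsynchronised replicas, but it also undoes the load spreading for all users who share one egress IP.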


Updating/Generating certificates for the router
===============================================
 - Generating the private key and the CSR (the SAN list must contain both the bare host name and
   the wildcard, since the router serves '*.kaas.kit.edu')
        openssl genrsa -out kaas.key 4096
        openssl req -new -key kaas.key -sha256 -nodes -out kaas.csr -config <(
        cat <<-EOF
        [ req ]
        default_bits = 4096
        req_extensions = req_ext
        ...
        
        [ dn ]
        CN=kaas.kit.edu
        ...

        [ req_ext ]
        subjectAltName = @alt_names

        [ alt_names ]
        DNS.1 = kaas.kit.edu
        DNS.2 = *.kaas.kit.edu
        EOF
        )
 - Installing
    * Two files are needed:
        1) the private key
        2) a PEM file containing both the certificate and the private key (certificate first). No CA
        certificate is needed, at least as long as our certificate is signed by a well-known CA.
    * The certificate goes into the 'router-certs' secret in the 'default' namespace. It is probably
    better to modify the existing secret than to delete and re-create it. However, the values cannot
    simply be pasted in, because secret data is stored base64-encoded. The easiest way is to create
    a new secret in a temporary namespace:
        oc -n test secrets new router-certs tls.crt=kaas.pem tls.key=kaas.key
    and then copy the 'tls.crt' and 'tls.key' values over into the secret in 'default'.
    * To make the router reload the secret, delete the 'router' pods; the replication controller
    re-creates them automatically and the new pods pick up the updated secret.
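As an added example, not part of this document, the whole procedure above (CSR with SANs, PEM bundle, secret update, router restart) as a small set of shell functions. The base file name, the 'oc create secret tls ... --dry-run -o yaml | oc apply' pattern (the newer replacement for 'oc secrets new' that updates the secret in place) and the 'router=router' pod label are assumptions to verify against your cluster version; 'check_bundle' is the sanity check worth running before touching the router.

```shell
#!/bin/sh
# Added example: router certificate renewal as reusable functions.
# Hostnames, file names, the secret name and the router pod label are assumptions.
set -eu

# Print an openssl req config with a SAN list. The first argument is the CN and
# every argument (CN included) becomes a DNS SAN entry; modern clients ignore the
# CN and only match SANs, so the wildcard must be listed here.
make_san_config() {
  cn=$1
  cat <<EOF
[ req ]
default_bits = 4096
prompt = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = $cn

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
EOF
  i=1
  for name in "$@"; do
    echo "DNS.$i = $name"
    i=$((i + 1))
  done
}

# gen_key_csr BASE CN [SAN...]: 4096-bit RSA key plus a CSR carrying the SANs
# (needs openssl; writes BASE.key, BASE.cnf and BASE.csr).
gen_key_csr() {
  base=$1; shift
  openssl genrsa -out "$base.key" 4096
  chmod 600 "$base.key"
  make_san_config "$@" > "$base.cnf"
  openssl req -new -sha256 -key "$base.key" -config "$base.cnf" -out "$base.csr"
  # confirm the SANs made it into the request before sending it to the CA
  openssl req -noout -text -in "$base.csr" | grep -A1 'Subject Alternative Name'
}

# The router's tls.crt is the certificate followed by the private key in one PEM.
bundle_pem() {
  cert=$1; key=$2; out=$3
  cat "$cert" "$key" > "$out"
  chmod 600 "$out"
}

# Return 0 only if the bundle holds both a certificate block and a private-key
# block, with the certificate first (a key-only or reversed file is rejected).
check_bundle() {
  crt_line=$(grep -n 'BEGIN CERTIFICATE' "$1" | head -n1 | cut -d: -f1)
  key_line=$(grep -n 'BEGIN .*PRIVATE KEY' "$1" | head -n1 | cut -d: -f1)
  [ -n "$crt_line" ] && [ -n "$key_line" ] && [ "$crt_line" -lt "$key_line" ]
}

# Update the router-certs secret in place and restart the router pods so the new
# HAProxy processes read it. Assumptions: the client supports --dry-run -o yaml
# and the router pods carry the label router=router.
install_router_certs() {
  bundle=$1; key=$2
  check_bundle "$bundle"
  oc -n default create secret tls router-certs --cert="$bundle" --key="$key" \
      --dry-run -o yaml | oc -n default apply -f -
  oc -n default delete pod -l router=router
}

# usage (assumed names):
#   gen_key_csr kaas kaas.kit.edu '*.kaas.kit.edu'   # send kaas.csr to the CA
#   bundle_pem kaas.crt kaas.key kaas.pem            # once kaas.crt comes back
#   install_router_certs kaas.pem kaas.key
```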