
I have created an application with a route to it using OpenShift Origin. Now I want to make that route secure using TLS: I've already created routes with edge and passthrough. But now I want to create a route which is using Reencrypt.

Therefore I need to specify some certificates in my route:

```yaml
apiVersion: v1
kind: Route
metadata:
  name: route-pt-secured
spec:
  host: www.example.com
  to:
    kind: Service
    name: service-name
  tls:
    termination: reencrypt
    key: [as in edge termination]
    certificate: [as in edge termination]
    caCertificate: [as in edge termination]
    destinationCaCertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
```

It's very similar to edge termination, but there I don't have to describe a destinationCACertificate. I create my own certificate and key using keytool and conversion to PKCS12. After that I can see my certificate and key (openssl pkcs12) and copy them into my route.

Now my problem is that I don't really know what a destinationCACertificate is. Do I have to create it in the same way as I'm creating my normal key/certificate, or do I have to read/create it somewhere else?

lvthillo

1 Answer

The destinationCACertificate is the (optional) CA certificate that signed the serving cert of the TLS endpoint (a pod) the route is pointing at. The endpoint, being a pod, is likely a private IP (10.x.x.x), and most CAs won't sign an IP in the private IP ranges. Also, pods get created and deleted frequently (getting different IP addresses) so it's difficult to create a serving cert that has the pod IPs.

The destinationCACertificate is really a shared secret between the router and the pod: the router expects the destinationCACertificate to match the server cert, and that's only possible if you (the user) set the route up with it to match the pod(s) server cert.

Clayton
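To make the answer concrete, here is an added example (my own, not code from the question or the answer) that reproduces with openssl what the router checks for a reencrypt route: a private CA is created, that CA signs the serving certificate the pod presents, and the serving certificate is then verified against the CA certificate, which is the value that belongs in spec.tls.destinationCaCertificate. The CA name, the pod hostname backend.example.svc and the service name are placeholders I chose, not values from the page.

```shell
#!/bin/sh
# Added example: build the "destination CA", sign a pod serving cert with it,
# and check the chain the way the router does before forwarding traffic.
# All names and values below are constructed for the demo.

set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA. Its certificate (dest-ca.crt) is what goes into
# spec.tls.destinationCaCertificate; its key never leaves the cluster admin.
make_destination_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=pod-serving-ca (placeholder)" \
    -keyout "$WORK/dest-ca.key" -out "$WORK/dest-ca.crt" 2>/dev/null
}

# Serving key/cert the pod presents on its TLS port, signed by the destination
# CA so the router can chain it back to destinationCaCertificate.
make_pod_serving_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=backend.example.svc" \
    -keyout "$WORK/pod.key" -out "$WORK/pod.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/pod.csr" \
    -CA "$WORK/dest-ca.crt" -CAkey "$WORK/dest-ca.key" -CAcreateserial \
    -days 365 -out "$WORK/pod.crt" 2>/dev/null
}

# A second, unrelated CA: stands in for "I pasted the wrong CA into the route".
make_unrelated_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=some-other-ca (placeholder)" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" 2>/dev/null
}

# router_would_accept CA_CERT SERVING_CERT
# Returns 0 when the serving cert chains to CA_CERT (router trusts the pod),
# non-zero otherwise (router would refuse the backend connection).
router_would_accept() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Emit the reencrypt Route manifest with the CA cert indented under the
# block scalar. Edge-side key/certificate/caCertificate are left as the
# placeholders from the question.
render_route() {
  cat <<'EOF'
apiVersion: v1
kind: Route
metadata:
  name: route-pt-secured
spec:
  host: www.example.com
  to:
    kind: Service
    name: service-name
  tls:
    termination: reencrypt
    key: [as in edge termination]
    certificate: [as in edge termination]
    caCertificate: [as in edge termination]
    destinationCaCertificate: |-
EOF
  sed 's/^/      /' "$WORK/dest-ca.crt"
}

# Stand-alone run: create everything, show both outcomes, print the manifest.
demo() {
  make_destination_ca
  make_pod_serving_cert
  make_unrelated_ca
  if router_would_accept "$WORK/dest-ca.crt" "$WORK/pod.crt"; then
    echo "pod cert chains to destination CA: router would accept"
  fi
  if ! router_would_accept "$WORK/other-ca.crt" "$WORK/pod.crt"; then
    echo "pod cert does NOT chain to unrelated CA: router would reject"
  fi
  render_route
}
```

The same pairing can be done from the CLI instead of hand-editing YAML: `oc create route reencrypt` accepts `--dest-ca-cert=dest-ca.crt` alongside the edge-side `--cert`, `--key` and `--ca-cert` flags. The serving key (pod.key) and cert (pod.crt) are mounted into the pod, typically from a Secret; only the CA certificate is copied into the route.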