"Customizing the web console URL" doesn't work

16 views
Skip to first unread message

Eduardo Lúcio Amorim Costa

unread,
Jun 29, 2021, 10:19:46 PMJun 29
to okd-wg

This question was originally posted here: "Customizing the web console URL" doesn't work .

I really need help with this problem. So I really appreciate anyone who can help me.

 > ----------------------------------------------------------------------------

Below is the complete procedure for "Customizing the web console URL", ie accessing the Web Console from a different domain than the cluster's internal domain (which the cluster has been installed).

NOTE: This "extra" domain is normally used for external access to the cluster.

Customizing the web console URL

 > --------------------------------------

Customizing the web console URL

You can update the web console URL, consoleURL, to a custom value.

Procedure

Modify the cluster instance created by default during installation in the consoles.operator.openshift.io custom resource:

```
$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname":"console.example.com"}}}' --type=merge
```

```
kind: Console
metadata:
  name: cluster
spec:
  route:
    hostname: 'console.example.com'
```
 < --------------------------------------

 > --------------------------------------

PROBLEM:

The above procedure is clearly insufficient to allow external access to the Web Console from a different domain ("external") URL.

We've done lots and lots of tests for over 12 hours and we always come up with a web page that says...

"Application is not available"

... when we try to access the Web Console from a different domain ("external") URL.

 < --------------------------------------

 > --------------------------------------

THE REAL CASE:

We can access the Web Console normally through the URL https://console-openshift-console.apps.mbr.okd.local which uses the domain okd.local with which the cluster has been installed.

However if we try to access the "Web Console" from the new URL https://console-openshift-console.apps.mbr.brlight.net which uses the domain brlight.net the error Application is not available is reported on the web page.

 < --------------------------------------

 > --------------------------------------

PROCEDURES PERFORMED:

Inform the new domain to be consumed by the Web Console...

```
oc patch consoles.operator.openshift.io cluster --type merge --patch '{"spec":{"route":{"hostname":"console.brlight.net"}}}'
```

Configure a new DNS zone (BIND 9) in the /etc/named/named.conf.local file...

```
zone "okd.local" {
    type master;
    file "/etc/named/zones/db.okd.local"; // Zone file path.
};

zone "0.3.10.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.10.3.0"; // 10.3.0.0/24 subnet.
};

zone "brlight.net" {
    type master;
    file "/etc/named/zones/fw.brlight.net"; // Zone file path.
};
```

... and in the _/etc/named/zones/fw.brlight.net_ file...

```
$TTL    604800
        1       ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        604800  ; Negative Cache TTL
)

; Name servers - "NS" records.
    IN  NS  okd4-services

; Name servers - "A" records.

; OpenShift container platform cluster - "A" records.
okd4-bootstrap.mbr.brlight.net. IN  A   10.3.0.4
okd4-compute-1.mbr.brlight.net. IN  A   10.3.0.8
okd4-compute-2.mbr.brlight.net. IN  A   10.3.0.9

; Openshift internal cluster IPs - "A" records.
api.mbr.brlight.net.              IN  A   10.3.0.14
api-int.mbr.brlight.net.          IN  A   10.3.0.14
*.apps.mbr.brlight.net.           IN  A   10.3.0.14
etcd-0.mbr.brlight.net.           IN  A   10.3.0.5
etcd-1.mbr.brlight.net.           IN  A   10.3.0.6
etcd-2.mbr.brlight.net.           IN  A   10.3.0.7
oauth-openshift.apps.mbr.brlight.net.   IN  A   10.3.0.14

; OpenShift internal cluster IPs - "SRV" records.
_etcd-server-ssl._tcp.mbr.brlight.net.    86400   IN  SRV 0   10  2380    etcd-0.mbr
_etcd-server-ssl._tcp.mbr.brlight.net.    86400   IN  SRV 0   10  2380    etcd-1.mbr
_etcd-server-ssl._tcp.mbr.brlight.net.    86400   IN  SRV 0   10  2380    etcd-2.mbr
```

The load balancer configuration (HAProxy) was kept as it was...

```
#---------------------------------------------------------------------
# Global settings.
#---------------------------------------------------------------------
global
    maxconn 20000
    log /dev/log local0 info
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon

    # Turn on stats unix socket.
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# Common defaults that all the "listen" and "backend" sections will use if not designated
# in their block.
#---------------------------------------------------------------------
defaults
    log global
    maxconn 20000
    mode http
    option dontlognull
    option http-server-close
    option httplog
    option redispatch
    retries 3
    timeout check 10s
    timeout client 300s
    timeout connect 10s
    timeout http-keep-alive 10s
    timeout http-request 10s
    timeout queue 1m
    timeout server 300s

listen stats
    bind :9000
    mode http
    option forwardfor except 127.0.0.0/8
    stats enable
    stats uri /

frontend okd4_k8s_api_fe
    bind :6443
    default_backend okd4_k8s_api_be
    mode tcp
    option tcplog

backend okd4_k8s_api_be
    balance roundrobin
    mode tcp
    # server okd4-bootstrap 10.3.0.4:6443 check
    server okd4-control-plane-1 10.3.0.5:6443 check
    server okd4-control-plane-2 10.3.0.6:6443 check
    server okd4-control-plane-3 10.3.0.7:6443 check

frontend okd4_machine_config_server_fe
    bind :22623
    default_backend okd4_machine_config_server_be
    mode tcp
    option tcplog

backend okd4_machine_config_server_be
    balance roundrobin
    mode tcp
    # server okd4-bootstrap 10.3.0.4:22623 check
    server okd4-control-plane-1 10.3.0.5:22623 check
    server okd4-control-plane-2 10.3.0.6:22623 check
    server okd4-control-plane-3 10.3.0.7:22623 check

frontend okd4_http_ingress_traffic_fe
    bind *:80
    default_backend okd4_http_ingress_traffic_be
    mode tcp
    option tcplog

backend okd4_http_ingress_traffic_be
    balance roundrobin
    mode tcp
    server okd4-compute-1 10.3.0.8:80 check
    server okd4-compute-2 10.3.0.9:80 check

frontend okd4_https_ingress_traffic_fe
    bind *:443
    default_backend okd4_https_ingress_traffic_be
    mode tcp
    option tcplog

backend okd4_https_ingress_traffic_be
    balance roundrobin
    mode tcp
    server okd4-compute-1 10.3.0.8:443 check
    server okd4-compute-2 10.3.0.9:443 check
```

 < --------------------------------------

 > --------------------------------------

QUESTION: What was missing?

Thanks in advance! =D

 < ----------------------------------------------------------------------------


Reply all
Reply to author
Forward
0 new messages