This repository will deploy http servers at the following two URLs:
The services are exposed through routes that are managed by the external-apps IngressController. The routes are selected by the external ingress controller because they have the label nerc.mghpcc.org/external-ingress: "true"; this matches the routeSelector in the IngressController resource:

    routeSelector:
      matchLabels:
        nerc.mghpcc.org/external-ingress: "true"
Due to the way in which the IngressController behaves, routes matching the external ingress service must specify an explicit fully qualified domain name in the host option, for example:

    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      labels:
        nerc.mghpcc.org/external-ingress: "true"
      name: external-ingress-demo-example1
      namespace: external-ingress-demo
    spec:
      host: demo-example1.apps.shift.nerc.mghpcc.org
      port:
        targetPort: http
      tls:
        insecureEdgeTerminationPolicy: Redirect
        termination: edge
      to:
        kind: Service
        name: external-ingress-demo-example1
The IngressController presents a TLS certificate generated by Let's Encrypt (and managed by cert-manager) for *.apps.shift.nerc.mghpcc.org. Any hostname in this domain can use edge encryption; routes using other domain names will need to provide custom TLS certificates.
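The label, host and certificate rules above can be checked before a Route is merged. This is an added example, not code from this repository: `check_route` and `covered_by_wildcard` are hypothetical names, the manifests are assumed to be already parsed into dictionaries, and the one-label wildcard rule is standard TLS hostname matching rather than something stated here.

```python
# Added example: pre-merge checks for Route manifests aimed at the external ingress.
LABEL = "nerc.mghpcc.org/external-ingress"
WILDCARD_BASE = "apps.shift.nerc.mghpcc.org"  # covered by the controller's *.<base> certificate

def covered_by_wildcard(host: str) -> bool:
    """A wildcard certificate matches exactly one extra left-most DNS label."""
    host = host.lower().rstrip(".")
    suffix = "." + WILDCARD_BASE
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left and "*" not in left

def check_route(route: dict) -> list:
    """Return a list of findings for one parsed Route manifest (empty means OK)."""
    findings = []
    labels = route.get("metadata", {}).get("labels") or {}
    spec = route.get("spec", {})
    tls = spec.get("tls") or {}
    host = spec.get("host") or ""

    if labels.get(LABEL) != "true":
        findings.append("label missing: route will not match the routeSelector")
    if not host or "." not in host:
        findings.append("spec.host must be an explicit fully qualified domain name")
    if not tls:
        findings.append("no tls block: route would be served over plain HTTP")
    else:
        if tls.get("insecureEdgeTerminationPolicy") == "Allow":
            findings.append("insecureEdgeTerminationPolicy Allow serves plain HTTP")
        needs_cert = tls.get("termination") == "edge" and not covered_by_wildcard(host)
        if host and needs_cert and not (tls.get("certificate") and tls.get("key")):
            findings.append("host outside wildcard certificate: supply tls.certificate and tls.key")
    return findings

# Constructed sample input: the route from the text, plus a variant on another domain.
DEMO = {
    "metadata": {"labels": {LABEL: "true"}, "name": "external-ingress-demo-example1"},
    "spec": {
        "host": "demo-example1.apps.shift.nerc.mghpcc.org",
        "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"},
    },
}
OTHER = {"metadata": {"labels": {}}, "spec": {"host": "demo.example.org", "tls": {"termination": "edge"}}}

if __name__ == "__main__":
    for name, route in (("DEMO", DEMO), ("OTHER", OTHER)):
        print(name, check_route(route) or "ok")
```

A host such as a.b.apps.shift.nerc.mghpcc.org is reported as needing its own certificate, because the wildcard covers only one label below apps.shift.nerc.mghpcc.org.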
The Ingress service is exposed on a public address by the MetalLB load balancer. The Ingress controller creates a service which we patch with (a) an annotation specifying the address pool from which it should allocate addresses and (b) a loadBalancerIP describing the specific address we want:

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        metallb.universe.tf/address-pool: public
        [...]
      name: router-external-apps
      namespace: openshift-ingress
    spec:
      [...]
      loadBalancerIP: 199.94.61.6
      type: LoadBalancer