readme.fr

Hot opensource news

Openshift 3 – Create my custom router/haproxy

The router in OpenShift 3 is a plain Docker image running HAProxy, and it can be customised. To learn how, we will add an ACL to the HAProxy configuration. The goal is to restrict the traffic going through the router by allowing only one specific source IP.

router

test.openshift.readme.fr is a simple app created in OpenShift 3. Client1 and client2 can both reach the app via the router.

Customise the router image

The first step is to get the HAProxy configuration template (haproxy-config.template) from the upstream OpenShift router image (ose-haproxy-router), and then make your changes to it.

# Dump the template from the upstream image (no -t: a pseudo-tty would turn
# every newline into CRLF in the redirected file)
docker run --rm --entrypoint=cat registry.access.redhat.com/openshift3/ose-haproxy-router:v3.1.0.4 haproxy-config.template > haproxy-config.template.modif

# Fix the permissions: read access is all the container needs
# (the original post used 777, which also makes the file world-writable)
chmod 644 haproxy-config.template.modif
get the haproxy-config.template config

Edit the template and add an ACL to both frontends so that only traffic from 192.168.100.7 (client1) is accepted. The check uses tcp-request connection, so it is applied to the TCP source address before any HTTP parsing: a client cannot bypass it with a forged header such as X-Forwarded-For, but if a load balancer sits in front of the router, the address seen here is the load balancer's, not the client's.

vim haproxy-config.template.modif

frontend public
...
  acl allowed_ip src 192.168.100.7
  tcp-request connection reject if !allowed_ip

frontend public_ssl
...
  acl allowed_ip src 192.168.100.7
  tcp-request connection reject if !allowed_ip
Add the ACL to the haproxy template
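Editing the template by hand works once, but the change is lost every time you rebuild from a newer upstream image. The script below is an added example (not code from the original post or from the OpenShift router project) that inserts the two ACL lines into both frontends of a copy of the template. It assumes the sections are named "frontend public" and "frontend public_ssl" as in the v3.1 template used here, and it generalises the single address above to a space-separated list of addresses or CIDR blocks, which HAProxy's src matcher accepts. The sample template embedded in the script is constructed for the example; it is not the real haproxy-config.template.

```shell
#!/bin/sh
# Added example, not part of the original post: insert the source-IP ACL into
# both router frontends of a copy of haproxy-config.template, so the change
# can be re-applied whenever the upstream template changes.
# Assumes the frontend sections are named "frontend public" and
# "frontend public_ssl" (as in the v3.1 template). The allow list may hold
# several addresses or CIDR blocks; haproxy's "src" accepts both.

# usage: inject_acl IN_TEMPLATE OUT_TEMPLATE "ADDR_OR_CIDR [ADDR_OR_CIDR ...]"
inject_acl() {
    in_tmpl="$1"
    out_tmpl="$2"
    allowed="$3"
    # print every line; right after a matching frontend header, add the two rules
    awk -v allowed="$allowed" '
        { print }
        /^frontend (public|public_ssl)[[:space:]]*$/ {
            print "  acl allowed_ip src " allowed
            print "  tcp-request connection reject if !allowed_ip"
        }
    ' "$in_tmpl" > "$out_tmpl"
}

# Constructed stand-in for the real template, with only the sections that matter here.
write_sample_template() {
    cat > "$1" <<'EOF'
global
  maxconn 20000

frontend public
  bind :80
  mode http
  default_backend openshift_default

frontend public_ssl
  bind :443
  mode tcp
  default_backend openshift_default

listen stats
  bind :1936
  mode http
EOF
}

# Number of reject rules in a template: 2 means both frontends are protected.
count_reject_rules() {
    grep -c 'tcp-request connection reject if !allowed_ip' "$1"
}

# Line that follows "listen stats": must still be the bind, i.e. the stats
# listener is left untouched by the injection.
line_after_stats() {
    awk '/^listen stats/ { getline; print; exit }' "$1"
}

# Run with --demo to print the patched sample template.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    write_sample_template "$work/haproxy-config.template"
    inject_acl "$work/haproxy-config.template" "$work/haproxy-config.template.modif" \
        "192.168.100.7 10.0.0.0/8"
    cat "$work/haproxy-config.template.modif"
    rm -rf "$work"
fi
```

Run it against the real template dumped from the image instead of the sample, then continue with docker cp as in the next step. Only the two public frontends are touched; the stats listener keeps its own access control.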

Let's build a new OpenShift router image from the upstream one and copy our new template into it.

# Start a container from the upstream image, then overwrite the original template with ours
ID=$(docker run -i -t -d registry.access.redhat.com/openshift3/ose-haproxy-router:v3.1.0.4)
docker cp haproxy-config.template.modif $ID:/var/lib/haproxy/conf/haproxy-config.template
Upload the config into the Docker image

To be able to push our custom image straight into the OSE registry, we need to commit the container as an image and tag it with the OSE registry service IP (if you are not on the same network, transfer it with docker save and docker load instead).

Get the OSE registry service IP

# The registry service lives in the default project; on newer releases the field is .spec.clusterIP
SVC_REGISTRY=$(oc get svc docker-registry -n default --template "{{ .spec.portalIP }}")
get the registry service IP

Commit the new image and tag it with the OSE registry service IP

# No explicit tag is given, so the image gets the default tag "latest"
docker commit $ID $SVC_REGISTRY:5000/openshift/ose-haproxy-routerv3.1.0.4_custom
docker commit the new image

Push the router image

The next step is to push the new image into the OSE registry. You need an account with enough rights to push into the target namespace. In our case we push into the openshift namespace with a dedicated admin user (rcip-admin).

rcip-admin is our internal admin account; this is how we gave it a role on the openshift namespace so that it can push into it. Note that the command below binds cluster-admin inside that namespace, which is more than a push needs: the namespace admin role (or system:image-builder) is enough.

# Grants every verb on the namespace's resources; the admin role would be enough to push
oc policy add-role-to-user cluster-admin rcip-admin -n openshift
add-role-to-user on the openshift namespace

Now get a token to log into the internal OSE registry

oc login -u rcip-admin
TOKEN=$(oc whoami -t)
get the user token

Log into the OSE registry

# -e is only accepted by older docker clients; the token passed with -p ends up in the
# shell history and is visible in the process list while the command runs
docker login -u rcip-admin -e mail@bla -p $TOKEN  $SVC_REGISTRY:5000
docker login into the OSE registry

Push the committed custom image

docker push $SVC_REGISTRY:5000/openshift/ose-haproxy-routerv3.1.0.4_custom
docker push the custom image

The custom router is uploaded; we can now create the router in OpenShift.

# oadm router does not replace a router that already exists: remove the old
# "router" deployment and service first, or give this one another --name
CA=/etc/origin/master
oadm router --default-cert=$CA/cloudapps.router.pem \
--credentials=$CA/openshift-router.kubeconfig \
--selector='region=infra'  --service-account=router \
--images="$SVC_REGISTRY:5000/openshift/ose-haproxy-routerv3.1.0.4_custom"
create the router in OpenShift


Testing time

Now test against the route of an app that is already deployed, test.openshift.readme.fr. We expect client1 to work and client2 to be refused.

[root@client1 ~]# curl test.openshift.readme.fr
<html><body>
<br />
<h1>Working !!!!</h1>
<p>
</body></html>
working test from client1

We can reach our application from client1.

[root@client2 ~]# curl test.openshift.readme.fr
curl: (56) Recv failure: Connection reset by peer
test rejected from client2

Client2 is correctly rejected by the custom router: the connection is dropped at the TCP level, before any HTTP response.

talset