Hot opensource news

Openshift 3 – Create my custom router/haproxy

Router in openshift is a simple docker haproxy image and can be customised. In order to learn how customise the router, we will add an ACL into haproxy config. The goal is to restrict the traffic through the router by allowing only a specific source ip.

router is a simple app created in openshift3. Client1 and client2 can access to the app via the router.

Customise the router image

Firt step is to get the haproxy configuration template (haproxy-config.template) from the openshift router upstream image (ose-haproxy-router). And then perform your changes.

docker run --rm --interactive=true --tty --entrypoint=cat haproxy-config.template > haproxy-config.template.modif

#Fix the right mod
chmod 777 haproxy-config.template.modif
get the haproxy-config.template config

Edit the template and add ACL to allow only taffic from (client1)

 vim haproxy-config.template.modif

frontend public
acl allowed_ip src
tcp-request connection reject if !allowed_ip

frontend public_ssl
acl allowed_ip src
tcp-request connection reject if !allowed_ip
Add acl into haproxy template

Lets do a new openshift router image from the upstream one and copy our new template inside.

ID=$(docker run -i -t -d
docker cp haproxy-config.template.modif $ID:/var/lib/haproxy/conf/haproxy-config.template
Upload config into docker image

To be able to push our custom image directly into the ose registry, we need to commit our image and apply a tag with the ose registry service ip (if you are not in the same network, you should use docker save and docker import)

Get the ose registry service ip

SVC_REGISTRY=$(oc get svc docker-registry --template "{{ .spec.portalIP }}")
get registry service ip

Commit the new image and tag with the ose registry service ip

docker commit $ID $SVC_REGISTRY:5000/openshift/ose-haproxy-routerv3.1.0.4_custom
docker commit new image

Push the router image

Next step is push the new image into the ose registry. You need an account with enough right to push into our wanted namespace. In our case we will push into the openshift namspace with a specific admin user (rcip-admin)

rcip-admin is our internal admin account, this is how we set the role admin on the openshift namespace to be able to push into it.

oc policy add-role-to-user cluster-admin rcip-admin -n openshift
add-role-to-user on openshift namespace

Now get the token to be able to log into the internal ose registry

oc login -u rcip-admin
TOKEN=$(oc whoami -t)
get the user token

Log into openshift OSE registry

docker login -u rcip-admin -e mail@bla -p $TOKEN  $SVC_REGISTRY:5000
docker login into ose registry

Push the custom commited image

docker push $SVC_REGISTRY:5000/openshift/ose-haproxy-routerv3.1.0.4_custom
docker push custom image

The custom router is uploaded, we can try to create the router in openshift

oadm router --default-cert=$CA/cloudapps.router.pem \
--credentials=$CA/openshift-router.kubeconfig \
--selector='region=infra'  --service-account=router \
create the router in openshift


Testing time

Ok, test to access on an already deployed app route. We expect client1 works and client2 sould be refused.

[root@client1 ~]# curl
<br />
<h1>Working !!!!</h1>
working test from client1

We are able to get our application from client1

[root@client2 ~]# curl
curl: (56) Recv failure: Connexion ré-initialisée par le correspondant
test rejected from client2

Client2 is correctly rejected by the custom router

talset on Githubtalset on Linkedin

, , ,

Leave a Reply

Your email address will not be published. Required fields are marked *