diff --git a/install_config/router/default_haproxy_router.adoc b/install_config/router/default_haproxy_router.adoc index e3dd9ba63b3c..ab3e5a253b5a 100644 --- a/install_config/router/default_haproxy_router.adoc +++ b/install_config/router/default_haproxy_router.adoc @@ -204,7 +204,7 @@ endif::[] During xref:../../install_config/install/advanced_install.adoc#install-config-install-advanced-install[advanced installation], -the `*openshift_hosted_router_selector*` and `*openshift_registry_selector*` +the `*openshift_router_selector*` and `*openshift_registry_selector*` Ansible settings are set to *region=infra* by default. The default router and registry will only be automatically deployed if a node exists that matches the *region=infra* label. 
@@ -446,43 +446,43 @@ corresponding to the `router=first` label. xref:../../architecture/networking/routes.html#router-sharding[_Router sharding_] uses xref:../../architecture/networking/routes.adoc#env-variables[`NAMESPACE_LABELS`] -and -xref:../../architecture/networking/routes.adoc#env-variables[`ROUTE_LABELS`], +and +xref:../../architecture/networking/routes.adoc#env-variables[`ROUTE_LABELS`], to filter router namespaces and routes. This enables you to partition routes amongst multiple router deployments effectively distributing the set of routes. -By default, a router selects all routes from all xref:../../architecture/core_concepts/projects_and_users.adoc#projects[projects (namespaces)]. -Sharding adds labels to routes and -each router shard selects routes with specific labels. +By default, a router selects all routes from all xref:../../architecture/core_concepts/projects_and_users.adoc#projects[projects (namespaces)]. +Sharding adds labels to routes and +each router shard selects routes with specific labels. [NOTE] ==== -The router service account -must have the [`cluster reader`] permission set to allow access to labels in other namespaces. +The router service account +must have the [`cluster reader`] permission set to allow access to labels in other namespaces. ==== *Router Sharding and DNS* -Because an external DNS server is needed to route requests to the desired shard, -the administrator is responsible for making a separate DNS entry -for each router in a project. A router will not forward unknown routes to another router. +Because an external DNS server is needed to route requests to the desired shard, +the administrator is responsible for making a separate DNS entry +for each router in a project. A router will not forward unknown routes to another router. -For example: +For example: -* If Router A lives on host 192.168.0.5 and has routes with `*.foo.com`. 
-* And Router B lives on host 192.168.1.9 and has routes with `*.example.com.` +* If Router A lives on host 192.168.0.5 and has routes with `*.foo.com`. +* And Router B lives on host 192.168.1.9 and has routes with `*.example.com.` Separate DNS entries must resolve `\*.foo.com` to the node hosting Router A and `*.example.com` to the node hosting Router B: -* `*.foo.com A IN 192.168.0.5` +* `*.foo.com A IN 192.168.0.5` * `*.example.com A IN 192.168.1.9` *Router Sharding Examples* -This section describes router sharding using xref:using-router-shards-namespace[project (namespace) labels] -or xref:using-router-shards-names[project (namespace) names]. +This section describes router sharding using xref:using-router-shards-namespace[project (namespace) labels] +or xref:using-router-shards-names[project (namespace) names]. [[using-router-shards-namespace]] .Router Sharding Based on Namespace Labels @@ -985,19 +985,19 @@ _a.cloudapps.example.com_ but not for _a.b.cloudapps.example.com_. To manually redeploy the router certificates: -. Check to see if a secret containing the default router certificate was added to the router: +. Check to see if a secret containing the default router certificate was added to the router: + ---- -$ oc volumes dc/router +$ oc volumes dc/router deploymentconfigs/router secret/router-certs as server-certificate mounted at /etc/pki/tls/private ---- + -If the certificate is added, skip the following step and overwrite the secret. +If the certificate is added, skip the following step and overwrite the secret. -. Make sure that you have a default certificate directory set for the following variable `DEFAULT_CERTIFICATE_DIR`: +. Make sure that you have a default certificate directory set for the following variable `DEFAULT_CERTIFICATE_DIR`: + ---- $ oc env dc/router --list 
@@ -1005,7 +1005,7 @@ $ oc env dc/router --list DEFAULT_CERTIFICATE_DIR=/etc/pki/tls/private ---- + -If not, create the directory using the following command: +If not, create the directory using the following command: + ---- $ oc env dc/router DEFAULT_CERTIFICATE_DIR=/etc/pki/tls/private @@ -1014,28 +1014,28 @@ $ oc env dc/router DEFAULT_CERTIFICATE_DIR=/etc/pki/tls/private . Export the certificate to PEM format: + ---- -$ cat custom-router.crt custom-ca.crt > custom-router.pem +$ cat custom-router.crt custom-ca.crt > custom-router.pem ---- -. Overwrite or create a router certificate secret: +. Overwrite or create a router certificate secret: + -If the certificate secret was added to the router, overwrite the secret. If not, create a new secret. +If the certificate secret was added to the router, overwrite the secret. If not, create a new secret. + To overwrite the secret, run the following command: + ----- +---- $ oc secrets new router-certs tls.crt=custom-router.crt tls.key=custom-router.key -o json --type='kubernetes.io/tls' --confirm | oc replace -f - ---- + To create a new secret, run the following commands: + ----- +---- $ oc secrets new router-certs tls.crt=custom-router.crt tls.key=custom-router.key --type='kubernetes.io/tls' --confirm $ oc volume dc/router --add --mount-path=/etc/pki/tls/private --secret-name='router-certs' --name router-certs ---- -. Deploy the router. +. Deploy the router. + ---- $ oc deploy router --latest
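Review bot: the rename to `openshift_router_selector` in the hunk at line 204 is the one change to a user-facing setting in this patch, and it arrives among whitespace-only edits with nothing stating which installer release reads the unprefixed name. Please confirm the name against the inventory variables the installer for this branch actually consumes. The paragraph says the router is only deployed automatically when a node matches the selector, so a reader who sets a name the installer ignores gets the *region=infra* default without any error. Splitting the rename from the whitespace cleanup would also make it easier to backport or revert.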
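Review bot: the DNS example records in the hunk at line 446 put the record type before the class (`*.foo.com A IN 192.168.0.5`, `*.example.com A IN 192.168.1.9`); zone-file syntax places the class first, so they should read `*.foo.com IN A 192.168.0.5` and `*.example.com IN A 192.168.1.9`. Since these lines are already being touched, three more inconsistencies are worth fixing in the same hunk: the trailing period inside the backticks in `*.example.com.`, the backslash in `\*.foo.com` where the neighbouring wildcard names have none, and the first xref, which targets `routes.html` while the other two use `routes.adoc`. The NOTE also renders the role as [`cluster reader`] in brackets; writing it as the role name the reader has to grant to the router service account would remove the guesswork.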
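Review bot: in the hunk at line 985, "If the certificate is added, skip the following step and overwrite the secret" is ambiguous about where the reader resumes. The following step is the `DEFAULT_CERTIFICATE_DIR` check, but the overwrite happens two steps later, after the PEM step. Suggest naming the step to jump to and saying whether the PEM step still applies on that path. This hunk also uses `oc volumes dc/router` while the later create-secret step uses `oc volume dc/router`; pick one spelling for both.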
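Review bot: "If not, create the directory using the following command:" in the hunk at line 1005 does not match the command beneath it. `oc env dc/router DEFAULT_CERTIFICATE_DIR=/etc/pki/tls/private` sets an environment variable on the deployment config and creates no directory. Suggest "If not, set the variable using the following command:", so a reader does not assume the path now exists in the container before the secret volume is mounted there.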
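Review bot: in the hunk at line 1014, the step "Export the certificate to PEM format" builds `custom-router.pem` from `custom-router.crt` and `custom-ca.crt`, but neither `oc secrets new` command uses that file. Both pass `tls.crt=custom-router.crt`, so the CA certificate never reaches the secret. Either pass `tls.crt=custom-router.pem` in both commands or drop the step, and describe it as concatenating the certificate and CA rather than exporting, since `cat` performs no format conversion. The fence correction from `-----` to `----` looks right.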