
Secured Routes


In OpenShift, there are different types of routes in which you can expose your applications:

  • clear,
  • edge,
  • reencrypt, and
  • pass-through.

The clear route is insecure and doesn't require any certificates. The rest of the routes are encrypted at different levels and require certificates.

In this tutorial, you will learn how to create 3 types of routes for your applications (clear, edge and passthrough) and how creating each type of route differs.

Estimated Time

It will take you around 20 minutes to complete this tutorial.


Expose the Service

  • To view the service that you need to expose, use the following command:
$ oc get svc
NAME         TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)          AGE
helloworld   LoadBalancer   8080:31239/TCP   3h21m

Extract the SSL Cert Secret

Let's take a look at the secrets in openshift-ingress project. You will need a TLS secret that's generated for your cluster which is of type

$ oc get secrets -n openshift-ingress | grep
mycluster-roks46-2bef1f4b4097001da9502000c44fc2b2-0000                     2      21h
router-metrics-certs-default                                        2      21h

View the secret values in your command line. Notice that the key and certificate pair are saved in PEM-encoded files.

TLS_SECRET_NAME=<secret name from previous step>
# --to=- writes the secret's files to stdout instead of to disk
oc extract secret/$TLS_SECRET_NAME -n openshift-ingress --to=-


Create a directory named tmp and save the secret files in it. The later commands read them from ./tmp/tls.crt and ./tmp/tls.key.

$ mkdir tmp
$ oc extract secret/$TLS_SECRET_NAME -n openshift-ingress --to=./tmp
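
Before the extracted files are passed to `oc create route edge`, it is worth confirming that `tls.key` really belongs to `tls.crt` and that the certificate is not about to expire. The script below is an added example, not part of the original tutorial; `check_tls_pair` and `make_sample_pair` are hypothetical helper names, and the sample certificate and its hostname are constructed so the check runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): validate an extracted tls.crt/tls.key
# pair before handing it to `oc create route edge`.

# check_tls_pair DIR [MIN_SECONDS_VALID]
#   0 = key matches certificate and certificate is valid long enough
#   1 = key/certificate mismatch, 2 = file missing, 3 = expires too soon
check_tls_pair() {
  local dir="$1" min_valid="${2:-604800}" cert_fp key_fp   # default: 7 days
  if [ ! -r "$dir/tls.crt" ] || [ ! -r "$dir/tls.key" ]; then
    echo "tls.crt or tls.key missing in $dir" >&2; return 2
  fi
  # The extracted private key is plaintext on disk: restrict it to the owner.
  chmod 600 "$dir/tls.key"
  # Fingerprint the public key in the first (leaf) certificate and the one
  # derived from the private key; they must be identical.
  cert_fp=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey |
            openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$dir/tls.key" -pubout -outform DER 2>/dev/null |
           openssl dgst -sha256)
  if [ "$cert_fp" != "$key_fp" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi
  # -checkend exits non-zero if the certificate expires within the window.
  if ! openssl x509 -in "$dir/tls.crt" -noout -checkend "$min_valid" >/dev/null; then
    echo "certificate expires within ${min_valid}s" >&2; return 3
  fi
}

# make_sample_pair DIR DAYS: constructed self-signed pair so the check can be
# run offline; the hostname is a placeholder, not a value from the tutorial.
make_sample_pair() {
  mkdir -p "$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/tls.key" -out "$1/tls.crt" -days "$2" \
    -subj "/CN=helloworld.example.test" 2>/dev/null
}

# Demo on constructed data: a fresh 30-day pair passes the check.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" 30
check_tls_pair "$demo_dir" && echo "pair is consistent"
rm -rf "$demo_dir"
```

In the tutorial flow, call `check_tls_pair` on the directory that holds the extracted files and create the route only if it returns 0.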

Create Edge Route

  • Create the edge route using the following command
oc create route edge --service helloworld --key ./tmp/tls.key --cert ./tmp/tls.crt

Get the route using the following command:

$ oc get route helloworld
NAME         HOST/PORT                                                                                                              PATH   SERVICES     PORT    TERMINATION   WILDCARD
helloworld          helloworld   <all>   edge          None

Retrieve the created host for the Route and the NodePort of the helloworld service:

# Host name of the first route in the namespace
ROUTE=$(oc get routes -n $MY_NS -o json | jq -r '.items[0].spec.host')
echo $ROUTE

# NodePort of the helloworld service
NODE_PORT=$(oc get svc helloworld -n $MY_NS --output json | jq -r '.spec.ports[0].nodePort')

Send a request to the Route host for your Service:

$ curl -L -X POST "http://$ROUTE:$NODE_PORT/api/messages" -H 'Content-Type: application/json' -d '{ "sender": "world6" }'
{"id":"0c064241-5cb9-4267-883e-ed98bcdb4a3a","sender":"world6","message":"Hello world6 (direct)","host":null}

Create Golang Application

In this section, you will deploy a new application that you will use for both the passthrough and re-encrypt routes. You will then create a secret and mount it to a volume so you can create the routes.

Create the deployment config and service using the oc create command.

$ oc create -f created
service/golang-https created

Create TLS secret using the same secret you extracted earlier.

$ oc create secret tls mycert --cert ./tmp/tls.crt --key ./tmp/tls.key
secret/mycert created

Mount the secret to your volume.

$ oc set volume dc/golang-https --add -t secret -m /go/src/app/certs --name cert --secret-name mycert
volume updated

Create Passthrough Route

Create the passthrough route:

$ oc create route passthrough golang-https --service golang-https
created

Get the URL:

$ oc get route golang-https
NAME           HOST/PORT                                                                                                                PATH   SERVICES       PORT    TERMINATION   WILDCARD
golang-https          golang-https   <all>   passthrough   None

Access the application,


View the certificate,



You can learn more using the following resources:


Next, go to Network Policy.