Customizing the Platform UI (Zen) route

The ZenService CR spec contains a few parameters that control the Zen route. This document describes what those parameters are and how to set them. At any time before or after installation, you can modify the ZenService CR to trigger a Zen operator reconcile, so that the route can be changed even after installation.

The Zen route can be configured to be either reencrypt or passthrough. Customization depends heavily on which route type is chosen. See the customization instructions in the following sections based on the route type.

Reencrypt

When the Zen route is set to reencrypt, a TLS connection that is established from a client terminates at the OpenShift router. A second TLS connection is established from the router to the ibm-nginx pods. It is this second hop that requires packets to be “reencrypted”, which is where this routing type gets its name.

The following parameters show what must be set in the ZenService CR to configure a reencrypt route. After changing the values in the ZenService CR, in order for them to take effect, a full Zen operator reconcile will take place. To know whether the reconcile is complete, check the Status→ Progress field in the ZenService CR object. The Status→ Progress value will show as 100% after reconcile is complete.

zenDefaultIngressReencrypt: true
zenCustomRoute:
  route_host: <hostname> # OPTIONAL
  route_reencrypt: true
  route_secret: anything-but-external-tls-secret

The ZenService CR parameters relevant to a reencrypt connection are defined as follows:

Important: Key names for route_secret must use tls.crt, tls.key, and ca.crt. If any other names are used (for example, cert.crt, cert.key), the route does not apply the values. If any of the three values of tls.crt, tls.key or ca.crt are missing, the ibm-zen-operator ignores the secret, use the default ingress-controller certificate, and issue a WARNING.

Example create secret command:

oc create secret generic cpd-tls-secret --n ${PROJECT_CPD_INSTANCE}
--from-file=ca.crt=./<ca-certificate-file-name>
--from-file=tls.crt=./<tls-certificate-file-name>
--from-file=tls.key=./<tls-key-file-name>

Rotating the reencrypt certificate:

To rotate the Certificate that is used in a reencrypt route, the easiest way to force a reconcile of the Zen operator to accept the new Certificate is to create a new route_secret and update that in the ZenService CR. The updated ZenService CR triggers a Zen operator reconcile, which updates the route.

If the same secret is reused after the data values have been updated, there would be no noticeable change to the ZenService CR spec, which means that the Zen operator will not know to reconcile. If the same secret is being used, the Zen operator can still be triggered to reconcile by making changes to the ZenService CR for reconciliation.

For examples:

  1. Create a reencrypt route with a custom hostname.

    spec:
    zenCustomRoute:
      route_host: cloudpak.mycompany.com
      route_reencrypt: true
      route_secret: cpd-tls-secret
    
  2. Create a reencrypt route with a custom hostname, but accepting the default Ingress Controller certificate (that is, no custom route Certificate provided). This will only work if the Ingress Controller certificate has already been setup to protect the “cloudpak.mycompany.com” domain.

    spec:
    zenCustomRoute:
      route_host: cloudpak.mycompany.com
      route_reencrypt: true
    

Passthrough

The following parameters show what must be set in the ZenService CR to configure a passthrough route. After changing the values in the ZenService CR, in order for them to take effect, a full Zen operator reconcile will take place. To know whether the reconcile is complete, check the Status→ Progress field in the ZenService CR object. The Status→ Progress value will show as 100% after reconcile is complete.

spec:
  zenDefaultIngressReencrypt: false
  zenCustomRoute:
     route_host: <hostname> # OPTIONAL
     route_reencrypt: false

When the Zen route is set to passthrough, the Certificate presented to clients come from a secret named external-tls-secret, which is a hardcoded secret name that is known to the ibm-nginx pods.

The ZenService CR parameters relevant to a passthrough connection are defined as follows:

external-tls-secret

Example create external-tls-secret command:

oc create secret generic external-tls-secret --n ${PROJECT_CPD_INSTANCE}
--from-file=cert.crt=./<ca-certificate-file-name>
--from-file=cert.key=./<tls-certificate-file-name>

Rotating the passthrough Certificate

To rotate the Certificate used in a passthrough route, you must manually update the external-tls-secret. Then restart the ibm-nginx pods by running the following command:

oc delete pods -l=component=ibm-nginx

For examples:

Create a passthrough route with the custom hostname cloudpak.mycompany.com (where cloudpak.mycompany.com should be the domain that is protected by the cert.crt inside external-tls-secret).

Note: When configuring for a passthrough route you must also set another spec value that is named, zenDefaultIngressReencrypt to false.

spec:
  zenDefaultIngressReencrypt: false
  zenCustomRoute:
     route_host: cloudpak.mycompany.com
     route_reencrypt: false