Set up Open Shift with custom certificate
Use this installation path when you deploy on OpenShift and you want to provide a dedicated frontend TLS certificate for this application.
In Custom mode:
- You create a backend TLS secret for TLS re-encryption between the OpenShift router and the application pod.
- You create a frontend TLS secret that the router presents to external clients.
Before you begin
- Complete the common setup steps from Set up FlashSystem.ai container.
- Confirm the project name, application name, and the secret names that you will use.
- Ensure that your chosen hostname resolves to the Route endpoint.
- Project:
flashsystem-app - Application name:
flashsystem-app - Backend TLS secret:
flashsystem-app-tls - Frontend TLS secret:
my-custom-frontend-cert
Installing TLS certificates
-
- Create the backend TLS secret
- The backend certificate secures traffic between the OpenShift router and the application pod.
This traffic stays inside the cluster. A self-signed certificate is sufficient. Set the certificate
common name (CN) to the in-cluster service DNS
name:
Choose one method.<appName>-service.<project>.svc.cluster.local- Method 1: Use the helper script
- Run the script from the chart
directory.
If you do not provide values, the script uses these defaults:./scripts/create-backend-cert.sh [namespace] [secret-name] [appname]- Namespace (project):
flashsystem-app - Secret name:
flashsystem-app-tls - App name:
flashsystem-app
- Namespace (project):
- Method 2: Create the secret manually with OpenSS
-
- Create a self-signed certificate
-
NAMESPACE="flashsystem-app" APPNAME="flashsystem-app" openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout tls.key -out tls.crt \ -subj "/CN=${APPNAME}-service.${NAMESPACE}.svc.cluster.local" - Create the OpenShift TLS secret
-
oc create secret tls flashsystem-app-tls \ --key=tls.key \ --cert=tls.crt \ -n flashsystem-app - Optional: Verify that the secret exists
-
oc get secret flashsystem-app-tls -n flashsystem-app
-
- Create the frontend TLS secret
- The frontend certificate is presented to users who connect to the application. Choose one method.
- Method 1: Use a certificate from your certificate authority (CA)
- Create the secret from your existing key and certificate
files.
oc create secret tls my-custom-frontend-cert \ --key=frontend.key \ --cert=frontend.crt \ -n flashsystem-app - Method 2: Create a self-signed certificate (testing only)
- Create this certificate only for non-production testing. Use a CA-issued certificate in production.
- Create the certificate. Include your chosen DNS name in the CN and SAN.
-
APPLICATION_DNS_NAME="<APPLICATION_DNS_NAME>" openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout frontend.key -out frontend.crt \ -subj "/CN=${APPLICATION_DNS_NAME}" \ -addext "subjectAltName = DNS:${APPLICATION_DNS_NAME}" - Create the OpenShift TLS secret
-
oc create secret tls my-custom-frontend-cert \ --key=frontend.key \ --cert=frontend.crt \ -n flashsystem-app - Optional: Verify that the secret exists
-
oc get secret my-custom-frontend-cert -n flashsystem-app
-
- Configure values.yaml
- Edit
values.yamland set the following fields.
Replace <APPLICATION_DNS_NAME> with your DNS name.namespace: create: false name: "flashsystem-app" appName: "flashsystem-app" imagePullSecrets: - name: icr-io platform: openshift route: enabled: true hosts: - host: "<APPLICATION_DNS_NAME>" certificates: certManager: enabled: false frontend: mode: "custom" secretName: "my-custom-frontend-cert" backend: mode: "manual" secretName: "flashsystem-app-tls"
-
- Install the Helm chart
- Install the chart in the target
project
helm install flashsystem-app . -f values.yaml -n flashsystem-app
-
- Verify the deployment
-
- Confirm that the release is installed
-
helm list -n flashsystem-app - Confirm that the Route resource exists
-
oc get route -n flashsystem-app - Confirm that the pods are running
-
oc get pods -n flashsystem-app