Secure routes provide the ability to use several types of TLS termination to serve
certificates to the client. To expose a secure route to Presto server in watsonx.data™, use the reencrypt
route.
Attention: Use this procedure to expose a secure route to Presto server for watsonx.data v1.0.0 or v1.0.1. For watsonx.data v1.0.2, routes are automatically created for each Presto engine that is provisioned.
Note: Routes must be exposed only when you need to access the Presto engine from outside the OpenShift® cluster. Also, routes must be exposed for every new Presto engine that is provisioned, if a client from outside the OCP cluster needs to connect.
About this task
Complete the following steps to expose a secure route to Presto server in watsonx.data.
Procedure
- Log in to the OpenShift container.
  Use one of the following methods to establish a session to your OpenShift server.
  - Run the following command to log in to the cluster by providing a username and password:
    oc login \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
  - Run the following command to log in to the cluster by providing a token:
    oc login \
    --server=${OCP_URL} \
    --token=${OCP_TOKEN}
- Set up the PROJECT_CPD_INST_OPERANDS environment variable pointing to the namespace where watsonx.data is installed.
  export PROJECT_CPD_INST_OPERANDS=<wxd_namespace>
- Extract the self-signed TLS certificates.
  oc extract secret/ibm-lh-tls-secret --keys=tls.crt -n ${PROJECT_CPD_INST_OPERANDS}
  The self-signed cert is extracted to tls.crt.
- Identify the engine and service name that you want to expose:
  oc get wxdengine -n ${PROJECT_CPD_INST_OPERANDS} -o custom-columns='CR-NAME:metadata.name,ENGINE:spec.engineDisplayName,SERVICE:spec.engineUri' | sed 's/.'${PROJECT_CPD_INST_OPERANDS}'.svc.cluster.local//'
  Example:
  If you have two engines created for the Presto server:
  # oc get wxdengine -n ${PROJECT_CPD_INST_OPERANDS} -o custom-columns='CR-NAME:metadata.name,ENGINE:spec.engineDisplayName,SERVICE:spec.engineUri' | sed 's/.'${PROJECT_CPD_INST_OPERANDS}'.svc.cluster.local//'
  CR-NAME               ENGINE      SERVICE
  lakehouse-presto-01   presto-01   ibm-lh-lakehouse-presto-01-presto-svc
  lakehouse-presto314   jsizto-01   ibm-lh-lakehouse-presto314-presto-svc
- Set up the ENGINE_SVC_TO_EXPOSE environment variable pointing to the SERVICE name of the engine route you want to expose.
  export ENGINE_SVC_TO_EXPOSE=<SERVICE>
  Example:
  If you want to expose the secure route for engine presto-01, then set to this service:
  # export ENGINE_SVC_TO_EXPOSE=ibm-lh-lakehouse-presto-01-presto-svc
- Create a re-encrypt route to expose the engine.
  oc create route reencrypt \
  --service=${ENGINE_SVC_TO_EXPOSE} \
  --dest-ca-cert=tls.crt \
  --port 8443 -n ${PROJECT_CPD_INST_OPERANDS}
- Verify and record the new re-encrypt route.
  oc get route -n ${PROJECT_CPD_INST_OPERANDS} ${ENGINE_SVC_TO_EXPOSE}
  The secure route is under the HOST/PORT column.
  Example:
  In this example, the secure route name is:
  ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com
  # oc get route -n ${PROJECT_CPD_INST_OPERANDS} ${ENGINE_SVC_TO_EXPOSE}
  NAME                                    HOST/PORT                                                                         PATH   SERVICES                                PORT   TERMINATION   WILDCARD
  ibm-lh-lakehouse-presto-01-presto-svc   ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com          ibm-lh-lakehouse-presto-01-presto-svc   8443   reencrypt     None
- To connect with the exposed Presto server, use the exposed secure route name as the hostname and use port 443 as port number with this route.
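
The verification and connection steps above can be combined into one check. The following is an added example, not part of the original procedure: it reads `oc get route` table output and prints the host:443 endpoint only when the route's TERMINATION column is reencrypt. The helper name presto_route_endpoint is hypothetical, and the sample rows are constructed (the first mirrors the example output above, the second is an invented passthrough route).

```shell
#!/bin/sh
# Added example: confirm a route is reencrypt-terminated before handing
# its hostname to clients. Reads `oc get route` table output on stdin.
# presto_route_endpoint is a hypothetical helper name.
presto_route_endpoint() {
    route_name=$1
    awk -v name="$route_name" '
        $1 == "NAME" { next }          # skip the header row
        $1 == name {
            found = 1
            # PATH is normally empty, so whitespace splitting shifts the
            # columns. Count from the right instead: WILDCARD is last,
            # TERMINATION is second to last.
            term = $(NF - 1)
            sub(/\/.*/, "", term)      # drop a policy suffix such as /Redirect
            if (term != "reencrypt") {
                printf "route %s uses %s termination, expected reencrypt\n", name, term > "/dev/stderr"
                exit 2
            }
            print $2 ":443"            # HOST/PORT column plus the router port
            exit 0
        }
        END {
            if (!found) {
                printf "route %s not found\n", name > "/dev/stderr"
                exit 1
            }
        }
    '
}

# Constructed sample input in the shape of `oc get route` output.
SAMPLE_ROUTES='NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
ibm-lh-lakehouse-presto-01-presto-svc ibm-lh-lakehouse-presto-01-presto-svc-cpd-instance.apps.example.cp.fyre.ibm.com  ibm-lh-lakehouse-presto-01-presto-svc 8443 reencrypt None
demo-passthrough-svc demo.apps.example.com  demo-passthrough-svc 8443 passthrough None'

# Live use (requires an oc session):
#   oc get route -n ${PROJECT_CPD_INST_OPERANDS} ${ENGINE_SVC_TO_EXPOSE} \
#     | presto_route_endpoint "${ENGINE_SVC_TO_EXPOSE}"
```

The function exits with status 0 and prints the endpoint for a reencrypt route, status 2 for any other termination type, and status 1 when the route is not listed.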