Deploying FortiADC Kubernetes Controller in OpenShift
The OpenShift Container Platform (version 4.x) supports the FortiADC Kubernetes Controller for both Kubernetes Ingress and OpenShift Route objects.
When the service type is NodePort, the controller operates in the same way as it does in a standard Kubernetes environment, managing Ingress resources and synchronizing FortiADC configurations accordingly.
When the service type is ClusterIP, the controller monitors OpenShift Route objects and automatically applies the corresponding configuration updates on FortiADC.
OpenShift Routes
An OpenShift Route exposes an application at a public URL through a ClusterIP service.
The URL can be secured or unsecured depending on the TLS configuration defined in the Route specification.
The FortiADC Kubernetes Controller monitors Route creation, modification, and deletion events and translates these events into load-balancer configurations on FortiADC.
FortiADC Kubernetes Controller supports OpenShift Routes in two operational modes:
- VxLAN model – Supported in OpenShift versions 4.7 through 4.12. Uses Virtual Extensible LAN (VxLAN) encapsulation for overlay networking and dynamic Pod connectivity.
- Static Route model – Supported in OpenShift versions 4.13 through 4.19. Uses predefined static routes on FortiADC to reach Pod networks without overlay encapsulation.
Kubernetes Ingress can also be deployed in the OpenShift environment through the FortiADC Kubernetes Controller. Refer to the FortiADC Kubernetes Controller documentation for more details.
There are some limitations to what FortiADC Kubernetes Controller supports for OpenShift Routes:
Mapping of Route-related resources to FortiADC objects
| OpenShift Objects | FortiADC Objects |
|---|---|
| Routes | Virtual server, Content Routing, Scripting |
| Service | Real Server Pool |
| Endpoint/EndpointSlice | Real Server |
Supported Routes types
FortiADC supports both insecure and secured Routes.
For secured Routes, the FortiADC Kubernetes Controller currently supports only edge TLS termination with a custom certificate. The insecureEdgeTerminationPolicy field is also not supported.
Insecure Routes with path
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    name: fad-app
  name: fad-demo-app
  namespace: fadgw
  annotations: {
    "ingress-controller" : "fadc-ingress-controller",
    "fortiadc-ip" : "172.23.133.171",
    "fortiadc-login" : "fad-login",
    "fortiadc-vdom" : "root",
    "fortiadc-ctrl-log" : "enable",
    "virtual-server-ip" : "10.0.0.104",
    "virtual-server-interface" : "port2",
    "virtual-server-port" : "443",
    "load-balance-method" : "LB_METHOD_LEAST_CONNECTION",
    "load-balance-profile" : "LB_PROF_HTTPS"
  }
spec:
  host: testfad.com
  path: "/info"
  port:
    targetPort: 1234-tcp
  to:
    kind: Service
    name: fad-app
Insecure Routes without path
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    name: fad-app
  name: fad-demo-app
  namespace: fadgw
  annotations: {
    "ingress-controller" : "fadc-ingress-controller",
    "fortiadc-ip" : "172.23.133.171",
    "fortiadc-login" : "fad-login",
    "fortiadc-vdom" : "root",
    "fortiadc-ctrl-log" : "enable",
    "virtual-server-ip" : "10.0.0.104",
    "virtual-server-interface" : "port2",
    "virtual-server-port" : "443",
    "load-balance-method" : "LB_METHOD_LEAST_CONNECTION",
    "load-balance-profile" : "LB_PROF_HTTPS"
  }
spec:
  host: testfad.com
  port:
    targetPort: 1234-tcp
  to:
    kind: Service
    name: fad-app
Secured Routes
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    fortiadc-ctrl-log: enable
    fortiadc-ip: 172.23.133.171
    fortiadc-login: fad-login
    fortiadc-vdom: root
    ingress-controller: fadc-ingress-controller
    load-balance-method: LB_METHOD_LEAST_CONNECTION
    load-balance-profile: LB_PROF_HTTPS
    virtual-server-interface: port1
    virtual-server-ip: 172.23.133.182
    virtual-server-port: "443"
  labels:
    app: fad-app
  name: fad-demo-app
  namespace: fadgw
spec:
  host: testtlsroute.com
  port:
    targetPort: 1234-tcp
  tls:
    certificate: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: fad-app
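
The constraints under "Supported Routes types" can be checked before a Route is applied. The following is an added example, not part of the FortiADC Kubernetes Controller or its documentation: a pre-deployment check over Route objects in the JSON form that `oc get routes -o json` returns. The function names and the sample Routes are assumptions made for illustration, and any non-empty insecureEdgeTerminationPolicy value is treated as unsupported.

```python
# Added example: names here are illustrative, not part of the controller.
# The rules encode only what the "Supported Routes types" text states.

def check_route(route):
    """Return reasons a Route falls outside the supported Route types."""
    tls = (route.get("spec") or {}).get("tls")
    if not tls:
        return []  # insecure Route, with or without path: supported
    if tls.get("termination") != "edge":
        return ["termination is %r, only edge is supported" % tls.get("termination")]
    findings = []
    for field in ("certificate", "key"):
        if not (tls.get(field) or "").strip():
            findings.append("spec.tls.%s is empty, a custom certificate is required" % field)
    # Assumption: any non-empty value counts, since the field itself is unsupported.
    if tls.get("insecureEdgeTerminationPolicy"):
        findings.append("insecureEdgeTerminationPolicy is set, which is not supported")
    return findings

def check_routes(doc):
    """Accept a single Route or a List object (parsed `oc get routes -o json`)."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    report = {}
    for item in items:
        if item.get("kind") == "Route":
            meta = item.get("metadata") or {}
            report["%s/%s" % (meta.get("namespace"), meta.get("name"))] = check_route(item)
    return report

def make_route(name, tls=None):
    # Builds constructed sample Routes in the page's fadgw namespace.
    spec = {"host": name + ".example.test", "to": {"kind": "Service", "name": "fad-app"}}
    if tls is not None:
        spec["tls"] = tls
    return {"kind": "Route", "metadata": {"name": name, "namespace": "fadgw"}, "spec": spec}

# Constructed sample data; certificate and key values are placeholders.
SAMPLE = {"kind": "List", "items": [
    make_route("plain"),
    make_route("edge-ok", {"termination": "edge", "certificate": "PLACEHOLDER", "key": "PLACEHOLDER"}),
    make_route("passthrough", {"termination": "passthrough"}),
    make_route("edge-redirect", {"termination": "edge", "certificate": "PLACEHOLDER",
                                 "key": "PLACEHOLDER", "insecureEdgeTerminationPolicy": "Redirect"}),
]}

if __name__ == "__main__":
    for name, findings in check_routes(SAMPLE).items():
        print(name, "supported" if not findings else findings)
```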