-
Notifications
You must be signed in to change notification settings - Fork 914
docs(openshift): expand OpenShift guide into multi-page section with TLS, OIDC, and ingress #2094
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
akram
wants to merge
4
commits into
NVIDIA:main
Choose a base branch
from
akram:docs/openshift-oidc-keycloak
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+608
−95
Open
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
a1d09a9
docs(openshift): expand OpenShift guide into multi-page section
akram f7b8b15
docs(openshift): remove unnecessary AWS ELB note from gateway-connection
akram 28caa39
docs(openshift): clarify identity federation as optional
akram 2090fb7
docs: move Keycloak setup to generic access-control page
akram File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,172 @@ | ||
| --- | ||
| # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| title: "Gateway Connection" | ||
| sidebar-title: "Gateway Connection" | ||
| slug: "kubernetes/openshift/gateway-connection" | ||
| description: "Connect the OpenShell CLI to a gateway running on OpenShift using port forwarding, a reencrypt Route, or the Kubernetes Gateway API." | ||
| keywords: "Generative AI, Cybersecurity, Kubernetes, OpenShift, Route, Gateway API, Istio, gRPC, Ingress, CLI" | ||
| position: 2 | ||
| --- | ||
|
|
||
| After the gateway is installed, register it with the CLI so you can create and manage sandboxes. The gateway is only reachable inside the cluster by default. How you connect depends on whether you need local-only access or external access for your team. | ||
|
|
||
| | Method | Use case | | ||
| |---|---| | ||
| | [Port forward](#local-access) | Local evaluation from your workstation | | ||
| | [Route](#remote-access-with-routes) | Shared or production access using OpenShift-native routing | | ||
| | [Gateway API](#remote-access-with-gateway-api) | Shared or production access using the standard Kubernetes Gateway API | | ||
|
|
||
| ## Local access | ||
|
|
||
| For quick evaluation, forward the gateway port to your workstation: | ||
|
|
||
| ```shell | ||
| oc -n openshell port-forward svc/openshell 8080:8080 | ||
| ``` | ||
|
|
||
| Register the gateway with the CLI: | ||
|
|
||
| ```shell | ||
| openshell gateway add http://127.0.0.1:8080 --local --name openshift | ||
| openshell status | ||
| ``` | ||
|
|
||
| ## Remote access | ||
|
|
||
| In shared and production environments, the gateway is exposed externally so that team members and CI systems can connect from outside the cluster. On OpenShift, there are two options: native Routes or the Kubernetes Gateway API. | ||
|
|
||
| The gateway multiplexes gRPC and HTTP on a single port. Both options must preserve HTTP/2 for gRPC to work. | ||
|
|
||
| ### Remote access with Routes | ||
|
|
||
| OpenShift Routes are the simplest way to expose the gateway externally. However, not all route types support gRPC: | ||
|
|
||
| | Route type | gRPC support | Issue | | ||
| |---|---|---| | ||
| | Edge | Broken | Terminates TLS and forces HTTP/1.1 to the backend, which drops gRPC frames. | | ||
| | Passthrough | Broken | Preserves HTTP/2 but exposes the gateway's mTLS client certificate requirement to browsers, causing `ERR_BAD_SSL_CLIENT_AUTH_CERT`. | | ||
| | **Reencrypt** | **Works** | Terminates external TLS at the router, re-establishes TLS to the backend, and supports HTTP/2 with the `backend-protocol=h2` annotation. | | ||
|
|
||
| Create a reencrypt route using the gateway's CA certificate for the backend TLS connection: | ||
|
|
||
| ```shell | ||
| DEST_CA=$(oc get secret openshell-server-tls -n openshell \ | ||
| -o jsonpath='{.data.ca\.crt}' | base64 -d) | ||
|
|
||
| oc create route reencrypt openshell \ | ||
| --service=openshell --port=8080 \ | ||
| --dest-ca-cert=<(echo "$DEST_CA") \ | ||
| -n openshell | ||
|
|
||
| oc annotate route openshell -n openshell \ | ||
| haproxy.router.openshift.io/backend-protocol=h2 --overwrite | ||
| ``` | ||
|
|
||
| Register the gateway with the CLI using the route hostname: | ||
|
|
||
| ```shell | ||
| oc get route openshell -n openshell -o jsonpath='{.spec.host}' | ||
| openshell gateway add https://<route-hostname> --gateway-insecure --name openshift | ||
| ``` | ||
|
|
||
| ### Remote access with Gateway API | ||
|
|
||
| The Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io) provides native gRPC routing via `GRPCRoute` resources, without needing HTTP/2 annotations. | ||
|
|
||
| On OpenShift, the Ingress Operator manages Gateway API CRDs. The standard [Envoy Gateway](/kubernetes/ingress) cannot be installed because the Ingress Operator rejects third-party CRD installations. Instead, use the Istio-based Gateway controller that OpenShift provides. | ||
|
|
||
| <Steps> | ||
|
|
||
| ## Identify the GatewayClass | ||
|
|
||
| ```shell | ||
| oc get gatewayclass | ||
| ``` | ||
|
|
||
| Look for a class with an Istio-based controller (e.g. `istio` or `data-science-gateway-class`). The class must show `ACCEPTED: True`. | ||
|
|
||
| ## Create the Gateway and GRPCRoute | ||
|
|
||
| ```shell | ||
| kubectl apply -f - <<'EOF' | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: Gateway | ||
| metadata: | ||
| name: openshell-gateway | ||
| namespace: openshell | ||
| spec: | ||
| gatewayClassName: istio | ||
| listeners: | ||
| - name: grpc | ||
| protocol: HTTPS | ||
| port: 443 | ||
| tls: | ||
| mode: Terminate | ||
| certificateRefs: | ||
| - name: openshell-server-tls | ||
| kind: Secret | ||
| allowedRoutes: | ||
| namespaces: | ||
| from: Same | ||
| --- | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: GRPCRoute | ||
| metadata: | ||
| name: openshell | ||
| namespace: openshell | ||
| spec: | ||
| parentRefs: | ||
| - name: openshell-gateway | ||
| namespace: openshell | ||
| rules: | ||
| - backendRefs: | ||
| - name: openshell | ||
| port: 8080 | ||
| EOF | ||
| ``` | ||
|
|
||
| ## Configure TLS to the backend | ||
|
|
||
| The Istio envoy proxy terminates external TLS at the Gateway, then connects to the backend in plaintext by default. Since the OpenShell gateway expects TLS, create a `DestinationRule` for TLS origination: | ||
|
|
||
| ```shell | ||
| kubectl apply -f - <<'EOF' | ||
| apiVersion: networking.istio.io/v1 | ||
| kind: DestinationRule | ||
| metadata: | ||
| name: openshell-tls-origination | ||
| namespace: openshell | ||
| spec: | ||
| host: openshell.openshell.svc.cluster.local | ||
| trafficPolicy: | ||
| tls: | ||
| mode: SIMPLE | ||
| insecureSkipVerify: true | ||
| EOF | ||
| ``` | ||
|
|
||
| ## Get the external address | ||
|
|
||
| The Gateway controller creates a LoadBalancer service. Wait for the external address: | ||
|
|
||
| ```shell | ||
| oc get gateway openshell-gateway -n openshell \ | ||
| -o jsonpath='{.status.addresses[0].value}' | ||
| ``` | ||
|
|
||
| <Note> | ||
| AWS ELB DNS names can take 1-2 minutes to propagate after creation. | ||
| </Note> | ||
|
|
||
| ## Register the gateway | ||
|
|
||
| ```shell | ||
| openshell gateway add https://<external-address> --gateway-insecure --name openshift | ||
| ``` | ||
|
|
||
| </Steps> | ||
|
|
||
| ## Next steps | ||
|
|
||
| - [OIDC with Keycloak](/kubernetes/openshift/oidc-keycloak) — add `--oidc-issuer` to the `gateway add` command for authenticated access. | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.