OpenShift TLS Configuration: Securing Routes, Services, and Certificates

TLS (Transport Layer Security) in OpenShift protects applications, APIs, and internal services from interception and tampering. Correct configuration is not optional; it is a baseline requirement for secure deployments.

Enable TLS for Routes
OpenShift supports edge, passthrough, and re-encrypt termination types.

  • Edge: TLS terminates at the router, which presents the route's own certificate; traffic from the router to the pod is plaintext.
  • Passthrough: the router does not terminate TLS; it forwards the encrypted stream directly to the backend pod, which holds the certificate and key.
  • Re-encrypt: TLS terminates at the router, and the router opens a new TLS connection to the pod using the backend's own certificate.

Use oc create route to create a route or oc patch to edit an existing one, setting tls.termination to the type you need. For re-encrypt, set tls.destinationCACertificate to the CA that signed the backend certificate so the router validates the pod's certificate rather than accepting any certificate.

Configure Service Serving Certificates
To secure internal service-to-service traffic, enable service serving certificates. Annotate your service with service.alpha.openshift.io/serving-cert-secret-name to have the cluster's service CA issue a certificate for the service's internal DNS name and store it in a secret of that name. Mount this secret in pods and configure your app to serve TLS on its internal port with the mounted certificate and key.
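The re-encrypt route and the serving-certificate annotation described above, combined into one manifest set as an added example (not from the original page): the Service requests a serving certificate, the Deployment mounts the resulting secret, and the Route re-encrypts to the pod and validates it against the service CA. The names my-api, the image, the hostname and the CA PEM are placeholders.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-api
  annotations:
    # service CA issues a cert for my-api.<namespace>.svc into secret my-api-tls
    service.alpha.openshift.io/serving-cert-secret-name: my-api-tls
spec:
  selector: {app: my-api}
  ports:
    - {name: https, port: 8443, targetPort: 8443}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-api
spec:
  selector:
    matchLabels: {app: my-api}
  template:
    metadata:
      labels: {app: my-api}
    spec:
      containers:
        - name: api
          image: registry.example.com/my-api:1.0   # placeholder image
          ports: [{containerPort: 8443}]
          volumeMounts:
            # app serves TLS on 8443 using /etc/tls/tls.crt and /etc/tls/tls.key
            - {name: tls, mountPath: /etc/tls, readOnly: true}
      volumes:
        - name: tls
          secret: {secretName: my-api-tls}
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: my-api
spec:
  host: my-api.apps.example.com        # placeholder hostname
  to: {kind: Service, name: my-api}
  port: {targetPort: https}
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect   # plain HTTP is redirected, never served
    # CA that signed the backend cert (the cluster's service CA), so the router
    # rejects a pod presenting any other certificate
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      <service CA PEM placeholder>
      -----END CERTIFICATE-----
```

Check the result from outside the cluster with openssl s_client against the route host, and from inside by connecting to my-api.<namespace>.svc:8443 with the service CA as the trust anchor; both connections should verify without warnings.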

Cluster-Level TLS Settings
Under network.operator.openshift.io you can define routerTLS profiles. Adjust ciphers, minimum protocol versions, and certificate authorities to meet compliance requirements. Avoid outdated ciphers like TLS_RSA_WITH_3DES_EDE_CBC_SHA. Favor TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or stronger.

Replace Default Certificates
Default router certificates are for testing. For production, use oc secrets link router ... with a custom cert key pair signed by a trusted CA. This ensures that public-facing endpoints pass browser and client validation without warnings.

Automate Certificate Renewal
Integrate with ACME services like Let’s Encrypt or corporate PKI. Use cert-manager or custom scripts with oc commands to replace expiring certs before downtime hits. Continuous renewal is part of TLS hygiene.

OpenShift TLS configuration is simple in command but critical in result: it seals every packet with trust. Build it once, verify it, and keep it tight.

See how you can configure secure routes, internal services, and certificates in minutes—run it live at hoop.dev and watch it work.