You can use the steps in this article to generate certificates in Puppet Enterprise (PE) and configure OpenShift as a mutual TLS (mTLS) proxy that serves PE certificates to Comply, instead of using a NodePort. mTLS provides an encrypted, mutually authenticated connection between your nodes and Comply.
If you want to use NodePort instead, use the instructions in our documentation.
Version and installation information
Comply version: 2.x
Solution
When you set up passthrough termination with OpenShift, encrypted traffic is sent straight to the destination pod without the router terminating TLS, so the route itself needs no key or certificate.
- On the workstation with OpenShift access, create a Route resource by running the following, replacing the placeholder with your primary server hostname:

  oc create route passthrough comply-pe-endpoint --service=mtls-proxy --port=8080 --hostname <ROUTE HOSTNAME>

  For example:

  oc create route passthrough comply-pe-endpoint --service=mtls-proxy --port=8080 --hostname www.route.example.com

- To complete the configuration, follow the steps to configure Comply TLS certificates for a custom NGINX ingress, and under "Where should we host the container registry endpoint" check the "Use an Ingress with a hostname" box.
  Note: Leave the field under "SSL Passthrough Annotation" blank so that the defaults are used and the Ingress resource that was created is ignored.
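The following shell script is an added example, not part of the original article and not Puppet's or Red Hat's own tooling. It wraps the first step above and adds the two checks a practitioner would want afterwards: that the Route was really created with passthrough termination (otherwise the router would terminate TLS with its own certificate and the PE certificate would never reach the client), and that the route hostname presents a certificate chaining to the PE CA. It assumes `oc` is logged in to the project that holds the mtls-proxy Service, that `openssl` is installed, and that the PE CA certificate is available as a PEM file; the `/path/to/pe-ca.pem` default is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): create the passthrough Route
# for the Comply mTLS proxy and verify that TLS really passes through to PE.
# Assumptions: `oc` is logged in to the right project, the mtls-proxy Service
# exists, and the PE CA certificate is in a PEM file (placeholder path below).
set -eu

ROUTE_NAME="comply-pe-endpoint"
SERVICE_NAME="mtls-proxy"
SERVICE_PORT="8080"

# Print the `oc create route passthrough` command for a hostname, so it can be
# reviewed (and tested) before it is executed.
route_cmd() {
  printf 'oc create route passthrough %s --service=%s --port=%s --hostname %s\n' \
    "$ROUTE_NAME" "$SERVICE_NAME" "$SERVICE_PORT" "$1"
}

# The route host is what clients verify against the PE certificate's SAN, so
# reject empty, single-label or malformed values before touching the cluster.
valid_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Given the value of .spec.tls.termination from the created Route, succeed only
# for "passthrough". "edge" or "reencrypt" would mean the router terminates TLS
# with its own certificate, defeating mTLS between the nodes and PE.
termination_is_passthrough() {
  [ "$1" = "passthrough" ]
}

main() {
  hostname="${1:-}"
  ca_file="${2:-/path/to/pe-ca.pem}"   # placeholder: path to the PE CA PEM
  valid_hostname "$hostname" || { echo "usage: $0 <ROUTE HOSTNAME> [PE_CA_PEM]" >&2; return 2; }
  command -v oc >/dev/null || { echo "oc not found" >&2; return 1; }

  # Step 1 from the article.
  eval "$(route_cmd "$hostname")"

  # Check 1: the Route object must say passthrough.
  term="$(oc get route "$ROUTE_NAME" -o jsonpath='{.spec.tls.termination}')"
  termination_is_passthrough "$term" || {
    echo "route termination is '$term', expected passthrough" >&2; return 1; }

  # Check 2: the certificate served on the hostname must chain to the PE CA.
  # Passthrough routes are selected by SNI, so -servername is mandatory.
  out="$(openssl s_client -connect "${hostname}:443" -servername "$hostname" \
          -CAfile "$ca_file" </dev/null 2>/dev/null)"
  printf '%s\n' "$out" | grep -E '^(subject|issuer)=|Verify return code'
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || {
    echo "certificate on $hostname does not verify against $ca_file" >&2; return 1; }
}

# Only run the live checks when a hostname is given on the command line.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as `sh check-route.sh www.route.example.com /path/to/pe-ca.pem`. A passing run proves only the server side of the mTLS exchange (the PE certificate reaches the client untouched); the client certificate Comply presents is configured in the second step above.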