Self-signed cert for re-encrypt termination route #71

Merged
merged 2 commits into from
Jul 1, 2024

Conversation

rsevilla87
Member

@rsevilla87 rsevilla87 commented Jul 1, 2024

Type of change

  • Refactor
  • New feature
  • Bug fix
  • Optimization
  • Documentation Update

Description

Re-encrypt routes need to expose a certificate different from the default one to work with HTTP/2.
Reference: https://docs.openshift.com/container-platform/4.16/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress

To enable the use of HTTP/2 for the connection from the client to HAProxy, a route must specify a custom certificate. A route that uses the default certificate cannot use HTTP/2. This restriction is necessary to avoid problems from connection coalescing, where the client re-uses a connection for different routes that use the same certificate.

Related Tickets & Documents

  • Related Issue #
  • Closes #

Testing

Successfully tested:

$ curl -ik  --http1.1 https://nginx-reencrypt-ingress-perf.apps.blablabla.perfscale.devcluster.openshift.com
HTTP/1.1 200 
server: nginx/1.20.1
date: Mon, 01 Jul 2024 12:25:31 GMT
content-type: text/html
content-length: 128
last-modified: Tue, 25 Jun 2024 17:57:24 GMT
etag: "667b0504-80"
accept-ranges: bytes
set-cookie: 2e901bb5a53d7e744a20c22f4e7d8928=8b9523fc6de155cf1fd7c285d97f3a90; path=/; HttpOnly; Secure; SameSite=None
cache-control: private


$ curl -ik  https://nginx-reencrypt-ingress-perf.apps.blablabla.openshift.com
HTTP/2 200 
server: nginx/1.20.1
date: Mon, 01 Jul 2024 12:24:30 GMT
content-type: text/html
content-length: 128
last-modified: Tue, 25 Jun 2024 17:57:24 GMT
etag: "667b0504-80"
accept-ranges: bytes
set-cookie: 2e901bb5a53d7e744a20c22f4e7d8928=af70d63b2f19e91804f402b7c4ab0564; path=/; HttpOnly; Secure; SameSite=None
cache-control: private

<!DOCTYPE html>
<html>
<head>
<title>Welcome 0128B</title>
</head>
<body>
<h1>Welcome 0128B</h1>

<pre>
</pre>

</body>
</html>

@rsevilla87 rsevilla87 requested a review from krishvoor July 1, 2024 12:24
@rsevilla87 rsevilla87 added the bug Something isn't working label Jul 1, 2024
Signed-off-by: Raul Sevilla <[email protected]>
@rsevilla87 rsevilla87 merged commit 7859a24 into cloud-bulldozer:main Jul 1, 2024
2 checks passed
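Added example, not part of the pull request or the project's code: a Python audit over `oc get routes -o json` output that separates edge and re-encrypt routes carrying their own certificate from those falling back to the default one, which per the documentation quoted above cannot use HTTP/2. It also groups routes that carry an identical custom certificate, since the quoted rationale concerns routes sharing a certificate. The sample input, route names and PEM bodies are constructed, and only the inline `spec.tls.certificate` field is considered.

```python
import hashlib
import json

def _pem(tag):
    # Constructed placeholder, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{tag}\n-----END CERTIFICATE-----"

def _route(name, tls=None):
    spec = {"host": f"{name}.apps.example.test"}
    if tls is not None:
        spec["tls"] = tls
    return {"metadata": {"namespace": "demo", "name": name}, "spec": spec}

# Constructed sample shaped like `oc get routes -o json` output.
SAMPLE = json.dumps({"items": [
    _route("reencrypt-default", {"termination": "reencrypt"}),
    _route("reencrypt-custom", {"termination": "reencrypt", "certificate": _pem("A")}),
    _route("edge-custom", {"termination": "edge", "certificate": _pem("A")}),
    _route("passthrough", {"termination": "passthrough"}),
    _route("plain"),
    _route("edge-own", {"termination": "edge", "certificate": _pem("B")}),
]})

def audit_routes(route_list_json):
    """Classify routes by the certificate the router presents to clients."""
    report = {"custom_cert": [], "default_cert": [], "not_terminated": []}
    by_cert = {}
    for item in json.loads(route_list_json).get("items", []):
        meta = item["metadata"]
        name = f'{meta.get("namespace", "")}/{meta["name"]}'
        tls = item.get("spec", {}).get("tls") or {}
        # Only edge and reencrypt routes have TLS terminated by the router.
        if tls.get("termination") not in ("edge", "reencrypt"):
            report["not_terminated"].append(name)
            continue
        pem = (tls.get("certificate") or "").strip()
        if not pem:
            # No certificate on the route: the router's default one is served.
            report["default_cert"].append(name)
            continue
        report["custom_cert"].append(name)
        fingerprint = hashlib.sha256(pem.encode()).hexdigest()
        by_cert.setdefault(fingerprint, []).append(name)
    # Routes presenting an identical custom certificate, grouped together.
    report["shared_cert"] = sorted(sorted(v) for v in by_cert.values() if len(v) > 1)
    return report

if __name__ == "__main__":
    print(json.dumps(audit_routes(SAMPLE), indent=2))
```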