sam

Reputation: 33

Openshift TLS configuration with API Gateway

I'm trying to deploy an Angular app on OpenShift with Istio as the service mesh. Service YAML:

  - apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: angularapp
        service: angularapp
        version: v1
      name: angularapp
    spec:
      ports:
      - name: http
        protocol: TCP
        port: 8080
        targetPort: 8080
      selector:
        name: angularapp

So far everything works over an http connection. To change to an https connection, I configured the istio-ingressgateway route provided by the Red Hat OpenShift Service Mesh operator installation to use passthrough:

spec:
  host: istio-ingressgateway-istio-system.apps.xxx.xx.xxxxxxx.opentlc.com
  tls:
    insecureEdgeTerminationPolicy: None
    termination: passthrough

and Istio's Gateway resource:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: testnamespace-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: "router-certs"
      hosts:
        - "*"

with the VirtualService pointing to port 8080 of the Angular app:

      route:
        - destination:
            host: angularapp
            port:
              number: 8080

Question: the TLS configuration works and the exposed Istio ingress gateway URL does have an https connection. However, API Gateway issues this error when firing a request to the mentioned Istio URL:

Execution failed due to configuration error: Unrecognized SSL message, plaintext connection?

The weird thing is that it only happens half the time; the other half works, even after clearing the browser cache after every run. Note that only the Istio ingress gateway URL has an https connection, while the Angular app as a standalone service only has http.

Sorry for the long-winded question and hope to get some help here. Thank you!

Upvotes: 1

Views: 1452
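A quick way to tell whether an intermittent "Unrecognized SSL message, plaintext connection?" is a client problem or the ingress answering in plaintext some of the time is to open several fresh connections, send a TLS ClientHello on each and look at the first bytes that come back. The script below is an added example, not code from the question; the hostname is an assumption to replace with the real route host, and the cipher suites and extensions are an arbitrary minimal set chosen only to get a TLS listener to answer.

```python
"""Reproduce the "Unrecognized SSL message, plaintext connection?" symptom:
open N connections to host:port, send a TLS ClientHello on each and record
whether the peer answers with a TLS record or with plaintext.

Added example; not code from the original post. The SNI, cipher suites and
extensions are arbitrary assumptions, enough to elicit a ServerHello or alert."""
import socket
import struct
import sys
from collections import Counter


def _ext(ext_type: int, data: bytes) -> bytes:
    """One TLS extension: type(2) length(2) data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying SNI, supported_groups and
    signature_algorithms. A TLS listener answers with a handshake (0x16) or
    alert (0x15) record; an HTTP listener sees garbage and answers with text
    or closes the connection."""
    name = server_name.encode()
    entry = struct.pack("!BH", 0, len(name)) + name            # host_name entry
    sni = _ext(0, struct.pack("!H", len(entry)) + entry)
    groups = b"\x00\x1d\x00\x17"                                # x25519, secp256r1
    supported_groups = _ext(10, struct.pack("!H", len(groups)) + groups)
    sigalgs = b"\x08\x04\x04\x01\x04\x03"                       # rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp256r1_sha256
    signature_algorithms = _ext(13, struct.pack("!H", len(sigalgs)) + sigalgs)
    extensions = sni + supported_groups + signature_algorithms
    suites = b"\xc0\x2f\xc0\x2b\x00\x9c"                        # ECDHE-RSA-AES128-GCM, ECDHE-ECDSA-AES128-GCM, RSA-AES128-GCM
    body = (
        b"\x03\x03"                                             # client_version: TLS 1.2
        + bytes(32)                                             # client random (fixed zeros; fine for a probe)
        + b"\x00"                                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                           # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello, uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(first_bytes: bytes) -> str:
    """Classify the first bytes the peer sends back after our ClientHello."""
    if not first_bytes:
        return "closed"            # peer closed without answering
    if first_bytes[0] in (0x15, 0x16) and first_bytes[1:2] == b"\x03":
        return "tls"               # TLS alert or handshake record
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"    # an HTTP listener treated the ClientHello as a bad request
    return "unknown"


def probe(host: str, port: int = 443, attempts: int = 10, timeout: float = 5.0) -> Counter:
    """Open `attempts` fresh connections and tally how each one was answered.
    A healthy passthrough route yields only "tls"; a mix of "tls" with
    "plaintext-http"/"closed" means some connections reach a plaintext listener."""
    hello = build_client_hello(host)
    tally: Counter = Counter()
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                tally[classify(sock.recv(16))] += 1
        except OSError as exc:                                  # refused, reset, timeout
            tally[f"error:{type(exc).__name__}"] += 1
    return tally


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe_tls.py HOST [PORT] [ATTEMPTS]")
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    tries = int(sys.argv[3]) if len(sys.argv) > 3 else 10
    for outcome, count in sorted(probe(target_host, target_port, tries).items()):
        print(f"{outcome:16s} {count}")
```

Run it against the route host from the question (`python probe_tls.py istio-ingressgateway-istio-system.apps.xxx.xx.xxxxxxx.opentlc.com 443 20`); a tally that splits between `tls` and `plaintext-http` or `closed` reproduces the half-and-half failure without any browser or API Gateway in the loop, which rules out caching on the client side.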

Answers (2)

sam

Reputation: 33

Solved this by adding the segment:

  port:
    targetPort: https
  tls:
    termination: passthrough

to the Istio ingress route configuration, as the Istio ingress service's default configuration listens on portName: https:

  name: https
  port: 443
  protocol: TCP
  targetPort: 8080

Upvotes: 0
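Why naming the port fixes the route follows from the Route API: `spec.port` is optional, and the field's description states that most routers use all endpoints the service exposes when it is unset, so a passthrough route on a multi-port service can be forwarded to a plaintext endpoint as well as the TLS one. The following is an added example, not code from the answer above nor from OpenShift: it resolves a Route's `spec.port` against the Service the way `oc get route/svc -o json` returns them and reports which pod port the router forwards to. The sample objects are constructed, modelled on a stock istio-ingressgateway Service (http2 80->8080, https 443->8443); those names and numbers are assumptions to check against the real cluster.

```python
"""Work out which pod port an OpenShift Route sends traffic to, from the Route
and Service objects as `oc get route ... -o json` / `oc get svc ... -o json`
return them.

Added example; not code from the original post or from OpenShift. The objects
below are constructed samples; the Service is modelled on a stock
istio-ingressgateway Service (http2 80->8080, https 443->8443), and the route
host is a placeholder."""
from typing import Any, Dict, List

INGRESS_SERVICE: Dict[str, Any] = {
    "kind": "Service",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "ports": [
            {"name": "status-port", "port": 15021, "protocol": "TCP", "targetPort": 15021},
            {"name": "http2", "port": 80, "protocol": "TCP", "targetPort": 8080},
            {"name": "https", "port": 443, "protocol": "TCP", "targetPort": 8443},
        ],
    },
}

# The route as in the question: passthrough, but no spec.port.
ROUTE_WITHOUT_PORT: Dict[str, Any] = {
    "kind": "Route",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "host": "istio-ingressgateway-istio-system.apps.example.invalid",
        "to": {"kind": "Service", "name": "istio-ingressgateway"},
        "tls": {"termination": "passthrough", "insecureEdgeTerminationPolicy": "None"},
    },
}

# The route as in the answer: spec.port.targetPort pins it to the https port.
ROUTE_WITH_HTTPS_PORT: Dict[str, Any] = {
    **ROUTE_WITHOUT_PORT,
    "spec": {**ROUTE_WITHOUT_PORT["spec"], "port": {"targetPort": "https"}},
}


def resolve_route_ports(route: Dict[str, Any], service: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Service port entries the router will forward to.

    spec.port.targetPort is a name (string) or number (int) of a port on the
    pods behind the service. Without spec.port the router uses every endpoint
    the service exposes, which is what makes a multi-port service ambiguous."""
    ports = service["spec"]["ports"]
    target = route["spec"].get("port", {}).get("targetPort")
    if target is None:
        return list(ports)
    if isinstance(target, int):
        return [p for p in ports if p["targetPort"] == target]
    return [p for p in ports if p.get("name") == target]


def check_route(route: Dict[str, Any], service: Dict[str, Any]) -> List[str]:
    """Human-readable findings about where the route's traffic ends up."""
    termination = route["spec"].get("tls", {}).get("termination", "none")
    chosen = resolve_route_ports(route, service)
    if not chosen:
        return ["route targetPort matches no port on the service"]
    findings: List[str] = []
    if "port" not in route["spec"] and len(chosen) > 1:
        findings.append(
            "no spec.port: router uses all endpoints of a multi-port service, so "
            f"{termination} traffic may land on any of "
            + ", ".join(f"{p['name']}->{p['targetPort']}" for p in chosen)
        )
    for p in chosen:
        findings.append(f"{termination} route -> service port {p['name']} ({p['port']}->{p['targetPort']})")
    return findings


if __name__ == "__main__":
    # Usage: python route_ports.py route.json service.json  (files from `oc get ... -o json`);
    # with no arguments the constructed samples above are checked.
    import json
    import sys

    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_route, open(sys.argv[2]) as f_svc:
            route_obj, svc_obj = json.load(f_route), json.load(f_svc)
    else:
        route_obj, svc_obj = ROUTE_WITHOUT_PORT, INGRESS_SERVICE
    for line in check_route(route_obj, svc_obj):
        print(line)
```

On the sample objects the route without `spec.port` resolves to all three service ports, only one of which terminates TLS on the gateway, while the route with `targetPort: https` resolves to the 443->8443 port alone. Whatever the real cluster's port list is, the port this reports must be the one the Istio Gateway serves its HTTPS listener on; if it is the plaintext 8080 port, a passthrough route delivers raw TLS bytes to an HTTP listener and the client sees exactly the plaintext error from the question.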

Rakesh Gupta

Reputation: 3760

With passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore no key or certificate is required.

Because your backend service is http, you should terminate SSL at the edge using

termination: edge

Reference: https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html

Upvotes: 0
