The Gloo documentation at https://gloo.solo.io/advanced_configuration/tls_setup/ goes through the process of setting up SSL for a Gloo virtual service. However, it only does this with a self-signed certificate. We are using Gloo to switch between two services based on path (e.g. api.example.com/ points to an Elastic Beanstalk application and api.example.com/service points to a Kubernetes cluster application).
Here are the two upstreams:
dev-api-upstream
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: dev-api-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
      - addr: api-dev.example.com
        port: 80
kube-upstream.yaml
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: kube-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
      - addr: api-dev.example.com
        port: 80
And finally the virtual service:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - '*'
    routes:
    - matcher:
        prefix: /service2
      routeAction:
        single:
          upstream:
            name: kube-upstream
            namespace: gloo-system
    - matcher:
        prefix: /
      routeAction:
        single:
          upstream:
            name: dev-api-upstream
            namespace: gloo-system
This works fine for HTTP requests, but times out for HTTPS.
How do I use an AWS ACM-created certificate to enable SSL on the load balancer that Gloo is receiving requests from?
If you want your VirtualService to terminate SSL, you need to add an sslConfig to it, as described in the document you linked:
# create a secret containing the cert you want to serve
# (tls.key = the private key, tls.crt = the PEM certificate chain, server cert first)
kubectl create secret tls my-tls-cert --key <path to private key> \
  --cert <path to cert chain> --namespace gloo-system
Then update your VS with the sslConfig, like so:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - '*'
    routes:
    - matcher:
        prefix: /service2
      routeAction:
        single:
          upstream:
            name: kube-upstream
            namespace: gloo-system
    - matcher:
        prefix: /
      routeAction:
        single:
          upstream:
            name: dev-api-upstream
            namespace: gloo-system
  sslConfig:
    secretRef:
      name: my-tls-cert
      namespace: gloo-system
Note that this will change the port on the proxy where the virtual service is served (from 80 to 443).
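The following script is an added example and is not code from the question, the answer or the Gloo project. It builds the kubernetes.io/tls Secret that the answer's sslConfig.secretRef points at, and checks the key/certificate pair before it is applied: the private key must match the public key in the certificate, and the leaf certificate must carry the hostname as a DNS subjectAltName, otherwise the handshake fails even though the Secret looks fine. The hostname api.example.com and the secret name my-tls-cert are taken from the page; the self-signed test certificate, the work directory and the helper names are assumptions. It only needs openssl and base64 on PATH.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Builds the kubernetes.io/tls Secret that the VirtualService's
# sslConfig.secretRef points at, and checks the key/cert pair before
# it is applied. Assumes openssl and base64 are on PATH. The hostname
# api.example.com and the secret name my-tls-cert come from the page;
# the work directory and the self-signed test certificate are assumptions.

umask 077                                  # private key is created 0600
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Issue a throw-away self-signed leaf for a hostname (valid for one day).
# $1 = hostname, $2 = output directory (writes tls.key and tls.crt)
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2/tls.key" -out "$2/tls.crt" 2>/dev/null
}

# Return 0 only when the private key's public half equals the public key
# inside the certificate. A mismatched pair is the usual cause of a
# handshake failure after the Secret is applied.
# $1 = private key file, $2 = certificate file
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 when the leaf (first certificate in the file) lists the hostname
# as a DNS subjectAltName; modern clients ignore the CN.
# $1 = certificate file, $2 = hostname
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Print a kubernetes.io/tls Secret manifest. tls.crt must hold the PEM
# chain in the order served to clients (server cert first, then intermediates).
# $1 = secret name, $2 = namespace, $3 = private key file, $4 = chain file
build_tls_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$4" | tr -d '\n')
  tls.key: $(base64 < "$3" | tr -d '\n')
EOF
}

gen_selfsigned api.example.com "$WORKDIR" || { echo "cert generation failed" >&2; exit 1; }
key_matches_cert "$WORKDIR/tls.key" "$WORKDIR/tls.crt" || { echo "key does not match cert" >&2; exit 1; }
cert_covers_host "$WORKDIR/tls.crt" api.example.com || { echo "cert has no SAN for api.example.com" >&2; exit 1; }
build_tls_secret my-tls-cert gloo-system "$WORKDIR/tls.key" "$WORKDIR/tls.crt" > "$WORKDIR/my-tls-cert.yaml"
echo "wrote $WORKDIR/my-tls-cert.yaml (apply with: kubectl apply -f $WORKDIR/my-tls-cert.yaml)"
```

The Secret's namespace must be the one named in sslConfig.secretRef (gloo-system on this page), and the manifest is applied with kubectl apply, which is equivalent to the kubectl create secret tls command in the answer. One caveat the answer does not cover, stated here as a fact about ACM rather than something the page says: public certificates issued by AWS ACM cannot be exported, so such a certificate cannot be placed in this Secret; to terminate TLS inside Gloo you need a key pair you hold (your own CA, ACM Private CA, or another issuer), otherwise TLS has to terminate at the load balancer in front of the proxy.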