Configuring Gloo virtual service SSL with AWS ACM cert

9/30/2019

The Gloo documentation at https://gloo.solo.io/advanced_configuration/tls_setup/ goes through the process of setting up SSL for a Gloo virtual service. However, it only does this with a self-signed certificate. We are using Gloo to switch between two services based on path (e.g. api.example.com/ points to an Elastic Beanstalk application and api.example.com/service points to a Kubernetes cluster application).

Here are the two upstreams:

dev-api-upstream

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: dev-api-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
        - addr: api-dev.example.com
          port: 80

kube-upstream.yaml

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: kube-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
        - addr: api-dev.example.com
          port: 80

And finally the virtual service:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - '*'
    routes:
      - matcher:
          prefix: /service2
        routeAction:
          single:
            upstream:
              name: kube-upstream
              namespace: gloo-system
      - matcher:
          prefix: /
        routeAction:
          single:
            upstream:
              name: dev-api-upstream
              namespace: gloo-system

This works fine for HTTP requests, but times out for HTTPS.

How do I use an AWS ACM-created certificate to enable SSL on the load balancer that Gloo is receiving requests from?

-- SirCapsLock
amazon-web-services
kubernetes
ssl

1 Answer

2/20/2020

If you want your VirtualService to terminate SSL, you need to add an SSLConfig to it as described in the document you linked:

# create a secret containing the cert you want to serve
# (--cert takes the PEM server certificate, with any intermediates appended; --key its private key)
kubectl create secret tls my-tls-cert --key <path to private key> \
   --cert <path to server certificate> --namespace gloo-system

Then update your VirtualService with the sslConfig like so:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - '*'
    routes:
      - matcher:
          prefix: /service2
        routeAction:
          single:
            upstream:
              name: kube-upstream
              namespace: gloo-system
      - matcher:
          prefix: /
        routeAction:
          single:
            upstream:
              name: dev-api-upstream
              namespace: gloo-system
  sslConfig:
    secretRef:
      name: my-tls-cert
      namespace: gloo-system

Note that this will change the port on the proxy where the virtual service is served (from 80 to 443).

-- Scott Weiss
Source: StackOverflow
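The answer above terminates TLS inside Gloo, which needs a certificate whose private key you hold (ACM public certificates cannot be exported, so they cannot be put into a kubernetes.io/tls secret; certificates from ACM Private CA can). For the ACM certificate the question asks about, the TLS listener has to live on the AWS load balancer in front of the Gloo gateway proxy, which then receives plain HTTP and can keep the HTTP-only VirtualService from the question unchanged. The following Service manifest is an added example, not code from the question, the answer or the Gloo project; it assumes Gloo's proxy Service is named gateway-proxy in gloo-system, that its pods carry the label gloo: gateway-proxy and that Envoy listens for HTTP on port 8080, and it uses the in-tree AWS cloud provider annotations for a classic ELB. The certificate ARN is a placeholder.

```yaml
# Added example: terminate TLS on the AWS load balancer with an ACM certificate
# and forward plain HTTP to the Gloo gateway proxy.
# Assumptions (not from the page): Service name gateway-proxy, pod label
# gloo: gateway-proxy, proxy HTTP port 8080, placeholder certificate ARN.
apiVersion: v1
kind: Service
metadata:
  name: gateway-proxy
  namespace: gloo-system
  annotations:
    # ARN of the ACM certificate the load balancer presents (placeholder value)
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID"
    # TLS is terminated only on the listener ports named here; port 80 stays plain TCP
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # after terminating TLS the load balancer speaks HTTP to the proxy pods
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
spec:
  type: LoadBalancer
  selector:
    gloo: gateway-proxy
  ports:
    # both listeners land on the proxy's HTTP port; Envoy itself never sees TLS
    - name: http
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8080
```

In a Helm-installed Gloo the gateway-proxy Service already exists, so in practice these annotations and the 443 port are patched onto it rather than applied as a new Service. The hop from the load balancer to the proxy is plaintext inside the VPC; encrypting it too requires a certificate the proxy can serve (the sslConfig from the answer) together with the backend-protocol annotation set to https.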