OpenShift re-encrypt TLS termination route does not work. Application is not available

12/4/2019

Can anyone please help me with OpenShift Routes?

I have set up a Route with Reencrypt TLS termination. Calls made to the service endpoint (https://openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com) result in:

[screenshot]

Requests made to the URL do not seem to reach the pods; it is returning a 503 "Application not available" error. The Liberty application is running fine on port 8543, and the application logs look clean.

I am unable to identify the root cause of this error. The requests made on external HTTPS URLs do not make it to the application pod. Any suggestions on how to get the endpoint URLs working?

Thanks for your help in advance!

OpenShift version 4.2, Liberty version 19

Route.yaml

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: openshift-pmi-dev-reencrypt
  namespace: default
  selfLink: >-
    /apis/route.openshift.io/v1/namespaces/default/routes/openshift-pmi-dev-reencrypt
  uid: 5de29e0d-16b6-11ea-a1ab-0a580afe00ab
  resourceVersion: '7059134'
  creationTimestamp: '2019-12-04T16:51:50Z'
  labels:
    app: apm-pm-api
  annotations:
    openshift.io/host.generated: 'true'
spec:
  host: openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com
  subdomain: ''
  path: /ibm/pmi/service
  to:
    kind: Service
    name: apm-pm-api-service
    weight: 100
  port:
    targetPort: https
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: None
  wildcardPolicy: None
status:
  ingress:
    - host: openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2019-12-04T16:51:50Z'
      wildcardPolicy: None
      routerCanonicalHostname: apps.vapidly.os.fyre.ibm.com

Service.yaml

kind: Service
apiVersion: v1
metadata:
  name: apm-pm-api-service
  namespace: default
  selfLink: /api/v1/namespaces/default/services/apm-pm-api-service
  uid: 989040ed-166c-11ea-b792-00000a1003d7
  resourceVersion: '7062857'
  creationTimestamp: '2019-12-04T08:03:46Z'
  labels:
    app: apm-pm-api
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8543
  selector:
    app: apm-pm-api
  clusterIP: 172.30.122.233
  type: ClusterIP
  sessionAffinity: None
status:
  loadBalancer: {}
-- Lokesh Sreedhar

1 Answer

12/4/2019

Looking at the snapshot, the browser is stating "Not Secure" for the connection. Is this an attempt to access the application over HTTP, not HTTPS?

Having spec.tls.insecureEdgeTerminationPolicy: None means that traffic on insecure schemes (HTTP) is disabled - see the "Re-encryption Termination" section in this doc.

I'd also suggest using that documentation to determine if you may need to configure spec.tls.destinationCACertificate.

-- gears
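
The route from the question with spec.tls.destinationCACertificate filled in, as an added example that is not part of the original question or answer. It keeps only the fields a user sets (uid, resourceVersion, selfLink and status are populated by the API server), and the certificate body is a placeholder: it assumes you have the PEM of the CA that issued the certificate Liberty serves on port 8543.

```yaml
# Added example: the question's Route, trimmed to user-set fields,
# with the backend CA supplied for the re-encrypted hop.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: openshift-pmi-dev-reencrypt
  namespace: default
  labels:
    app: apm-pm-api
spec:
  host: openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com
  path: /ibm/pmi/service
  to:
    kind: Service
    name: apm-pm-api-service
    weight: 100
  port:
    # Named port on apm-pm-api-service (port 443 -> targetPort 8543)
    targetPort: https
  tls:
    # The router terminates the client's TLS session, then opens a
    # second TLS connection to the pod.
    termination: reencrypt
    # Plain-HTTP requests to this host are not served; clients must
    # use https:// as noted in the answer.
    insecureEdgeTerminationPolicy: None
    # CA the router uses to validate the certificate the pod presents.
    # Placeholder value: replace with the issuing CA's PEM (assumption:
    # the Liberty server certificate chains to this CA).
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      <PEM-encoded CA certificate goes here: placeholder, not a real value>
      -----END CERTIFICATE-----
  wildcardPolicy: None
```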
Source: StackOverflow