Can anyone please help me with OpenShift Routes?
I have set up a Route with Reencrypt TLS termination. Calls made to the service endpoint (https://openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com) result in:
Requests made to the URL do not seem to reach the pods; it is returning a 503 Application not available error. The Liberty application is running fine on port 8543, and the application logs look clean.
I am unable to identify the root cause of this error. The requests made on external https URLs do not make it to the application pod. Any suggestions on how to get the endpoint URLs working?
Thanks for your help in advance!
OpenShift version 4.2, Liberty version 19
Route.yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: openshift-pmi-dev-reencrypt
  namespace: default
  selfLink: >-
    /apis/route.openshift.io/v1/namespaces/default/routes/openshift-pmi-dev-reencrypt
  uid: 5de29e0d-16b6-11ea-a1ab-0a580afe00ab
  resourceVersion: '7059134'
  creationTimestamp: '2019-12-04T16:51:50Z'
  labels:
    app: apm-pm-api
  annotations:
    openshift.io/host.generated: 'true'
spec:
  host: openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com
  subdomain: ''
  path: /ibm/pmi/service
  to:
    kind: Service
    name: apm-pm-api-service
    weight: 100
  port:
    targetPort: https
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: None
  wildcardPolicy: None
status:
  ingress:
    - host: openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2019-12-04T16:51:50Z'
      wildcardPolicy: None
      routerCanonicalHostname: apps.vapidly.os.fyre.ibm.com
Service.yaml
kind: Service
apiVersion: v1
metadata:
  name: apm-pm-api-service
  namespace: default
  selfLink: /api/v1/namespaces/default/services/apm-pm-api-service
  uid: 989040ed-166c-11ea-b792-00000a1003d7
  resourceVersion: '7062857'
  creationTimestamp: '2019-12-04T08:03:46Z'
  labels:
    app: apm-pm-api
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8543
  selector:
    app: apm-pm-api
  clusterIP: 172.30.122.233
  type: ClusterIP
  sessionAffinity: None
status:
  loadBalancer: {}
Looking at the snapshot, the browser is stating "Not Secure" for the connection. Is this an attempt to access the application over HTTP, not HTTPS?
Having spec.tls.insecureEdgeTerminationPolicy: None means that traffic on insecure schemes (HTTP) is disabled - see the "Re-encryption Termination" section in this doc.
I'd also suggest using that documentation to determine if you may need to configure spec.tls.destinationCACertificate.
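The checks this answer points at, written out as an added example (not code from the original post or from OpenShift): given the Route and Service as parsed JSON and a request URL, it lists the mismatches worth ruling out. The function name and finding strings are hypothetical, and the sample objects are constructed from the manifests shown in the question.

```python
from urllib.parse import urlsplit

# Constructed sample input: the relevant fields of the Route and Service from
# this page, in the shape `oc get route/service -o json` returns them.
ROUTE = {"spec": {
    "host": "openshift-pmi-dev-reencrypt-default.apps.vapidly.os.fyre.ibm.com",
    "path": "/ibm/pmi/service",
    "to": {"kind": "Service", "name": "apm-pm-api-service"},
    "port": {"targetPort": "https"},
    "tls": {"termination": "reencrypt", "insecureEdgeTerminationPolicy": "None"},
}}
SERVICE = {"metadata": {"name": "apm-pm-api-service"},
           "spec": {"ports": [{"name": "https", "port": 443, "targetPort": 8543}]}}


def check_reencrypt_route(route, service, url):
    """Return a list of findings (hypothetical wording) for `url` via `route`."""
    spec, findings = route["spec"], []
    tls = spec.get("tls", {})
    req = urlsplit(url)
    if req.hostname != spec["host"]:
        findings.append("host does not match spec.host")
    # Path-based routes only serve requests under spec.path (prefix check).
    if not req.path.startswith(spec.get("path") or "/"):
        findings.append("request path is outside spec.path")
    # With insecureEdgeTerminationPolicy None, plain HTTP is not served.
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if req.scheme == "http" and policy == "None":
        findings.append("HTTP request but insecure traffic is disabled")
    if spec["to"]["name"] != service["metadata"]["name"]:
        findings.append("spec.to.name does not reference this Service")
    # spec.port.targetPort must name a Service port or equal its targetPort.
    want = spec.get("port", {}).get("targetPort")
    ports = service["spec"]["ports"]
    if want is not None and not any(
            want in (p.get("name"), p.get("targetPort")) for p in ports):
        findings.append("spec.port.targetPort matches no Service port")
    # Reencrypt: the router opens a second TLS hop to the pod and has to
    # validate the certificate the pod presents.
    if tls.get("termination") == "reencrypt" and not tls.get("destinationCACertificate"):
        findings.append("reencrypt without destinationCACertificate: confirm "
                        "the router can validate the pod's certificate")
    return findings
```

For the manifests in the question, an https request under /ibm/pmi/service leaves only the destinationCACertificate finding, which is the field the answer says to look at.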