
Not able to achieve end to end encryption in openshift 4.3 route


We have an AngularJS application where we have a nodejs app which creates certificates and a key for the service hostname only when the HTTPS port is 443. The created certificates are then consumed in nginx as shown below:

<% if ENV["HTTPS__ENABLED"] == "true" %>
listen <%= ENV["HTTPS__PORT"] %> ssl;
# These files are generated by the node app
ssl_certificate /cert.csr;
ssl_certificate_key /tls_private_key.csr;
ssl_protocols TLSv1.2;
<% end %>

But when I set port 443 in the route with re-encrypt termination, it gives the error below while accessing the application:

Application is not available

The application is currently not serving requests at this endpoint. It may not have been started or is still starting.

The request is not even reaching the pod. If I create the route with edge termination, it gives this error:

400 Bad Request
The plain HTTP request was sent to HTTPS port

With edge termination there is no encryption from the router to the pod. I cannot use the passthrough termination policy, as we have a path in our route, which is not supported by passthrough termination.

Can someone please let me know how to achieve end-to-end encryption in OpenShift 4.3? We do not use a custom domain here.

I was checking the way to create a re-encrypt route: oc create route reencrypt --service=frontend --cert=tls.crt --key=tls.key --dest-ca-cert=destca.crt --ca-cert=ca.crt --hostname=www.example.com

But as we are not using a custom domain, our route should use the default cert and key, right? So there is no need to provide those, right? I am not getting how to create --dest-ca-cert for this route.


Solution

  • TLS is already enabled in our AngularJS app using a nodejs app which creates the cert and key that are consumed by Nginx. The pod inside the cluster uses TLS; it's issued by a CA, and that's the cert we should put in destinationCACert for the route. The CA cert is how the router determines whether it can trust the upstream pod for the TLS communication.

    We used the ca.crt located at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt as the destination certificate while creating the re-encrypt route. We selected the HTTPS port while creating the route: oc create route reencrypt --service=frontend --cert=tls.crt --key=tls.key --dest-ca-cert=destca.crt --ca-cert=ca.crt --hostname=www.example.com

    Here tls.crt and tls.key are not needed for us, as we were using the default domain of the OpenShift cluster. The only cert we used is --dest-ca-cert, which is also found in the secret service-serving-cert-signer-sa-token-l42lm of the openshift-service-ca namespace.
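As an added example (not code from the question or the answer above), the following script renders the Route manifest equivalent to the `oc create route` commands on this page, so the difference between edge and re-encrypt is visible in one place: only re-encrypt carries `spec.tls.destinationCACertificate`, the CA the router uses to verify the pod's serving certificate. The service name `frontend` and port 443 are taken from the page; the CA file path is whatever the caller supplies (for instance the serviceaccount `ca.crt` the answer used).

```shell
#!/bin/sh
# Added example, not code from the question or answer above.
# Renders a Route manifest for edge or reencrypt termination. Assumptions:
# service "frontend" and port 443 (from the page); the CA file is caller-supplied.

render_route() {
  svc="$1"; port="$2"; term="$3"; ca_file="$4"
  case "$term" in
    edge|reencrypt) ;;
    *) echo "render_route: termination must be edge or reencrypt" >&2; return 1 ;;
  esac
  if [ "$term" = reencrypt ] && [ ! -r "$ca_file" ]; then
    echo "render_route: reencrypt needs a readable destination CA file" >&2
    return 1
  fi
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: ${svc}
spec:
  to:
    kind: Service
    name: ${svc}
  port:
    targetPort: ${port}
  tls:
    termination: ${term}
EOF
  # Edge stops here: the router speaks plain HTTP to the pod, which is why an
  # HTTPS-only nginx answers "400 The plain HTTP request was sent to HTTPS port".
  if [ "$term" = edge ]; then
    return 0
  fi
  # Reencrypt: embed the CA as a YAML block scalar, every PEM line indented six spaces
  # so it stays inside the destinationCACertificate value.
  echo "    destinationCACertificate: |-"
  sed 's/^/      /' "$ca_file"
}

# Before creating the route, confirm that the certificate the pod serves actually
# chains to the CA you are about to hand the router; if it does not, the router
# will not trust the backend and clients see "Application is not available".
# Usage: verify_pod_cert <ca.crt> <pod-serving-cert.pem>
verify_pod_cert() {
  openssl verify -CAfile "$1" "$2"
}
```

Apply the rendered manifest with `oc apply -f -`, or keep using `oc create route reencrypt --dest-ca-cert=...` as in the answer; both set the same field.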