
Re: edge and passthrough vs encrypt termination



What version of OpenShift are you running? 
$  openshift version

I just tried this on the latest version, and reencrypt works. 
Your original message had typos for both [re]encrypt and passt[h]rough, could be that's why you saw the error.

And are you using a real certificate (aka generated by a well-known CA) or rolling your own? 
In the latter case (BYOCA - b[e,r]ing your own CA), you will need to pass the CA information for the router to
trust/verify/re-encrypt traffic to (and from) the pod.


There's an example for reencrypt here at: https://github.com/pweil-/hello-nginx-docker#uc-4-reencrypt-termination

To use/run it, just git clone that repo and, assuming you have OpenShift v3 and the router set up, you can just run:

  $  git clone https://github.com/pweil-/hello-nginx-docker.git

  $ oc create -f hello-nginx-docker/openshift/nginx_pod.json

  $ oc create -f hello-nginx-docker/openshift/reencrypt/service.json

  $ oc create -f hello-nginx-docker/openshift/reencrypt/route.json


It might take a lil' bit of time for the container to start up as it needs to pull down the image, and once you see the container running, you can get to it via the following command on the router host:

 $ curl --resolve www.example2.com:443:127.0.0.1 https://www.example2.com \
        --cacert hello-nginx-docker/certs/mypersonalca/certs/ca.pem
        # or you can use -k to allow insecure certs (not use the CA cert bundle for verification).

If you run that from outside the host where the router is running, change 127.0.0.1 to the external IP address of the node where the router is running.


HTH.



On Fri, Nov 20, 2015 at 12:09 AM, Lorenz Vanthillo <lorenz vanthillo outlook com> wrote:
I tried it all. With the extra parameter, without it. Even with all the right certificates and keys etc.
It does not recognize 'reencrypt'.


From: lmeyer redhat com
Date: Thu, 19 Nov 2015 15:43:18 -0500
Subject: Re: edge and passthrough vs encrypt termination
To: lorenz vanthillo outlook com
CC: users lists openshift redhat com


If saving your route fails without any error message at all, I'd say that's a bug. There's no comment at the top of your file with this failure?

Reencrypt has an extra parameter. Perhaps you left it out (though I wouldn't expect an error from that). Note the "re-encrypt" section under https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html#secured-routes

destinationCaCertificate: |-
  -----BEGIN CERTIFICATE-----
  [...]
  -----END CERTIFICATE-----


On Thu, Nov 19, 2015 at 10:32 AM, Lorenz Vanthillo <lorenz vanthillo outlook com> wrote:
I meant reencrypt of course.
When I type reencrypt I don't get a clear error but I can't save my route.
When I type another wrong type I get:  * invalid value 'encrypt', Details: invalid value for termination, acceptable values are edge, passthrough, reencrypt, or emtpy (no tls specified)

So that's clear, but reencrypt doesn't want to work.


From: lorenz vanthillo outlook com
To: users lists openshift redhat com
Subject: edge and passthrough vs encrypt termination
Date: Thu, 19 Nov 2015 14:40:38 +0100


Hi,

I'm on OpenShift Origin V3
I configured edge and passthrough termination. All working fine. But now I want to configure encrypt termination.
The first steps would be similar to edge. So I have created a certificate and a private key and I want to include them in my route.
So I'm performing 'oc edit route'.
I add:
tls:
  termination: encrypt

When I save and want to go back I already get an error (I can't save the file). Also when I add the key and certificate I get this error.
But when I'm doing exactly the same for edge it's working fine. I can add
tls:
  termination: edge

or

tls:
  termination: passtrough

in my route and save it, no issues. But termination: encrypt is really not possible. It seems like the route-file doesn't know 'encrypt'.

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users







--
Ram//
main(O,s){s=--O;10<putchar(3^O?97-(15&7183>>4*s)*(O++?-1:1):10)&&\
main(++O,s++);}
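As an added illustration of the points made in this thread (a mistyped termination value such as 'encrypt' or 'passtrough' is rejected by route validation, and a reencrypt route needs a destinationCaCertificate so the router can verify the pod before re-encrypting to it), here is a small preflight check that can be run over a Route object before handing it to oc create. This is example code written for this page, not code from the thread or from the hello-nginx-docker repo; the Route shape follows the OpenShift v3 tls fields, while the helper names and the placeholder PEM strings are constructed for the example.

```python
import difflib
import re

ALLOWED_TERMINATIONS = ("edge", "passthrough", "reencrypt")
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)

# Constructed placeholders standing in for real PEM material (not real keys or certs).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----"

def route_with_tls(tls):
    """Build a constructed Route object in OpenShift v3 shape around the given tls stanza."""
    return {"kind": "Route", "apiVersion": "v1", "metadata": {"name": "hello-nginx-reencrypt"},
            "spec": {"host": "www.example2.com", "to": {"kind": "Service", "name": "hello-nginx-reencrypt"},
                     "tls": tls}}

def check_route_tls(route):
    """Return a list of problems with the route's tls stanza (empty list == looks sane)."""
    problems = []
    tls = route.get("spec", {}).get("tls")
    if not tls:
        return problems  # no tls stanza: plain HTTP route, nothing to verify
    term = tls.get("termination", "")
    if term not in ALLOWED_TERMINATIONS:
        msg = "invalid termination '%s', acceptable values are %s" % (term, ", ".join(ALLOWED_TERMINATIONS))
        close = difflib.get_close_matches(term, ALLOWED_TERMINATIONS, n=1, cutoff=0.6)
        if close:  # catches the thread's typos 'encrypt' and 'passtrough'
            msg += " (did you mean '%s'?)" % close[0]
        return [msg]
    if term == "passthrough":
        # the router never decrypts passthrough traffic, so route-level cert material is unused
        for field in ("certificate", "key", "caCertificate", "destinationCaCertificate"):
            if field in tls:
                problems.append("passthrough ignores tls.%s; remove it" % field)
        return problems
    # edge and reencrypt: the router terminates TLS with the route's certificate/key pair
    if ("certificate" in tls) != ("key" in tls):
        problems.append("tls.certificate and tls.key must be supplied together")
    for field, pattern in (("certificate", PEM_CERT), ("key", PEM_KEY)):
        if field in tls and not pattern.search(tls[field]):
            problems.append("tls.%s is not PEM encoded" % field)
    if term == "reencrypt" and not PEM_CERT.search(tls.get("destinationCaCertificate", "")):
        # without the pod's CA the router cannot verify the backend before re-encrypting to it
        problems.append("reencrypt requires tls.destinationCaCertificate (the CA that signed the pod's cert)")
    return problems
```

Feeding it the typo'd stanzas from the thread yields the same "acceptable values are edge, passthrough, reencrypt" message the API returns, plus a hint at the intended value.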

