Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/03 18:51:15 UTC

[GitHub] [apisix-helm-chart] MirtoBusico opened a new issue #230: Request help: how to setup the gateway variables to enable HTTPS?

MirtoBusico opened a new issue #230:
URL: https://github.com/apache/apisix-helm-chart/issues/230


   Hi all,
   I need to enable the HTTPS protocol on the apisix ingress gateway.
   I don't know how to setup the variables in the helm chart values.yaml to enable HTTPS.
   
   My framework:
   
   - 3 node kubernetes cluster
   - Istio installed with the "minimal" profile
   - apisix installed with helm chart (enabling ingress controller and dashboard)
   - a working route and upstream for a site (eg "http://www.m01.net")
   
   Now I want to setup apisix so that it responds to "https://www.m01.net"
   
   What I have:
   
   - a private Certification Authority certificate
   - key and certificate for www.m01.net signed by the private CA
   
   The "**gateway**" part of values.yaml (modified as per bug [#851](https://github.com/apache/apisix-ingress-controller/issues/851)) is:
   ```yaml
   gateway:
     type: NodePort
     # If you want to keep the client source IP, you can set this to Local.
     # ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     externalTrafficPolicy: Cluster
     # type: LoadBalancer
     # annotations:
     #   service.beta.kubernetes.io/aws-load-balancer-type: nlb
     externalIPs: []
     http:
       enabled: true
       servicePort: 80
       containerPort: 9080
     tls:
       enabled: false
       servicePort: 443
       containerPort: 9443
       existingCASecret: ""
       certCAFilename: ""
       http2:
         enabled: true
     stream:  # L4 proxy (TCP/UDP)
       enabled: true
       only: false
       tcp: # TCP proxy address list
         - 9100
         - "127.0.0.1:9101"
       udp: # UDP proxy address list
         - 9200
         - "127.0.0.1:9211"
     ingress:
       enabled: false
       annotations: {}
         # kubernetes.io/ingress.class: nginx
         # kubernetes.io/tls-acme: "true"
       hosts:
         - host: apisix.local
           paths: []
       tls: []
     #  - secretName: apisix-tls
     #    hosts:
     #      - chart-example.local
   
   ```
   As far as I understand, I have to set "tls: enabled: true", but I don't know:
   
   - what is the existingCASecret?
   - if the certCAFilename refers to the CA cert file, where do I have to put that file so the helm chart finds it?
   - do I have to enable "ingress"?
   
   Is there any documentation / tutorial about this topic?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix-helm-chart] MirtoBusico commented on issue #230: Request help: how to setup the gateway variables to enable HTTPS?

Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #230:
URL: https://github.com/apache/apisix-helm-chart/issues/230#issuecomment-1029341281


   Thanks. I'll try asap





[GitHub] [apisix-helm-chart] gardun0 commented on issue #230: Request help: how to setup the gateway variables to enable HTTPS?

Posted by GitBox <gi...@apache.org>.
gardun0 commented on issue #230:
URL: https://github.com/apache/apisix-helm-chart/issues/230#issuecomment-1029327166


   Hey @MirtoBusico, in order to secure your gateway there are many methods out there; this is one of them:
   
   1. Enable TLS with `gateway.tls.enabled` set to `true`; this will add a `443` port to your service.
   2. In order to expose your gateway, you must set the service to `LoadBalancer` type (alternative to Ingress).
   3. As soon as your service is set up, it'll have a public address with two ports, `80` and `443`.
   4. In order to have a TLS/SSL certificate there are many ways to do that, but Let's Encrypt might do that job for you; in this case we're using [cert-manager](https://cert-manager.io/).
   5. You must set up an `Issuer`/`ClusterIssuer` with [cert-manager](https://cert-manager.io/) and a `Certificate`; that `Certificate` will generate a secret including the keys within your namespace (I don't remember if it must be the same as Apisix).
   6. Once you have a `Certificate` resource created, you must create an `ApisixTls` resource referencing the same DNS you set on your `Certificate` and the secret name generated.
   7. Finally you must change your domain DNS to the one generated through your `LoadBalancer`.
   
   Overall, this is a simple guide to secure your exposed gateway (I may have missed something).





[GitHub] [apisix-helm-chart] MirtoBusico commented on issue #230: Request help: how to setup the gateway variables to enable HTTPS?

Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #230:
URL: https://github.com/apache/apisix-helm-chart/issues/230#issuecomment-1030579375


   Hi @gardun0, I was able to do steps 1, 2, 3, and 7.
   
   I can't use Let's Encrypt (my lab also has to work in an air-gapped situation) and I would prefer not to add cert-manager to the things I have to learn.
   
   For now I'm using a CA and certificates created directly with openssl.
   I have:
   
   - m01ca.pem, the Certification Authority certificate
   - www.key, the key for www.m01.net
   - www.crt, the certificate for www.m01.net
   
   I know how to create a TLS certificate in k8s:
   ```shell
   kubectl -n kube-system create secret tls www-ingress-tls --cert=www.crt --key=www.key
   ```
   (note that I was only able to set up HTTPS in the Istio ingress gateway; maybe here the secret type and namespace are different)
   
   How can I create a certificate resource with these data?
   


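The procedure gardun0 outlines (chart TLS listener, certificate Secret, `ApisixTls`) and the question of how to do it with the openssl-generated `www.crt`/`www.key` instead of Let's Encrypt, put together as an added example. These are my own manifests, not code from the thread, the chart or the ingress controller project. The release namespace `apisix`, the Secret name `www-m01-tls`, the issuer name `m01-ca`, the values file name and the `ApisixTls` apiVersion `v2beta3` (the one current in early 2022; newer controllers use `v2`) are assumptions; the Secret contents are placeholders. On the two chart fields asked about: as I read the chart's configmap template, `existingCASecret`/`certCAFilename` feed `ssl_trusted_certificate`, i.e. a CA bundle APISIX should trust, not the certificate it serves; check the template of your chart version. `gateway.ingress` creates a Kubernetes Ingress pointing at the APISIX Service for use behind another ingress controller and is not needed when APISIX terminates TLS itself.

```yaml
# values-tls.yaml (assumed name): Helm override for the apisix chart.
# gateway.tls.enabled opens the 9443 listener and adds port 443 to the Service.
gateway:
  type: LoadBalancer          # NodePort also works; 443 is then mapped to a node port
  tls:
    enabled: true
    servicePort: 443
    containerPort: 9443
    http2:
      enabled: true
    # Leave empty: these point APISIX at a CA bundle to trust
    # (ssl_trusted_certificate); they do not install the server certificate.
    existingCASecret: ""
    certCAFilename: ""
  ingress:
    enabled: false            # not needed; APISIX terminates TLS itself
---
# Option A (no cert-manager, air-gap friendly): a kubernetes.io/tls Secret built
# from the openssl-generated files. Equivalent to
#   kubectl -n apisix create secret tls www-m01-tls --cert=www.crt --key=www.key
# If www.crt was signed by an intermediate, append the intermediate after the
# leaf in tls.crt so clients that only trust m01ca.pem can build the chain.
apiVersion: v1
kind: Secret
metadata:
  name: www-m01-tls
  namespace: apisix           # assumed namespace of the apisix release
type: kubernetes.io/tls
stringData:
  tls.crt: |                  # placeholder: paste the PEM contents of www.crt here
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER
    -----END CERTIFICATE-----
  tls.key: |                  # placeholder: paste the PEM contents of www.key here
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDER
    -----END PRIVATE KEY-----
---
# Option B (cert-manager, also works air-gapped): a CA issuer backed by the
# private CA. A Secret named m01-ca holding tls.crt = m01ca.pem and tls.key =
# the CA private key must exist in the cert-manager namespace. The Certificate
# then writes www-m01-tls for you and renews it before expiry.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: m01-ca
spec:
  ca:
    secretName: m01-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-m01-net
  namespace: apisix
spec:
  secretName: www-m01-tls
  dnsNames:
    - www.m01.net
  issuerRef:
    name: m01-ca
    kind: ClusterIssuer
---
# Either way, this is what tells APISIX which certificate to serve for the SNI
# www.m01.net. The ingress controller turns it into an APISIX SSL object, the
# same thing the dashboard SSL form creates by hand. spec.secret.namespace is
# where the Secret lives and must be a namespace the controller watches.
apiVersion: apisix.apache.org/v2beta3
kind: ApisixTls
metadata:
  name: www-m01-net
  namespace: apisix
spec:
  hosts:
    - www.m01.net
  secret:
    name: www-m01-tls
    namespace: apisix
```

Apply with `helm upgrade apisix apisix/apisix -n apisix -f values-tls.yaml`, then `kubectl apply -f` the Secret (or the `ClusterIssuer` and `Certificate`) and the `ApisixTls`. APISIX selects the certificate by SNI, so test with the hostname, not the bare address: `curl --cacert m01ca.pem --resolve www.m01.net:443:<LB-IP> https://www.m01.net/`, or `openssl s_client -connect <LB-IP>:443 -servername www.m01.net -CAfile m01ca.pem`. A request to the IP without SNI will not match the `ApisixTls` host and fails the handshake, which is expected.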



[GitHub] [apisix-helm-chart] MirtoBusico edited a comment on issue #230: Request help: how to setup the gateway variables to enable HTTPS?

Posted by GitBox <gi...@apache.org>.
MirtoBusico edited a comment on issue #230:
URL: https://github.com/apache/apisix-helm-chart/issues/230#issuecomment-1030579375


   Hi @gardun0, I was able to do steps 1, 2, 3, and 7.
   
   Then I created an SSL resource using the apisix dashboard, giving the crt and key for www.m01.net.
   
   [Screenshot "apisix-ssl": https://user-images.githubusercontent.com/11090934/152635237-f53f0564-f573-4df0-a88b-ae6c75696c02.png]
   
   It seems to work. Am I missing something?
   

