Red Hat Fuse / ENTESB-17301

Avoid web console HTTP redirects on edge TLS termination

Details

    • Enhancement
    • Resolution: Done
    • Major
    • fuse-7.11-GA
    • fuse-7.9-GA
    • Hawtio
    • None

    Description

      The Operator automatically creates web console routes without TLS. If you want to access the console securely, you need to enable it by using a passthrough route and the sslEnabled property, or you may simply use an edge-terminated route, which is the way preferred by most customers.

      AMQ_NAME="my-broker"
      AMQ_REPLICAS="2"
      
      for i in $(seq 0 $(($AMQ_REPLICAS-1))); do
          kubectl patch route $AMQ_NAME-wconsj-$i-svc-rte --type json -p '[{
              "op":"add",
              "path":"/spec/tls",
              "value": {
                  "termination": "edge",
                  "insecureEdgeTerminationPolicy": "Redirect"
              }
          }]'
      done
      
      kubectl get routes  | grep wconsj
      my-broker-wconsj-0-svc-rte       my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com              my-broker-wconsj-0-svc       wconsj-0       edge               None
      my-broker-wconsj-1-svc-rte       my-broker-wconsj-1-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com              my-broker-wconsj-1-svc       wconsj-1       edge               None
      

      Now, if you add a firewall that blocks port 80 into the picture, the edge termination option can't be used, as the request is blocked on the first redirect.

      curl -vLk https://my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com/console 
      * Issue another request to this URL: 'http://my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com/console/auth/login'
      * Failed to connect to my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com port 80: Timed out
      

      In a similar scenario, the ServiceRegistry allows setting environment variables to override the default URLs, which is something we could add here too.

      https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/installing_and_deploying_service_registry_on_openshift/index#configuring-registry-ui
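
A check for the redirect failure shown in the curl trace above, added here as an example and not part of the original issue or of Hawtio: it scans `curl -vL` output for any hop that moves from https to http. The function name `find_downgrades`, the host `console.example.test` and the sample trace are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): flag https -> http redirect hops
# in a `curl -vL` trace, the failure mode described above.

# Constructed sample trace; host and paths are placeholders.
SAMPLE_TRACE="* Connected to console.example.test port 443
< HTTP/1.1 302 Found
* Issue another request to this URL: 'http://console.example.test/console/auth/login'
* Failed to connect to console.example.test port 80: Timed out"

# find_downgrades START_URL   (curl -v trace on stdin)
# Prints one line per hop that leaves https for http.
# Exit status: 1 if a downgrade was seen, 0 otherwise.
find_downgrades() {
    awk -v start="$1" '
        BEGIN { prev = start; bad = 0 }
        # curl announces each followed redirect with this line.
        /Issue another request to this URL:/ {
            split($0, part, "\047")      # URL sits between single quotes
            url = part[2]
            if (prev ~ /^https:/ && url ~ /^http:/) {
                print "DOWNGRADE " prev " -> " url
                bad = 1
            }
            prev = url
        }
        END { exit bad }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_TRACE" |
    find_downgrades "https://console.example.test/console" ||
    echo "redirect chain leaves TLS; port 80 must be reachable for it to work"
```

On a live route, pipe `curl -vLk <url> 2>&1` into the function and pass the same URL as its argument.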

            People

              rhn-support-tasato Tadayoshi Sato
              rhn-support-jsherman Jason Sherman
              Juri Solovjov Juri Solovjov