  1. AMQ Broker
  2. ENTMQBR-5204

[Operator] Avoid web console HTTP redirects on edge TLS termination


Details

    Description

      The Operator automatically creates web console routes without TLS. If you want to access the console securely, you need to enable it by using a passthrough route and the sslEnabled property, or you may simply use an edge-terminated route, which is the way preferred by most customers.

      AMQ_NAME="my-broker"
      AMQ_REPLICAS="2"
      
      for i in $(seq 0 $(($AMQ_REPLICAS-1))); do
          kubectl patch route $AMQ_NAME-wconsj-$i-svc-rte --type json -p '[{
              "op":"add",
              "path":"/spec/tls",
              "value": {
                  "termination": "edge",
                  "insecureEdgeTerminationPolicy": "Redirect"
              }
          }]'
      done
      
      kubectl get routes  | grep wconsj
      my-broker-wconsj-0-svc-rte       my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com              my-broker-wconsj-0-svc       wconsj-0       edge               None
      my-broker-wconsj-1-svc-rte       my-broker-wconsj-1-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com              my-broker-wconsj-1-svc       wconsj-1       edge               None
      

      Now, if you add a firewall that blocks port 80 into the picture, the edge termination option can't be used, as the request is blocked on the first redirect.

      curl -vLk https://my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com/console 
      * Issue another request to this URL: 'http://my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com/console/auth/login'
      * Failed to connect to my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com port 80: Timed out
      

      In a similar scenario, the ServiceRegistry allows setting environment variables to override the default URLs, which is something we could add here too.

      https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/installing_and_deploying_service_registry_on_openshift/index#configuring-registry-ui
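
      A check for the behaviour reported above, added here as an example and not part of the original issue or of the Operator: it reads a `curl -vL` trace and flags every followed redirect that leaves HTTPS for plain HTTP. The function names and the `console.example.test` host are assumptions made for the example; the first sample trace reuses the two lines quoted in the description.

```shell
#!/bin/sh
# Added example: detect HTTPS -> HTTP downgrades in a redirect chain.
# Input on stdin: the verbose trace that `curl -vL` writes to stderr.
# Prints one line per redirect target using cleartext http and
# returns 1 if any was found, 0 if the whole chain stayed on https.
find_downgrades() {
    awk -v q="'" '
        # curl -v announces each followed redirect with this marker line
        /Issue another request to this URL:/ {
            split($0, part, q)      # the target URL sits between single quotes
            hops++
            if (part[2] ~ /^http:\/\//) {
                printf "hop %d downgrades to cleartext: %s\n", hops, part[2]
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Trace lines taken from the issue description (edge route, console redirect).
sample_trace() {
    cat <<'EOF'
* Issue another request to this URL: 'http://my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com/console/auth/login'
* Failed to connect to my-broker-wconsj-0-svc-rte-broker.apps.cluster-4c2c.4c2c.example.opentlc.com port 80: Timed out
EOF
}

# Constructed trace of the desired behaviour: the redirect stays on https.
clean_trace() {
    cat <<'EOF'
* Issue another request to this URL: 'https://console.example.test/console/auth/login'
* Connected to console.example.test port 443
EOF
}

# Against a live route, feed the real trace instead of the samples:
#   curl -sS -vLk -o /dev/null "https://$ROUTE_HOST/console" 2>&1 | find_downgrades
sample_trace | find_downgrades || echo "FAIL: console redirect leaves TLS"
clean_trace | find_downgrades && echo "OK: redirect chain stays on https"
```

      Because the redirect target is read from the trace and no connection to port 80 is needed, the check reports the downgrade even when the firewall makes the follow-up request time out.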

            People

              dbruscin Domenico Francesco Bruscino
              rhn-support-fvaleri Federico Valeri
              Michal Toth Michal Toth