Upstream HealthChecks, TLS/SSL Connection and Websockets

Encrypting Traffic to upstream service

When EnRoute programs Envoy to connect to an upstream Endpoint for a service, you can instruct it to use SSL

Using Certificate to encrypt traffic

kubectl -n enroutedemo create secret tls backend.enroutedemo.com \
  --cert=backend.fullchain.pem \
  --key=backend.privkey.pem

Specify the certificate created in earlier step in GatewayHost

apiVersion: enroute.saaras.io/v1beta1
kind: GatewayHost
metadata:
  labels:
    app: hello-enroute
  name: hello-enroute-gatewayhost
  namespace: enroutedemo
spec:
  virtualhost:
    fqdn: 'he.enroutedemo.com'
    tls:
      secretName: he.enroutedemo.com
    filters:
      - name: helloenroute-jwtfilter
        type: http_filter_jwt
      - name: luatestfilter
        type: http_filter_lua
  routes:
    - conditions:
      - prefix: /
        header:
          name: ":method"
          exact: "GET"
      filters:
        - name: rl2
          type: route_filter_ratelimit
      healthCheck:
        path: /
        host: backend
        intervalSeconds: 5
        timeoutSeconds: 3
        unhealthyThresholdCount: 3
        healthyThresholdCount: 3
      enableWebsockets: true
      services:
        - name: hello-enroute
          port: 9091
          protocol: tls
          clientvalidation:
            caSecret: backend.enroutedemo.com

Note the clientvalidation field in GatewayHost. It points to the certificate created in the previous step.

The upstream service hello-enroute is serving on port 9091 over SSL.

The healthchecks are defined using the healthCheck field and they map to fields in Envoy HealthCheck

The enableWebsockets provides an option in Envoy config to upgrade the connection to websockets.