Upstream HealthChecks, TLS/SSL Connection and Websockets

Encrypting Traffic to upstream service

When EnRoute programs Envoy to connect to an upstream Endpoint for a service, you can instruct it to use SSL.

Using a certificate to encrypt traffic

kubectl -n enroutedemo create secret tls backend.enroutedemo.com \
  --cert=backend.fullchain.pem \
  --key=backend.privkey.pem

Specify the certificate created in the earlier step in the GatewayHost:

apiVersion: enroute.saaras.io/v1beta1
kind: GatewayHost
metadata:
  labels:
    app: hello-enroute
  name: hello-enroute-gatewayhost
  namespace: enroutedemo
spec:
  virtualhost:
    fqdn: 'he.enroutedemo.com'
    tls:
      secretName: he.enroutedemo.com
    filters:
      - name: helloenroute-jwtfilter
        type: http_filter_jwt
      - name: luatestfilter
        type: http_filter_lua
  routes:
    - conditions:
      - prefix: /
        header:
          name: ":method"
          exact: "GET"
      filters:
        - name: rl2
          type: route_filter_ratelimit
      enableWebsockets: true
      services:
        - name: hello-enroute
          port: 9091
          protocol: tls
          healthCheck:
            path: /
            host: backend
            intervalSeconds: 5
            timeoutSeconds: 3
            unhealthyThresholdCount: 3
            healthyThresholdCount: 3
          clientvalidation:
            caSecret: backend.enroutedemo.com

Note the clientvalidation field in the GatewayHost. Its caSecret points to the certificate (Secret backend.enroutedemo.com) created in the previous step.

The upstream service hello-enroute serves on port 9091 over SSL, hence protocol: tls on the service.

Health checks are defined using the healthCheck field; its sub-fields map to the fields of Envoy's HealthCheck configuration.

Setting enableWebsockets: true lets Envoy upgrade the connection to WebSockets for this route.
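A small consistency check over the manifest above, written as an added example (not part of EnRoute or of this page): it flags a tls service that names no caSecret or names a Secret that was never created, and health-check values that cannot work as intended. The rules are a reviewer's expectations rather than EnRoute's own validation; the sample spec is the page's GatewayHost as `kubectl get gatewayhost ... -o json` would return it, and `known_secrets` is assumed to come from `kubectl get secret -o name` in the same namespace.

```python
"""Sanity-check upstream TLS and health-check settings in an EnRoute GatewayHost."""
import json

# Constructed sample: the spec of the GatewayHost from this page, in the JSON
# shape that `kubectl get gatewayhost hello-enroute-gatewayhost -o json` returns.
SAMPLE = json.loads("""{"spec": {"routes": [{"enableWebsockets": true,
  "services": [{"name": "hello-enroute", "port": 9091, "protocol": "tls",
    "healthCheck": {"path": "/", "host": "backend", "intervalSeconds": 5,
      "timeoutSeconds": 3, "unhealthyThresholdCount": 3, "healthyThresholdCount": 3},
    "clientvalidation": {"caSecret": "backend.enroutedemo.com"}}]}]}}""")


def check_gatewayhost(manifest, known_secrets):
    """Return a list of findings; an empty list means the upstream settings look consistent.

    known_secrets: names of the TLS Secrets that exist in the GatewayHost's namespace.
    These rules are a reviewer's sanity checks (assumption), not EnRoute's own validation.
    """
    findings = []
    for route in manifest.get("spec", {}).get("routes", []):
        for svc in route.get("services", []):
            where = f"service {svc.get('name')}:{svc.get('port')}"
            if svc.get("protocol") == "tls":
                ca = svc.get("clientvalidation", {}).get("caSecret")
                if not ca:
                    findings.append(f"{where}: protocol tls without clientvalidation.caSecret "
                                    "(no CA configured to validate the upstream certificate)")
                elif ca not in known_secrets:
                    findings.append(f"{where}: caSecret {ca!r} is not among the known Secrets")
            hc = svc.get("healthCheck")
            if hc is None:
                continue  # no active health check on this service; nothing more to check
            if not hc.get("path"):
                findings.append(f"{where}: healthCheck.path is missing")
            interval, timeout = hc.get("intervalSeconds", 0), hc.get("timeoutSeconds", 0)
            if timeout >= interval:
                findings.append(f"{where}: timeoutSeconds ({timeout}) should be below "
                                f"intervalSeconds ({interval})")
            for key in ("unhealthyThresholdCount", "healthyThresholdCount"):
                if hc.get(key, 0) < 1:
                    findings.append(f"{where}: {key} must be at least 1")
    return findings


if __name__ == "__main__":
    for line in check_gatewayhost(SAMPLE, {"backend.enroutedemo.com"}) or ["ok"]:
        print(line)
```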