From http to https for specific service

Hello,
I have a tyk-ce on eks.
SSL termination is handled at the load balancer level and traffic is forwarded to tyk as http. I don’t have any problems with that.

…but I have an app on Kubernetes that works only on port 443 (kubernetes dashboard). How can I convert http to https for this particular service?

Regards

Hi @tirelibirefe, I am not sure I fully understand the scenario.

You can specify the protocol used in your target URL as https, or use a URL Rewrite plugin to target port 443 on your upstream. Using Tyk makes 2 calls: 1 from your client to your APIM, and another from the APIM to your backend or upstream.

I hope I understood your point.

Hello,
@Olu thanks for information.
Kubernetes dashboard has a bearer token; how/where should I enter its bearer token in the apidefinition file in Kubernetes?

Thanks & Regards

You can use global headers or transform headers to inject your bearer token upstream. The linked page also has the option of using the dashboard/UI if that is your preference.

@Olu
It’s ok, but how/where can I define it in the apidefinition yaml file?
https://tyk.io/docs/transform-traffic/request-headers/#update-the-api-definition-object

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []

The API definition (in json) should be a one-to-one mapping of the properties of the spec: in yaml. So my guess is that there should be something like

global_headers: 
    {header_name}: {header_value}

just underneath the paths property. The same should work for transform_headers (which is a child of extended_paths).

That’s what I would like to accomplish.

This is very achievable with Tyk. Did you try adding the global headers?

I spent a couple of hours but no luck :frowning:

Can you share the YAML you are using?

Here’s what it should look like:

There are more examples for other Gateway features in the operator here.

You say that you want HTTP to HTTPS.
My understanding is that the gateway should be listening on an HTTP port, such as 80 or 8080.

  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true

But your API Definition says:

  protocol: https
  listen_port: 443

If you listen on http and port 8080, then does this solve your problem?

Here is the yaml:

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        use_extended_paths: true
        extended_paths:
          global_headers: 
            Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6InNlaWJRUkVqUHFuaHYxWmZxLWo1dkVlOHFEX1RrbmI3YlhSSlM5OWxoNjgifQ.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.A3iW2r7quV-Q7ZaLtPpy0QYtrYfV8e3ifliGcHSZkYhjA5n6YyoixO_q1-LwYk1OXkv351bLyNS7HLG5azZHW6n0JjGeh90PTCYggGDriPWu1YXHGuUpVqTDUo2pmsU_mc_ktupYL4Uu6zjsvk0Y2rWiFdDbw26hYa2T8peC0vObsm_W9WgDD8avZHZkHk39tHqBtaDVSfzIVyoTiS0I5IQd86hRI3DtYFV0klpEGydl1ub75nMvNgcQ-kpAOa179DytgLGveW2345t2t2A-Y-XNv3pLDA2wLpYEWpK2lzWT7v3rnozYuZscTal1nuz__676IHasdfasdfaerqewrq

and the result :frowning:

$ k apply -f k8s-dashboard-ingress-tyk.yaml
ingress.networking.k8s.io/dashboard-ingress created
error: error validating "k8s-dashboard-ingress-tyk.yaml": error validating data: ValidationError(ApiDefinition.spec.version_data.versions.Default.extended_paths): unknown field "global_headers" in io.tyk.tyk.v1alpha1.ApiDefinition.spec.version_data.versions.extended_paths; if you choose to ignore these errors, turn validation off with --validate=false

Hi there,

this is incorrect.

global_headers is not a child of extended_paths, it is a sibling of paths.

Please see this example.

@ahmet The Kubernetes dashboard service, which is kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local, listens on 443.

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        use_extended_paths: true
        global_headers: 
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6InNlaWJRUkVqUHFuaHYxWmZxLWo1dkVlOHFEX1RrbmI3YlhSSlM5OWxoNjgifQ.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.A3iW2r7quV-Q7ZaLtPpy0QYtrYfV8e3ifliGcHSZkYhjA5n6YyoixO_q1-LwYk1OXkv351bLyNS7HLG5azZHW6n0Jjosıufgnw9e8ygw05ygnw09gybsdDbw26hYa2T8peC0vObsm_W9WgDD8avZHZkHk39tHqBtaDVSfzIVyoTiS0I5IQd86hRI3DtYFV0klpEGydl1ub75nMvNgcQ-kpAOa179DytgLGveWcN7tJEMv1A-Y-XNv3pLDA2wLpYEWpK2lzWT7v3rnozYuZscTal1nuz__676IHrsdfm9s8yrgnt9wsey5ng

I am still doing something wrongly.

Hi,

Ahmet’s comment about changing the protocol from https to http applies, as the definition specifies the expected incoming protocol. The upstream connection using https on port 443 is implied by the target_url scheme you’ve used.

The incoming protocol for your API Definition is still https in the YAML you’ve included. Can you try as Ahmet suggested and use http in its place, as you have indicated that incoming traffic to tyk will be http?

Thanks!

Best Regards,
Chris
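As an added check (not from this thread or from Tyk's own tooling), the Python linter below encodes the two corrections given above: Olu's point that global_headers must sit beside paths rather than under extended_paths (the cause of the kubectl validation error), and Chris's point that the listener protocol should be http when the ALB terminates TLS, while upstream TLS comes from the target_url scheme. The SPEC dict is a constructed copy of the YAML posted in the thread with a dummy token; the Bearer-prefix check (RFC 6750) and the literal-token check are assumptions I added, since a raw JWT in the custom resource is a plaintext secret in git and etcd.

```python
import copy
from typing import Any, Dict, List

# Constructed spec mirroring the thread's ApiDefinition; the token is a dummy.
SPEC: Dict[str, Any] = {
    "protocol": "https", "listen_port": 443,
    "proxy": {"target_url": "https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local",
              "listen_path": "/dashboard", "strip_listen_path": True},
    "version_data": {"default_version": "Default", "versions": {"Default": {
        "paths": {"black_list": [], "ignored": [], "white_list": []},
        "use_extended_paths": True,
        "extended_paths": {"global_headers": {"Authorization": "eyJhbGciOi.DUMMY.TOKEN"}},
    }}},
}

def lint_apidef(spec: Dict[str, Any], lb_terminates_tls: bool = True) -> List[str]:
    findings: List[str] = []
    # The ALB terminates TLS, so the gateway listener must accept plain http.
    if lb_terminates_tls and spec.get("protocol") != "http":
        findings.append("protocol: gateway receives plain http from the ALB; set protocol: http")
    # Upstream TLS is implied by the target_url scheme, not by the listener protocol.
    if not spec["proxy"]["target_url"].startswith("https://"):
        findings.append("proxy.target_url: dashboard only speaks TLS on 443; use an https:// scheme")
    for name, ver in spec["version_data"]["versions"].items():
        ext = ver.get("extended_paths", {})
        # CRD schema: global_headers is a sibling of paths, not a child of extended_paths.
        if "global_headers" in ext:
            findings.append(f"{name}.extended_paths.global_headers: unknown field; move it beside paths")
        auth = {**ext.get("global_headers", {}), **ver.get("global_headers", {})}.get("Authorization", "")
        # RFC 6750: the credential is sent as 'Authorization: Bearer <token>'.
        if auth and not auth.startswith("Bearer "):
            findings.append(f"{name}.global_headers.Authorization: missing 'Bearer ' scheme prefix")
        # A literal JWT in the CR is a plaintext secret in git and etcd.
        if (auth[7:] if auth.startswith("Bearer ") else auth).startswith("eyJ"):
            findings.append(f"{name}.global_headers.Authorization: literal token in the API definition")
    return findings

def fix_apidef(spec: Dict[str, Any]) -> Dict[str, Any]:
    """Corrected copy: http listener, global_headers beside paths, Bearer prefix added."""
    out = copy.deepcopy(spec)
    out["protocol"] = "http"
    for ver in out["version_data"]["versions"].values():
        moved = ver.get("extended_paths", {}).pop("global_headers", None)
        if moved:
            ver.setdefault("global_headers", {}).update(moved)
        auth = ver.get("global_headers", {}).get("Authorization")
        if auth and not auth.startswith("Bearer "):
            ver["global_headers"]["Authorization"] = "Bearer " + auth
    return out
```

Running lint_apidef on the thread's shape reports all four findings; after fix_apidef only the literal-token warning remains, which is the one to resolve by keeping the token out of the resource itself.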

@chris.f Actually I didn’t understand what you meant.
Actually I also didn’t understand what @ahmet meant.
The K8s dashboard svc listens on 443; if we don’t tell/indicate it to the apidefinition, how can Tyk know?

…but in case you’re right, I tried the following combinations:

That one didn’t work.

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        global_headers: 
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6Inblablalbalblab

That one didn’t work either.

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: http
  listen_port: 80
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        global_headers: 
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6Inblablalbalblab

That one (yes I know, it’s not logical) didn’t work either.

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: http
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        global_headers: 
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6Inblablalbalblab

If the connection comes in over http, the ALB redirects it to https, terminates it and sends it as http inside to Tyk.
If the connection comes in over https, the ALB terminates it and sends it as http inside to Tyk.

The http traffic must be sent to k8s-dashboard-svc as https with a bearer token; that’s what Tyk must do.

“ingress” or “apidefinition”: which one manages the connection that comes from outside in Tyk?