Hello,
I have a tyk-ce on EKS.
SSL termination is handled at the load balancer level and traffic is forwarded to Tyk as http. I don’t have any problems with that.
…but I have an app on Kubernetes that works only on port 443 (Kubernetes dashboard). How can I convert http to https for that particular service?
Regards
1 Like
Olu
October 4, 2021, 9:45am
2
Hi @tirelibirefe, I am not sure I fully understand the scenario.
You can specify the protocol used in your target URL as https or use a URL Rewrite plugin to target port 443 on your upstream. Using Tyk makes 2 calls, 1 from your client to your APIM, and another from the APIM to your backend or upstream.
I hope I understood your point.
Hello,
@Olu thanks for information.
Kubernetes dashboard has a bearer token, how/where should I enter its bearer token in apidefinition file in Kubernetes?
Thanks & Regards
Olu
October 5, 2021, 9:13am
4
You can use global headers or transform headers to inject your bearer token upstream. The linked page also has the option of using the dashboard/UI if that is your preference.
1 Like
@Olu
It’s ok but how/where can I define it in the apidefinition yaml file?
https://tyk.io/docs/transform-traffic/request-headers/#update-the-api-definition-object
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
```
Olu
October 5, 2021, 11:13am
6
The API definition (in json) should be a one to one mapping of the properties of the spec: in yaml. So my guess is that there should be something like
```yaml
global_headers:
  {header_name}: {header_value}
```
just underneath the paths property. The same should work for transform_headers (which is a child of extended_paths).
That’s what I would like to accomplish.
Olu
October 5, 2021, 2:41pm
9
This is very achievable with Tyk. Did you try adding the global headers?
I spent a couple of hours but no luck.
sedky
October 5, 2021, 4:30pm
11
Can you share the YAML you are using?
Here’s what it should look like:
There are more examples for other Gateway features in the operator here.
ahmet
October 5, 2021, 4:35pm
12
You say that you want HTTP to HTTPS.
My understanding is that the gateway should be listening on a HTTP port - such as 80 or 8080.
```yaml
protocol: https
listen_port: 443
use_keyless: true
active: true
proxy:
  target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
  listen_path: /dashboard
  strip_listen_path: true
```
But your API Definition says:
```yaml
protocol: https
listen_port: 443
```
If you listen on http and port 8080, then does this solve your problem?
Here is the YAML:
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        use_extended_paths: true
        extended_paths:
          global_headers:
            Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6InNlaWJRUkVqUHFuaHYxWmZxLWo1dkVlOHFEX1RrbmI3YlhSSlM5OWxoNjgifQ.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.A3iW2r7quV-Q7ZaLtPpy0QYtrYfV8e3ifliGcHSZkYhjA5n6YyoixO_q1-LwYk1OXkv351bLyNS7HLG5azZHW6n0JjGeh90PTCYggGDriPWu1YXHGuUpVqTDUo2pmsU_mc_ktupYL4Uu6zjsvk0Y2rWiFdDbw26hYa2T8peC0vObsm_W9WgDD8avZHZkHk39tHqBtaDVSfzIVyoTiS0I5IQd86hRI3DtYFV0klpEGydl1ub75nMvNgcQ-kpAOa179DytgLGveW2345t2t2A-Y-XNv3pLDA2wLpYEWpK2lzWT7v3rnozYuZscTal1nuz__676IHasdfasdfaerqewrq
```
and the result:
```
$ k apply -f k8s-dashboard-ingress-tyk.yaml
ingress.networking.k8s.io/dashboard-ingress created
error: error validating "k8s-dashboard-ingress-tyk.yaml": error validating data: ValidationError(ApiDefinition.spec.version_data.versions.Default.extended_paths): unknown field "global_headers" in io.tyk.tyk.v1alpha1.ApiDefinition.spec.version_data.versions.extended_paths; if you choose to ignore these errors, turn validation off with --validate=false
```
sedky
October 5, 2021, 4:38pm
14
Hi there,
this is incorrect. global_headers is not a child of extended_paths, it is a sibling of paths.
Please see this example.
@ahmet Kubernetes dashboard service which is kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local listens on 443
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        use_extended_paths: true
        global_headers:
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6InNlaWJRUkVqUHFuaHYxWmZxLWo1dkVlOHFEX1RrbmI3YlhSSlM5OWxoNjgifQ.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.A3iW2r7quV-Q7ZaLtPpy0QYtrYfV8e3ifliGcHSZkYhjA5n6YyoixO_q1-LwYk1OXkv351bLyNS7HLG5azZHW6n0Jjosıufgnw9e8ygw05ygnw09gybsdDbw26hYa2T8peC0vObsm_W9WgDD8avZHZkHk39tHqBtaDVSfzIVyoTiS0I5IQd86hRI3DtYFV0klpEGydl1ub75nMvNgcQ-kpAOa179DytgLGveWcN7tJEMv1A-Y-XNv3pLDA2wLpYEWpK2lzWT7v3rnozYuZscTal1nuz__676IHrsdfm9s8yrgnt9wsey5ng
```
I am still doing something wrongly.
chris.f
October 6, 2021, 12:10pm
17
Hi,
Ahmet’s comment about changing the protocol to be http to https applies as the definition is specifying the incoming protocol expected. The upstream connection using https on port 443 is implied in the target_url scheme you’ve used.
The incoming protocol for your API Definition is still https in the YAML you’ve included. Can you try as Ahmet suggested and use http in its place, as you have indicated that incoming traffic to tyk will be http?
Thanks!
Best Regards,
Chris
@chris.f actually I didn’t understand what you meant.
Actually I also didn’t understand what @ahmet meant.
K8s dashboard svc listens on 443; if we don’t tell/indicate it in the apidefinition, how can Tyk know?
…but in case you’re right, I tried the following combinations:
That one didn’t work.
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: https
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        global_headers:
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6Inblablalbalblab
```
That one didn’t work either.
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: http
  listen_port: 80
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        global_headers:
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6Inblablalbalblab
```
That one (yes I know, it’s not logical) didn’t work either.
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  labels:
    template: "true"
spec:
  name: dashboard-basit1
  protocol: http
  listen_port: 443
  use_keyless: true
  active: true
  proxy:
    target_url: https://kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
    listen_path: /dashboard
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
        global_headers:
          Authorization: eyJhbGciOiJSUzI1NiIsImtpZCI6Inblablalbalblab
```
If the connection comes from http, the ALB redirects it to https, terminates it and sends it as http inside to Tyk.
If the connection comes from https, the ALB terminates it and sends it as http inside to Tyk.
The http traffic must be sent to k8s-dashboard-svc as https with a bearer token; that’s what Tyk must do.
“ingress” or “apidefinition”: which one manages the connection that comes from outside in Tyk?
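A small lint for the header-injection mistakes worked through in this thread, as an added example that is not part of any post and is not Tyk's own code: it reports `global_headers` placed anywhere other than directly under `versions.<name>` (a sibling of `paths`), an `Authorization` value without the `Bearer` scheme, and a token stored in the manifest itself. The sample manifests and token are constructed, the parser handles only the mapping-style YAML shown above, and the scheme check assumes the upstream expects the RFC 6750 `Bearer <token>` form.

```python
import re

VERSION_PREFIX = ("spec", "version_data", "versions")
FAKE_JWT = "eyJhbGciOiJSUzI1NiJ9.e30.c2ln"  # constructed value, not a real credential

def walk(manifest):
    """Yield (path, value) for each 'key: value' line of a mappings-only YAML file."""
    stack = []  # (indent, key) of the mappings currently open
    for raw in manifest.splitlines():
        line = raw.rstrip()
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings that ended at this indentation
        stack.append((indent, key))
        yield tuple(k for _, k in stack), value.strip().strip("\"'")

def lint(manifest):
    """Return sorted finding codes for global_headers use in one ApiDefinition."""
    findings = set()
    for path, value in walk(manifest):
        if "global_headers" not in path:
            continue
        i = path.index("global_headers")
        # Per the thread: a sibling of `paths`, i.e. directly under versions.<name>.
        if i != 4 or path[:3] != VERSION_PREFIX:
            findings.add("misplaced-global-headers")
        if len(path) == i + 2 and path[-1].lower() == "authorization":
            if not value.startswith("Bearer "):
                findings.add("missing-bearer-scheme")
            if re.search(r"\beyJ[\w-]+", value):
                findings.add("token-in-manifest")  # credential readable by anyone with the YAML
    return sorted(findings)

# Constructed manifests: only the part of the spec that matters for the check.
HEAD = """\
spec:
  version_data:
    versions:
      Default:
        paths:
          white_list: []
"""
REJECTED = HEAD + "        extended_paths:\n          global_headers:\n            Authorization: " + FAKE_JWT
PLACED = HEAD + "        global_headers:\n          Authorization: Bearer " + FAKE_JWT
print(lint(REJECTED), lint(PLACED))
```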