Hello,
I am working on setting up Tyk open source gateway as an API Gateway to front a collection of services.
I am struggling to understand how to get certs & SSL set up correctly and I have a few questions around this.
First of all, my current setup involves configuring Tyk values to create a Kubernetes service with an AWS load balancer sitting in front of it. I configured the service with a selection of annotations including the following: service.beta.kubernetes.io/aws-load-balancer-backend-protocol=TCP. I then set tls=false in my Tyk values. With this setup, as I understand it, the load balancer will terminate SSL and forward the request to the Tyk service unencrypted.
I then registered an API with Tyk, with “https://example.com” as the target URL. Currently, when I try to send a request to the registered API, I get the error:
{
"error": "There was a problem proxying the request"
}
And I see in the logs:
time="Jan 24 00:20:21" level=error msg="http: proxy error: x509: certificate signed by unknown authority" api_id=b46d900f-253b-4ef0-83b0-5865ea6a9fd0 api_name="My API" mw=ReverseProxy org_id=1 prefix=proxy server_name=example.com user_id=-- user_ip=xxxxx user_name=
I am a little confused about what the right setup is to get requests proxied encrypted to my APIs behind the gateway. Should I instead not be terminating SSL at the LB level?
I have copied the Tyk Gateway Helm Chart into my own repo, so that I can add my own certs signed by a proper authority. Is there a way that I can use the chart from here: https://github.com/TykTechnologies/tyk-helm-chart/tree/master/tyk-headless and have my own certs without doing the copy-paste into my own repo? I have no other customizations currently that I want to make, but this was what the documentation seemed to be instructing. Or should I just be modifying the Tyk env variable for pointing at cert files, and mounting them my own way?
I know this post has a few different questions and confusions but any guidance would be greatly appreciated. Thank you!