This repository has been archived by the owner on Feb 14, 2023. It is now read-only.

Apps not available via HTTPS #46

Closed
acosta11 opened this issue Feb 26, 2020 · 4 comments

Comments

@acosta11 (Member)

Summary

HTTPS traffic does not reach apps running on cf-for-k8s.

Repro Steps

  1. Deploy cf-for-k8s and log in via the cf CLI
  2. Enable feature flag 'diego_docker'
  3. Target a space and push a docker app
  4. Attempt to curl the route provided in the push output and observe it is only available over unencrypted http.
> cf push myapp -o cloudfoundry/diego-docker-app

> curl -i http://myapp.<app-domain>
HTTP/1.1 200 OK
date: Wed, 26 Feb 2020 00:21:36 GMT
content-length: 1
content-type: text/plain; charset=utf-8
x-envoy-upstream-service-time: 3
server: istio-envoy

0

> curl -i https://myapp.<app-domain> -k
HTTP/2 404
date: Wed, 26 Feb 2020 00:21:18 GMT
server: istio-envoy

Context

Currently, there are two istio ingress gateways: one for the cf-system components and one for cf-workloads. The ingress gateway for cf-workloads namespace only configures a rule for unencrypted http traffic to port 80. Meanwhile the system component ingress gateway only listens for encrypted https traffic on port 443. So any encrypted https traffic to port 443 only matches the routing rule on the cf-system gateway and receives an istio 404 response. We expect to work with the cf-for-k8s networking team to resolve this issue.
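As an added illustration of the gateway split described above (this is example configuration, not cf-for-k8s's own manifests), the two Istio Gateway documents below show a workload gateway that only opens plaintext port 80, followed by the same gateway with an HTTPS server on 443 added for the app domain. The gateway name, namespace, pod selector, app domain and TLS Secret name are assumptions chosen for the example.

```yaml
# Added example, not cf-for-k8s's own manifests. Gateway name, namespace,
# selector, domain and Secret name are assumptions for illustration.
#
# BEFORE: the workload gateway only serves HTTP on port 80. A request to
# https://myapp.<app-domain>:443 has no matching server on this gateway, so
# it can only match whatever else is bound to 443 on the same ingress pods.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cf-workloads-gateway          # assumed name
  namespace: cf-workloads
spec:
  selector:
    istio: ingressgateway             # assumed label on the ingress pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.apps.example.com"            # assumed app domain
---
# AFTER: add an HTTPS server on 443 for the app domain, terminating TLS with
# a wildcard certificate for that domain, and turn port 80 into a redirect
# so plaintext is no longer a working path to the app.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cf-workloads-gateway
  namespace: cf-workloads
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.apps.example.com"
    tls:
      httpsRedirect: true             # answer plaintext with 301 to https://
  - port:
      number: 443
      name: https-apps
      protocol: HTTPS
    hosts:
    - "*.apps.example.com"
    tls:
      mode: SIMPLE                    # gateway terminates TLS
      credentialName: apps-wildcard-tls   # assumed kubernetes.io/tls Secret
```

Two caveats a practitioner would check before relying on this: with `credentialName`, Istio reads the Secret from the namespace where the ingress gateway pods run (istio-system by default), not from the Gateway's own namespace; and when two Gateways share the same ingress pods and both open port 443, their `hosts` must not overlap, which is the practical reason for keeping the app domain distinct from the system domain. After applying the change, the `curl -i https://myapp.<app-domain>` check from the repro steps should return the app's response instead of the gateway's 404.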

@cf-gitbot (Collaborator)


We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/171482241

The labels on this github issue will be updated when the story is started.

@loewenstein

Has this been solved by #64?

@XanderStrike (Contributor)


#64 provided documentation for how users could enable TLS by providing their own certs. The story title was misleading; I've updated the PR to better reflect the work that was actually done.

The story to enable TLS for ingress by default is here, and it is prioritized high in our backlog.

XanderStrike pushed a commit that referenced this issue Apr 28, 2020
* This bump of CF K8s Networking includes two changes.
  1. Removes the Status section from the Route CRD
      [#172569406](https://www.pivotaltracker.com/story/show/172569406).
  2. Changes which gateway is associated with the virtual services for
      app routes. This is part of the work needed to have app ingress routing
      support TLS by default.

* This also includes the changes to cf-for-k8s to enable app TLS by default
  1. New requirement for distinct app and system domains is documented
      in values files
  2. Fields added for new cert to values files
  3. generate-values now creates a 2nd cert for app ingress
      automatically

fixes #46

Co-authored-by: Alex Standke <astandke@vmware.com>
@jamespollard8 (Contributor)


Closed by #179
