Can Bridge To Kubernetes support HTTPS for local service? - kubernetes

I am using Bridge To Kubernetes to develop an ASP.NET Core API application locally.
The service uses Swagger that has a Login button to get an OAuth2 token. The OAuth flow requires the HTTPS protocol.
When running the service locally with Bridge to Kubernetes, I noticed that the service only listens on HTTP not HTTPS.
Searched documentation on Microsoft but no mentions of HTTPS.
Searched source code in GitHub and seems Bridge To Kubernetes only supports HTTP.
Just want to see if there is a workaround or it does not support HTTPS at all.

Finally, I figured out a way to do it by overwriting an environment variable URLS.
In the KubernetesLocalProcessConfig.yaml file,
    - name: URLS
      value: https://localhost:5001
This will make the local service listen on HTTPS on port 5001.
This code helps me to see all the environment variables:
    // Print every configuration key/value pair, including values supplied by environment variables.
    foreach (var c in builder.Configuration.AsEnumerable())
    {
        Console.WriteLine(c.Key + " = " + c.Value);
    }

Related

Connecting services without Dapr

New to Container Apps.
I'm trying to understand basic connectivity between services in Container Apps.
Let's say I have a web front in .NET Core and a Web API backend (.NET Core).
Without containerization, I could put the base address of my web API in the app settings of the front end to connect to the API, let's say localhost:5000 etc., using an HttpClient to do the call.
If I containerize the front end and API and deploy them to ACA, what would that look like? I think it would be like:
Ingress external for front end
Ingress internal for api
Port 80 for both front end and web api????
Or do I need to set up a base address of some sort to call the web API? Or an environment variable?
I put both ports to 80 but they cannot seem to connect.
Thanks!
In your "Without containerization" example, if your web UI is running on localhost:8080 for example, and your API is running on localhost:5000, then you'll need to enable CORS on the API. In that example, both your web UI and your API are "external". Anything you need to call from a browser is 'external'.
Internal only are for server to server communication, or microservices communicating with each other.
In your example, you'd deploy both as external apps, this will give you 2 domains https://webui.env.region.azurecontainerapps.io and https://api.env.region.azurecontainerapps.io then you will configure a CORS policy on the api app.
See this for more details.
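A CORS policy of the kind the answer above describes, as an added example that is not part of the original answer. It assumes ASP.NET Core 6+ minimal hosting; the policy name, the `Cors:AllowedOrigins` configuration key and the `/api/ping` endpoint are hypothetical, and the origin is the placeholder domain from the answer.

```csharp
// Program.cs for the API container app (added example, not the poster's code).
var builder = WebApplication.CreateBuilder(args);

const string WebUiPolicy = "WebUiOnly"; // hypothetical policy name

// Read the allowed origins from configuration so each environment sets its own list,
// e.g. environment variable Cors__AllowedOrigins__0=https://webui.env.region.azurecontainerapps.io
// The fallback is the placeholder web UI domain used in the answer above.
string[] allowedOrigins =
    builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>()
    ?? new[] { "https://webui.env.region.azurecontainerapps.io" };

builder.Services.AddCors(options =>
{
    options.AddPolicy(WebUiPolicy, policy => policy
        .WithOrigins(allowedOrigins)   // exact scheme and host, no trailing slash
        .WithMethods("GET", "POST", "PUT", "DELETE")
        .WithHeaders("Content-Type", "Authorization"));

    // Weak setting to avoid on an externally reachable API:
    //   policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()
    // It lets JavaScript served from any site read this API's responses.
});

var app = builder.Build();

// Register the CORS middleware before the endpoints it should cover.
app.UseCors(WebUiPolicy);

// Sample endpoint (hypothetical) to exercise the policy from the web UI.
app.MapGet("/api/ping", () => Results.Ok(new { status = "ok" }));

app.Run();
```

A browser request from any origin not in the list still reaches the API, but the response carries no `Access-Control-Allow-Origin` header, so the calling page cannot read it.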

Ocelot setup to redirect user on a react application

We are doing some server set up.
We are using an API gateway (Ocelot) installed on server Y, which will connect to APIs hosted on server X.
Server X also has a React application.
Server Y is accessible over the Internet, whereas server X is accessible from server Y.
Now the APIs are working perfectly, but the React application is not opening through Ocelot (server Y).
So the question is: will Ocelot open the React application?
Are you deploying the Ocelot API gateway in a DMZ and the React app and web services, database behind the firewall and allow only specific access via browser, mobile?
Is this a PWA site? Then you should be careful about using Ocelot for something that it is not intended for. Ocelot is an API gateway tool/technology and not unlike nginx that can perform this additional activity of routing the calls to web application and web services.
Please check the documentation of the Ocelot API gateway, if it allows for web application routing as well.

In kubernetes setup using Ingress controller, WSO2 API Manager redirects to 9443 for login flow

We followed the link below to set up WSO2 API Manager 3.2.0 in a Kubernetes setup. We didn't configure analytics, and we used persistent volumes for MySQL and API Manager.
https://github.com/wso2/kubernetes-apim/blob/3.2.x/simple/kubernetes-apim/wso2apim-deployment.yaml
Whenever we try to log in to publisher and devportal, it redirects to the login URL along with the port (we configured callback URLs in the /carbon portal without ports).
It should be redirecting to https://wso2apim/authenticationendpoint/login.do, but it is redirecting to https://wso2apim:9443/authenticationendpoint/login.do
You need to set proxy ports as follows in the deployment toml.
    [transport.https.properties]
    proxyPort = 443
https://github.com/wso2/kubernetes-apim/blob/3.2.x/advanced/am-pattern-1/templates/am/instance-1/wso2am-pattern-1-am-conf.yaml#L291-L292

AWS API Gateway HTTP Proxy for HTTPS connections

I cannot for the life of me get the AWS API Gateway HTTP Proxy to work, i.e. redirect http://<my-domain>.com to https://<my-domain>.com. Here is how I set it up:
Using the Test functionality on the ANY method inside the resource works. But if I simply do curl http://<my-domain>.com or run http://<my-domain>.com in Chrome, it fails to connect; https://<my-website>.com works just fine. I'm driving myself crazy trying to figure out what I'm missing here; it seems like it should just redirect http://<my-domain>.com to https://<my-domain>.com, but it doesn't (even on different devices).
So, it turns out that API Gateway's HTTP Proxy allows HTTPS traffic to go to an HTTP endpoint, but not the reverse. In fact, API Gateway won't even establish a connection on port 80; from the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS
endpoints only. Amazon API Gateway does not support unencrypted (HTTP)
endpoints.
API Gateway doesn't support unencrypted HTTP traffic. Here are the possible options you can do to secure your website:
If you have access to the server that hosts the website, install an SSL certificate to the webserver.
If the website is hosted on EC2, you can set up a load balancer and let it do the SSL termination.

Kubernetes API proxy for HTTPS endpoints

Kubernetes surfaces an API proxy, which allows querying the internal services via eg: https://myhost.com/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/
This is all well, and good. However, for security & compliance reasons, all of our services expose an HTTPS endpoint. Attempting to access them by going to https://myhost/api/v1/proxy/namespaces/default/services/myhttpsservice:3000/ results in
Error: 'read tcp 172.20.122.129:48830->100.96.29.113:3000: read: connection reset by peer'
Trying to reach: 'http://100.96.29.113:3000/'
Because the endpoint, 100.96.29.113:3000 is in fact https.
Is there any way to configure the proxy to apply SSL to specific service endpoints?
(Edit: If this is not currently possible, a relevant GitHub issue link for tracking the feature request is also an acceptable answer until it is.)
As documented at https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls (and pointed out on Slack), you can access services behind HTTPS by prefixing the service name with "https:".
Using the example from above, correctly it would be: https://myhost/api/v1/proxy/namespaces/default/services/https:myhttpsservice:3000/
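How the service segment of the proxy URL is read, as an added example that is not part of the original answer. It assumes the segment format `[https:]service_name[:port_name]` given in the Kubernetes documentation linked above; `TrySplit` and `Describe` are hypothetical helpers that follow that format, not the apiserver's code, and the sample segments are constructed from the question and answer.

```csharp
using System;

// Split a proxy service segment of the form [scheme:]service_name[:port].
static bool TrySplit(string segment, out string scheme, out string name, out string port)
{
    scheme = ""; name = ""; port = "";
    string[] parts = segment.Split(':');
    switch (parts.Length)
    {
        case 1: name = parts[0]; break;
        case 2: name = parts[0]; port = parts[1]; break;   // name:port, never scheme:name
        case 3: scheme = parts[0]; name = parts[1]; port = parts[2]; break;
        default: return false;
    }
    // Only an empty scheme, "http" or "https" is accepted, and a name is required.
    return name.Length > 0 && (scheme == "" || scheme == "http" || scheme == "https");
}

// Describe which backend the proxy would contact for a given segment.
static string Describe(string segment)
{
    if (!TrySplit(segment, out var scheme, out var name, out var port))
        return $"{segment,-28} -> rejected";
    string effective = scheme == "" ? "http" : scheme;   // no prefix means plain HTTP
    string shownPort = port == "" ? "(default port)" : port;
    return $"{segment,-28} -> {effective} to service '{name}', port {shownPort}";
}

// Constructed inputs: the segments from the question and the answer, plus edge cases.
string[] samples =
{
    "myhttpsservice:3000",        // question: contacted over http, the TLS backend resets
    "https:myhttpsservice:3000",  // answer: contacted over https
    "https:myhttpsservice:",      // https on the default port needs the trailing colon
    "https:myhttpsservice",       // pitfall: read as service 'https', port 'myhttpsservice'
    "ftp:myhttpsservice:3000",    // unsupported scheme
};

foreach (var s in samples)
    Console.WriteLine(Describe(s));
```

The two-part case is the one to watch: without the trailing colon, the `https` prefix is taken as the service name, so the request targets the wrong service instead of switching to TLS.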