MirtoBusico commented on issue #235:
URL: 
https://github.com/apache/apisix-helm-chart/issues/235#issuecomment-1053405075


   Well my framework is:
   
   - a client machine for browser access - resolves addresses with these lines 
in /etc/hosts file
   ```
   192.168.102.120  m01serv m01serv.m01.net
   192.168.102.120  k6k k6k.m01.net
   192.168.102.120  njsapp njsapp.m01.net
   
   192.168.102.121  reg.m01.net
   192.168.102.121  m01km m01km.m01.net
   192.168.102.121  www.m01.net
   192.168.102.121  api.m01.net
   192.168.102.121  www2.m01.net
   192.168.102.121  api2.m01.net
   192.168.102.121  lh.m01.net
   
   192.168.102.122  m01kw1 m01kw1.m01.net
   
   192.168.102.123  m01kw2 m01kw2.m01.net
   ```
   
   - a virtual machine (m01serv) for cluster external services (such as keycloak, 
DNS ...) that resolves addresses using the local DNS service
   - a kubernetes cluster that uses K3S - every node resolves addresses using 
the DNS service on m01serv
     - m01km master and worker node 
     - m01kw1 a worker node
     - m01kw2 a worker node
   
   In this framework the Istio service mesh is installed on every node and 
Apisix is installed with loadbalancer access as ingress controller
   
   In all the nodes the private CA certificate is installed in the OS, so you 
can access the keycloak server (https://k6k.m01.net) without having the "unable 
to get local issuer certificate" issue
   
   With apisix used as ingress controller for the cluster I'm using the 
**openid-connect** and **authz-keycloak** plugins and they work correctly 
accessing the keycloak server (https://k6k.m01.net) that is outside the 
cluster.
   Maybe those plugins don't do a strict certificate verification.
   
   In my mind when the plugin accesses the external keycloak server the request 
should be originated from the apisix pod and I should be able to curl the 
keycloak server from the same pod.
   
   BTW until the two plugins work correctly, I don't need to have the private 
CA certificate recognized by apisix.
   You can close the thread.
   Thanks for your time
   
   
   
   
   
   
   
   
   

