
This guide describes how to configure TLS for Ingress and Route in the Logging components.

Ingress NGINX Controller With TLS

The Ingress NGINX Controller can work with a secret generated by cert-manager or with custom certificates.

Route In OpenShift

Route Without TLS

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: <specify-uniq-route-name>
  namespace: <specify-namespace-where-vmstack-is-installed>
spec:
  host: <specify-your-target-host-here>
  to:
    kind: Service
    name: vmauth-k8s
    weight: 100
  port:
    targetPort: http

Route With TLS

An Edge termination type route is generated automatically along with the Ingress; try to access the route URL.

To run Reencrypt routes, deploy monitoring without Ingress, e.g. victoriametrics.vmAuth.ingress.install: false (similarly for all ingresses), and use the following templates as examples for creating OpenShift Routes manually:

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: <specify-uniq-route-name>
  namespace: <specify-namespace-where-vmstack-is-installed>
spec:
  host: <specify-your-target-host-here>
  to:
    kind: Service
    name: vmauth-k8s
    weight: 100
  port:
    targetPort: http
  tls:
    termination: reencrypt
    destinationCACertificate: <place-CA-certificate-here-from-created-TLS-secret>
    insecureEdgeTerminationPolicy: Redirect

Example with reference for vmauth:

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: vmauth-route
spec:
  host: <specify-your-target-host-here>
  tls:
    termination: reencrypt
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
  path: /
  to:
    kind: Service
    name: vmauth-k8s
  port:
    targetPort: http

If, after creating the route above, the browser shows a net::ERR_TOO_MANY_REDIRECTS error, one possible root cause is HTTP traffic between the balancers and the cluster, which means the route has not been added to the balancer's whitelist. To resolve the issue, contact the INFRA team to add the route to that list.

Note: The destinationCACertificate field must contain the CA certificate generated by cert-manager, which you can find under Workloads > Secrets. Although cert-manager was used here to obtain the certificates, custom certificates also work.
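The following added example (not part of the original guide or the project's tooling) fills destinationCACertificate from the secret instead of copying it by hand, and refuses a value that is empty, not a PEM certificate, or contains a private key. The function names, the `ca.crt` key lookup and the sample value are assumptions made for illustration.

```shell
# Added example, not the project's tooling: render the reencrypt Route from
# the base64 `ca.crt` value stored in the TLS secret.
# Decode the value; accept it only if it holds PEM certificates and no key.
decode_ca() {
  local pem
  pem=$(printf '%s' "$1" | base64 -d 2>/dev/null) || {
    echo "ca.crt is not valid base64" >&2; return 1; }
  [ -n "$pem" ] || { echo "ca.crt is empty in this secret" >&2; return 1; }
  case "$pem" in
    *"PRIVATE KEY"*)
      echo "value contains a private key, wrong secret field?" >&2; return 1 ;;
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
    *) echo "ca.crt is not a PEM certificate" >&2; return 1 ;;
  esac
  printf '%s\n' "$pem"
}

# Arguments: route name, namespace, host, base64 ca.crt value.
render_reencrypt_route() {
  local name="$1" namespace="$2" host="$3" ca
  ca=$(decode_ca "$4") || return 1
  cat <<EOF
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: $name
  namespace: $namespace
spec:
  host: $host
  to:
    kind: Service
    name: vmauth-k8s
    weight: 100
  port:
    targetPort: http
  tls:
    termination: reencrypt
    destinationCACertificate: |-
$(printf '%s\n' "$ca" | sed 's/^/      /')
    insecureEdgeTerminationPolicy: Redirect
EOF
}

# Constructed sample: PEM armor around dummy data, not a real certificate.
SAMPLE_CA_B64=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' \
  'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' | base64 | tr -d '\n')
# On a cluster (placeholders are yours to fill in):
#   b64=$(oc get secret <tls-secret> -n <namespace> -o jsonpath='{.data.ca\.crt}')
#   render_reencrypt_route vmauth-route <namespace> <host> "$b64" | oc apply -f -
```

Review the rendered manifest before applying it; the check only validates the PEM framing, not that the CA actually signed the certificate served by vmauth-k8s.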