π‘οΈ Understanding Edge Termination in OpenShift π
In todayβs cloud-native world, securing your applications is crucial. One common question developers and DevOps engineers face is how TLS (Transport Layer Security) termination is handled within OpenShift (or Kubernetes) when setting up routes for services. Let's dive into what Edge Termination is and why it matters for your architecture. π‘
π What is Edge Termination?
Edge termination refers to how TLS traffic (the encrypted traffic that uses HTTPS) is managed when it reaches your OpenShift cluster. Here's a quick breakdown:
- Edge Termination means that the TLS encryption is terminated at the OpenShift router (the entry point of your application). In this case, the router decrypts the HTTPS traffic, and from there, the traffic is sent to your backend services as plain HTTP (unencrypted). This helps offload the encryption/decryption overhead from your internal services. πΌ
π§βπ» How Does It Work?
Imagine you have a service like thanos-remotewrite-receive. You want external clients to communicate securely over HTTPS, but within your OpenShift network, you don't need to manage TLS for internal communication. In such a case, edge termination is perfect.
In the YAML configuration below, you'll see how edge termination is set up:
tls:
termination: edge
This ensures that external clients (outside your OpenShift cluster) will use HTTPS, but the traffic to the thanos-remotewrite-receive service will be in HTTP after the router handles the encryption part. πβ‘οΈπ‘
πΌοΈ Example Configuration
To achieve this setup where external clients use HTTPS and the traffic to the thanos-remotewrite-receive service within the OpenShift cluster is in HTTP, you can configure an OpenShift route with TLS termination. The TLS termination will handle HTTPS at the router, and the traffic within the cluster can remain HTTP.
Route Configuration for TLS Termination:
Here is an example YAML file to create a route with TLS termination in OpenShift:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: thanos-remotewrite
namespace: monitoring
spec:
host: thanos.example.com
to:
kind: Service
name: thanos-remotewrite-receive
weight: 100
port:
targetPort: 10901 # The target port for HTTP service within the cluster
tls:
termination: edge # TLS termination at the router
insecureEdgeTerminationPolicy: Redirect # Redirect HTTP to HTTPS
wildcardPolicy: None
Breakdown of Configuration:
-
TLS Termination: The router handles HTTPS, decrypting the traffic and sending HTTP to the service inside the cluster.
-
InsecureEdgeTerminationPolicy: This policy ensures that any HTTP requests are redirected to HTTPS.
-
TargetPort: Set to the port where the
thanos-remotewrite-receiveservice is running (in this case, port10901).
With this configuration, external clients connect over HTTPS, but traffic from the OpenShift router to the service (thanos-remotewrite-receive) is in plain HTTP.
This setup keeps external communications secure while simplifying internal traffic.
In the example YAML file, the route specifies termination: edge, ensuring secure external communication while simplifying internal communication.
π― Why Should You Care?
-
Better Performance: Offloading TLS termination to the OpenShift router improves the performance of your internal services by reducing the computational load.
-
Simplicity: No need to manage certificates for each service internally.
-
Security: You still maintain HTTPS security for all external traffic coming into your application.
π Connect with me:
Want to dive deeper into OpenShift routing strategies or chat about DevOps best practices? Connect with me!
Understanding how TLS termination works in OpenShift is key to building secure, high-performance applications. π I hope this post helps clarify edge termination for you! Feel free to reach out if you have any questions. π
Imported from rifaterdemsahin.com Β· 2025