
Support https in the OpenShift apicast template

Open radarlui opened this issue 7 years ago • 6 comments

There should be an OpenShift template for deploying the nginx gateway on OpenShift with a service supporting https. The key and certificate for the ssl config come from the volume of an OpenShift secret.

radarlui avatar Nov 11 '16 15:11 radarlui

That would work only for one service. Gateway has to support multiple, so it has to use ssl_certificate_by_lua to find the right certificate for the domain name.

mikz avatar Nov 11 '16 15:11 mikz

If we terminate the SSL at the router layer, we can use a "Re-Encryption" route. The OpenShift router will validate the SSL cert based on the CA (not on host) and we don't need to do the SNI work right now.

This way we can have SSL everywhere.

https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html#re-encryption-termination

Or even use a multiple domain SSL certificate / wildcard until we have the SNI implemented.

jmprusi avatar Nov 14 '16 11:11 jmprusi
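
A sketch of the re-encryption route described in the comment above, as an added example that is not from the thread or the APIcast project. The route name, hostname, Service name and port name are assumptions, and the PEM bodies are placeholders.

```yaml
# Added example. All names below are hypothetical; PEM bodies are placeholders.
apiVersion: v1
kind: Route
metadata:
  name: apicast-reencrypt          # hypothetical route name
spec:
  host: api.example.com            # hypothetical public hostname
  to:
    kind: Service
    name: apicast                  # hypothetical Service in front of the gateway pods
  port:
    targetPort: https              # hypothetical named port where the gateway serves TLS
  tls:
    # The router terminates the client's TLS session, then opens a second
    # TLS connection to the pod, so traffic is encrypted on both legs.
    termination: reencrypt
    # Certificate and key the router presents to clients. A wildcard or
    # multi-domain certificate goes here when several hostnames are served.
    certificate: |-
      -----BEGIN CERTIFICATE-----
      <PLACEHOLDER: public certificate>
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN PRIVATE KEY-----
      <PLACEHOLDER: private key, keep out of version control>
      -----END PRIVATE KEY-----
    # CA the router uses to validate the certificate served by the gateway pod.
    # The pod's key and certificate can be mounted from an OpenShift secret volume.
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      <PLACEHOLDER: CA that signed the gateway's serving certificate>
      -----END CERTIFICATE-----
# With "termination: passthrough" the certificate, key and
# destinationCACertificate fields are dropped and the gateway itself
# handles the TLS handshake, including SNI.
```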

This can be solved by #141. Combined with https://github.com/3scale/apicast/tree/v2/examples/custom-config can have multiple hosts with different certificates.

Will have native TLS support in the future, but now can be resolved by customizations.

mikz avatar Nov 17 '16 14:11 mikz

Joaquim, can you tell us if that workaround will continue to be supported in OpenShift 1.4?

andrewdavidmackenzie avatar Nov 17 '16 14:11 andrewdavidmackenzie

@andrewdavidmackenzie yes, this is a type of route in OpenShift, I can't see why they are going to remove it in the future.

Once we have proper support in apicast, we can change the route type to passthrough and let apicast handle the SNI.

jmprusi avatar Nov 21 '16 13:11 jmprusi

I heard something mentioned about dropping support for self-signed certificates, or something similar...

andrewdavidmackenzie avatar Nov 21 '16 13:11 andrewdavidmackenzie