IBM Security Verify

Hi,
We have installed ISVA 10.0.0.0 in a kubernetes Cluster.
We would like to expose the isva-config cli port through an Ingress controller.
we're using the following definition (yaml)

apiVersion: extensions/v1beta1 kind: Ingress metadata: name: isva.xxx.yyy.net spec: rules: - host: isva.xxx.yyy.net http: paths: - backend: serviceName: verify-access-isvaconfig servicePort: 9443 path: / pathType: ImplementationSpecific status:n loadBalancer: ingress: - ip: 10.yyy.nn.1 - ip: 10.yyy.nn.2 - ip: 10.yyy.nn.3 ​
And as far as we can tell Ingress has no problems with the syntax.

But all we get when going to the host ivsa.xxx.yyy.net  is

<html> <head><title>502 Bad Gateway</title></head> <body> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.17.10</center> </body> </html> ​
Simple question -- why is this? Shouldn't the 9443 port be made accessible via Ingress??

Thanks in advance


------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Anders,

This is the ingress definition that I use:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: isvaconfig
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - lmi.iamlab.ibm.com
  rules:
  - host: lmi.iamlab.ibm.com
    http:
      paths:
      - path: /
        backend:
          serviceName: isvaconfig
          servicePort: 9443

Perhaps that can help you?

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Mon August 31, 2020 07:51 AM
From: Anders Domeij
Subject: ISVA on Kubernetes -- port 9443 for ISVA-config not seen in Ingress

Hi,
We have installed ISVA 10.0.0.0 in a kubernetes Cluster.
We would like to expose the isva-config cli port through an Ingress controller.
we're using the following definition (yaml)

apiVersion: extensions/v1beta1kind: Ingressmetadata: name: isva.xxx.yyy.netspec: rules: - host: isva.xxx.yyy.net http: paths: - backend: serviceName: verify-access-isvaconfig servicePort: 9443 path: / pathType: ImplementationSpecificstatus:n loadBalancer: ingress: - ip: 10.yyy.nn.1 - ip: 10.yyy.nn.2 - ip: 10.yyy.nn.3​
And as far as we can tell Ingress has no problems with the syntax.

But all we get when going to the host ivsa.xxx.yyy.net  is

<html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.17.10</center></body></html>​
Simple question -- why is this? Shouldn't the 9443 port be made accessible via Ingress??

Thanks in advance


------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Thanks Jon,
problem solved!


we (the configuration tool) missed the
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
annotation.
As did we when checking the YAML.


------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: Wed September 02, 2020 12:55 PM
From: Jon Harry
Subject: ISVA on Kubernetes -- port 9443 for ISVA-config not seen in Ingress

Anders,

This is the ingress definition that I use:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: isvaconfig
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - lmi.iamlab.ibm.com
  rules:
  - host: lmi.iamlab.ibm.com
    http:
      paths:
      - path: /
        backend:
          serviceName: isvaconfig
          servicePort: 9443

Perhaps that can help you?

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon August 31, 2020 07:51 AM
From: Anders Domeij
Subject: ISVA on Kubernetes -- port 9443 for ISVA-config not seen in Ingress

Hi,
We have installed ISVA 10.0.0.0 in a kubernetes Cluster.
We would like to expose the isva-config cli port through an Ingress controller.
we're using the following definition (yaml)

apiVersion: extensions/v1beta1kind: Ingressmetadata: name: isva.xxx.yyy.netspec: rules: - host: isva.xxx.yyy.net http: paths: - backend: serviceName: verify-access-isvaconfig servicePort: 9443 path: / pathType: ImplementationSpecificstatus:n loadBalancer: ingress: - ip: 10.yyy.nn.1 - ip: 10.yyy.nn.2 - ip: 10.yyy.nn.3​
And as far as we can tell Ingress has no problems with the syntax.

But all we get when going to the host ivsa.xxx.yyy.net  is

<html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.17.10</center></body></html>​
Simple question -- why is this? Shouldn't the 9443 port be made accessible via Ingress??

Thanks in advance


------------------------------
Anders Domeij
CGI Sweden AB
------------------------------