When I try to connect to the WebSocket through the gateway I get a 403 error

0 votes

I have deployed two services to a Kubernetes Cluster on GCP:

One is a Spring Cloud API Gateway implementation:

apiVersion: v1
kind: Service
metadata:
  name: api-gateway
spec:
  ports:
  - name: main
    port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: api-gateway
    tier: web
  type: NodePort

The other one is a backend chat service implementation which exposes a WebSocket at /ws/path.

apiVersion: v1
kind: Service
metadata:
  name: chat-api
spec:
  ports:
  - name: main
    port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: chat
    tier: web
  type: NodePort

The API Gateway is exposed to the internet through a Contour Ingress Controller:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-gateway-ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - secretName: api-gateway-tls
    hosts:
    - api.mydomain.com.br
  rules:
  - host: api.mydomain.com.br
    http:
      paths:
      - backend:
          serviceName: api-gateway
          servicePort: 80

The gateway routes incoming calls on the /chat/ path to the chat service on /ws/:

@Bean
public RouteLocator routes(RouteLocatorBuilder builder) {
    return builder.routes()
            .route(r -> r.path("/chat/**")
                    // The replacement refers to the named group as ${segment}
                    .filters(f -> f.rewritePath("/chat/(?<segment>.*)", "/ws/${segment}"))
                    .uri("ws://chat-api"))
            .build();
}

When I try to connect to the WebSocket through the gateway I get a 403 error:

error: Unexpected server response: 403

Oct 1, 2018 in Kubernetes by lina
• 8,100 points
283 views

1 answer to this question.

0 votes

Try upgrading Contour to v0.6.0-beta.3 with IngressRoute.

You can add an IngressRoute resource (CRD) like this (remove your previous Ingress resource):

#ingressroute.yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: api-gateway-ingress
  namespace: default
spec:
  virtualhost:
    fqdn: api.mydomain.com.br
    tls:
      secretName: api-gateway-tls
  routes:
    - match: /
      services:
        - name: api-gateway
          port: 80
    - match: /chat
      enableWebsockets: true
      services:
        - name: api-gateway
          port: 80

answered Oct 1, 2018 by Kalgi
• 39,330 points
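
To see which hop returns the 403 from the question, a minimal RFC 6455 opening-handshake probe can be pointed at each service in turn. This is an added example, not code from the question or the answer; it assumes plain HTTP to the in-cluster services, and the sample key and responses are constructed.

```python
import base64, hashlib, os, socket

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
# Constructed samples so the parser can be exercised offline.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_101 = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\n"
              b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_403 = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

def accept_for(key: str) -> str:
    """Sec-WebSocket-Accept value a compliant server returns for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()

def build_request(host: str, path: str, key: str) -> bytes:
    """Opening handshake: an HTTP/1.1 GET carrying the upgrade headers."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Upgrade: websocket",
             "Connection: Upgrade", f"Sec-WebSocket-Key: {key}",
             "Sec-WebSocket-Version: 13", "", ""]
    return "\r\n".join(lines).encode()

def classify(response: bytes, key: str) -> str:
    """Tell a completed upgrade apart from a refusal such as the 403."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "not an HTTP response"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if parts[1] == "101":
        ok = headers.get("sec-websocket-accept") == accept_for(key)
        return "upgraded" if ok else "101 with wrong Sec-WebSocket-Accept"
    if parts[1] == "403":
        return "rejected: 403 before upgrade"
    return f"not upgraded: HTTP {parts[1]}"

def probe(host: str, port: int, path: str, timeout: float = 5.0) -> str:
    """Send one handshake over plain TCP and classify the first reply."""
    key = base64.b64encode(os.urandom(16)).decode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, path, key))
        return classify(s.recv(4096), key)  # headers normally fit one read
```

From a pod inside the cluster, `probe("chat-api", 80, "/ws/path")` and `probe("api-gateway", 80, "/chat/path")` test the backend and the gateway without the ingress in front; the public endpoint is TLS-only and would need the socket wrapped with `ssl`.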
