TLS Termination Types in OpenShift - unix1998/technical_notes GitHub Wiki

In the context of an OpenShift Route, termination: edge specifies the type of TLS (Transport Layer Security) termination being used. TLS termination refers to the point at which encrypted SSL/TLS traffic is decrypted. OpenShift supports several types of TLS termination, and edge is one of them.

TLS Termination Types in OpenShift

  1. Edge Termination:

    • Definition: With edge termination, SSL/TLS encryption is terminated at the OpenShift Router. This means that the traffic between the client and the OpenShift Router is encrypted, but the traffic between the router and the backend service (your application) is unencrypted HTTP.
    • Use Case: Useful when you need to ensure encryption over the public internet but don't require encryption within the cluster.
    • Example:
      tls:
        termination: edge
      
  2. Passthrough Termination:

    • Definition: With passthrough termination, SSL/TLS traffic is not terminated at the router but is instead passed through to the backend service, which then handles the SSL/TLS termination. This means that the entire path from the client to the backend service is encrypted.
    • Use Case: Useful when the backend service itself needs to manage the SSL certificates and the encrypted traffic.
    • Example:
      tls:
        termination: passthrough
      
  3. Re-encrypt Termination:

    • Definition: With re-encrypt termination, SSL/TLS traffic is terminated at the router and then re-encrypted before being sent to the backend service. This ensures encryption throughout the entire path.
    • Use Case: Useful when you need end-to-end encryption, including within the cluster.
    • Example:
      tls:
        termination: reencrypt
Explanation of termination: edge

When you specify termination: edge in your Route configuration, it means:

  • The OpenShift Router will handle the SSL/TLS encryption and decryption.
  • The communication between the client (browser or other external system) and the router will be encrypted using HTTPS.
  • The communication between the router and your backend service (Nginx in this case) will be unencrypted HTTP.

Here's the relevant part of your Route configuration with termination: edge:

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: nginx-route
  labels:
    app: nginx
spec:
  to:
    kind: Service
    name: nginx-service
  port:
    targetPort: 80
  tls:
    termination: edge
  wildcardPolicy: None
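As an added example (not from the original page), the following Python audits the JSON that `oc get routes -A -o json` returns and reports, per route, which of the two hops (client to router, router to backend) the chosen termination leaves in plaintext; the route list is a constructed sample that includes the nginx-route above, and insecureEdgeTerminationPolicy is OpenShift's own field for whether the router also accepts plain HTTP on edge and reencrypt routes.

```python
"""Audit OpenShift Routes for how far TLS reaches on each hop (added example)."""
import json

# Which hops are encrypted per termination mode: (client->router, router->backend)
HOPS = {None: (False, False), "edge": (True, False),
        "reencrypt": (True, True), "passthrough": (True, True)}

def audit_route(route):
    """Return (name, findings) for one Route object (a parsed dict)."""
    name = f'{route["metadata"]["namespace"]}/{route["metadata"]["name"]}'
    tls = route["spec"].get("tls") or {}
    term = tls.get("termination")
    if term not in HOPS:
        return name, [f"unknown termination {term!r}"]
    client_hop, backend_hop = HOPS[term]
    findings = []
    if not client_hop:
        findings.append("no tls stanza: route serves plaintext HTTP to clients")
    if not backend_hop:
        findings.append("router->backend hop is plaintext HTTP inside the cluster")
    # For edge/reencrypt the router can also accept plain HTTP from clients:
    # 'Allow' keeps it open, 'Redirect' upgrades to HTTPS, absent/None refuses.
    if term in ("edge", "reencrypt") and tls.get("insecureEdgeTerminationPolicy") == "Allow":
        findings.append("insecureEdgeTerminationPolicy=Allow: plaintext HTTP also accepted from clients")
    return name, findings

def audit_routes(route_list_json):
    """Audit every item in an `oc get routes -o json` List; returns {name: findings}."""
    items = json.loads(route_list_json)["items"]
    return dict(audit_route(r) for r in items)

# Constructed sample: the page's nginx-route plus two contrasting routes.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "web", "name": "nginx-route"},
     "spec": {"to": {"kind": "Service", "name": "nginx-service"},
              "port": {"targetPort": 80}, "tls": {"termination": "edge"}}},
    {"metadata": {"namespace": "web", "name": "legacy-http"},
     "spec": {"to": {"kind": "Service", "name": "legacy"}}},
    {"metadata": {"namespace": "api", "name": "api-reencrypt"},
     "spec": {"to": {"kind": "Service", "name": "api"},
              "tls": {"termination": "reencrypt",
                      "insecureEdgeTerminationPolicy": "Allow"}}},
]})

if __name__ == "__main__":
    for name, findings in audit_routes(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "both hops encrypted")
```

Pipe real output in with `oc get routes -A -o json | python3 audit.py` by replacing SAMPLE with `sys.stdin.read()`.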

When to Use Edge Termination

  • Simplified Certificate Management: You only need to manage SSL/TLS certificates on the OpenShift Router, not on each backend service.
  • Performance: Edge termination can reduce the computational overhead on your backend services since they don’t need to handle SSL/TLS encryption and decryption.
  • Security: Provides a good balance of security and performance by ensuring encrypted traffic over public networks while keeping internal traffic unencrypted; this is only appropriate when the cluster network between the router and the backend pod is trusted.

Summary

termination: edge in an OpenShift Route configuration specifies that SSL/TLS termination should occur at the OpenShift Router, providing encrypted communication between the client and the router but not between the router and the backend service. This setup is suitable for many scenarios where securing public traffic is necessary but encryption within the cluster is not critical.