OpenShift route TLS termination: edge, passthrough and reencrypt

openshift route TLS edge passthrough reencrypt

2 min read | by Jordi Prats

To be able to expose a service externally on OpenShift we can use the Route object. Generally speaking, Routes can be either secured or unsecured, in case we choose to use a secured route we can configured it to work in three different ways: edge, passthrough and reencrypt.

  • edge: TLS termination occurs at the router before sending traffic to the Pod, having to configure the TLS certificates at the route.
  • passthrough: TLS termination occurs at the Pod, so the TLS certificates needs to be configured at the Pod. Hence there's no need to configure a TLS certificate in the Route object.
  • reencrypt: A combinations the previous two: TLS terminates at the router, but a new TLS connection is established between the router and the Pod. With this configuration we need to configure TLS certificates at the Route level and the Pod level.

So basically it comes down to:

  • If traffic can be sent unencrypted within the cluster (or there's a ServiceMesh in place that transparently encrypts internal traffic), edge is a good choice since it's not going to compromise security.
  • If you want the Pod to handle TLS certificates instead of using the Route object, use passthrough.
  • When you have a backend that uses TLS certificates but want clients to use a different certificate, use reencrypt. However, using this setup you'll have to handle TLS certificates on the Route and on the Pods.

Posted on 28/11/2022