Imagine this scenario:

  • An API Gateway
  • A Backend Service

deployed on a Kubernetes cluster. We also have:

  • An external authenticated service (imagine an external web application outside our infrastructure).

The backend needs to access the external service, but first it needs to get an auth token via the login endpoint.

Problem 1: This endpoint returns something like this:

"eyJhbGciOiJS..." 

Basically, a string. Unluckily, the backend service requires a structure like this instead:

{
  "token": "eyJhbGciOiJS..."
}

Now, in order to do so, I want to call my API Gateway instead and try to rewrite the response. To do so, I first create an ExternalName Service on the cluster:

apiVersion: v1
kind: Service
metadata:
  name: <service-name>
  namespace: <namespace>
spec:
  type: ExternalName
  externalName: <external-service-host>

and also an Ingress that points to the API Gateway, which will redirect to the ExternalName Service:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: <ingress-name>
  namespace: <namespace>
  annotations:
    kubernetes.io/tls-acme: 'true'
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  ingressClassName: nginx
  tls:
    - secretName: <tls-secret-name>
      hosts:
        - <host>
  rules:
    - host: <host>
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: <api-gateway-service-name>
                port:
                  number: <api-gateway-service-port>

Everything works fine up to this point. The fault occurs at the last step, when the ExternalService sends the actual request on the . I tried to do the login via Insomnia, and this is what pops out:

{
    "message": "The method is not allowed for the requested URL."
}

and this is the timeline:

[...]
> POST /auth/login HTTP/2
> Host: <host>/auth/login
> content-type: application/json
> user-agent: insomnia/2023.5.8
> accept: */*
> content-length: 66
[...]
< HTTP/2 301 
< date: Fri, 27 Oct 2023 15:45:58 GMT
< content-type: text/html
< location: <external-service>/auth/login
< vary: Origin
< access-control-allow-origin: *
< access-control-allow-methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
< access-control-max-age: 5
< access-control-expose-headers: **
< access-control-allow-credentials: true
< strict-transport-security: max-age=15724800; includeSubDomains
[...]
* Connection #105 to host <host> left intact
* Issue another request to this URL: '<external-service>/auth/login'
* Switch from POST to GET <------ NOT GOOD
[...]
> GET /auth/login HTTP/2
> Host: <external-service>
> content-type: application/json
> user-agent: insomnia/2023.5.8
> accept: */*
[...]

As you can see, out of nowhere, it decides to switch from a POST request to a GET one when it tries to redirect from the HTTP to the HTTPS protocol. Of course, this results in a 405 (method not allowed), which makes it useless.

So, here I am, wondering if there is any way to use the ExternalName Service without trying an HTTP connection in the first instance, but HTTPS instead, in order to skip the method rewriting.

P.S. I also tried to connect the backend service with the API Gateway in order to ensure that the same problem occurs both with Insomnia and the software itself. As you can imagine, it happens.
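
The POST-to-GET switch in the timeline is how curl-style HTTP clients handle a 301: the request is reissued as a GET without its body, whereas a 307 or 308 replays the original method. The following is an added example, not part of the original question: a constructed local server stands in for both hops, and the `/final/auth/login` path, the demo credentials and the `make_handler`, `follow` and `login_via` names are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_handler(redirect_code):
    class Handler(BaseHTTPRequestHandler):
        def _serve(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if self.path == "/auth/login":  # first hop answers with a redirect
                status, location = redirect_code, "/final/auth/login"
            else:  # final hop: login endpoint that only accepts POST
                status, location = (200 if self.command == "POST" else 405), None
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        do_GET = do_POST = _serve
        def log_message(self, *args): pass  # keep the demo quiet
    return Handler

def follow(method, body, status):
    # curl-style rule: 301/302/303 turn a POST into a bodiless GET,
    # while 307/308 replay the original method and body unchanged.
    if status in (301, 302, 303) and method == "POST":
        return "GET", None
    return method, body

def login_via(redirect_code):
    """Return (final status, method that reached the login endpoint)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(redirect_code))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        method, body, path = "POST", b'{"user": "demo"}', "/auth/login"
        for _ in range(3):  # bounded number of hops
            conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
            conn.request(method, path, body=body)
            resp = conn.getresponse()
            resp.read()
            location = resp.getheader("Location")
            conn.close()
            if location is None:
                return resp.status, method
            method, body, path = *follow(method, body, resp.status), location
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(login_via(301), login_via(308))
```

With a 301 the login endpoint sees a GET and answers 405, matching the timeline above; with a 307 or 308 the POST and its body arrive intact.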
