Access Web Console when using Istio service mesh
This document describes how to access Portworx Backup UI when using Istio service mesh with istio-sidecar enabled in your Kubernetes cluster.
Before Portworx Backup Pods can participate in the Istio service mesh, the Namespace must have sidecar injection enabled. Label the Portworx Backup Namespace accordingly:
kubectl label namespace <pxb-namespace> istio-injection=enabled
If you are using Istio with a revision label (for example, with istioctl managed installations), use the revision-specific label instead:
kubectl label namespace <pxb-namespace> istio.io/rev=<revision>
For more information, see Enable mTLS.
You have the following options to access the Portworx Backup UI:
- Normal HTTP access via istio-ingress-gateway
- Access via OpenShift route
- HTTPS access via Ingress Gateway
If multiple applications share the same URL prefix or are behind the same Istio ingress, you can also configure a dedicated hostname for Portworx Backup UI with Istio.
Normal HTTP access via ingress-gateway
Once the Pods are up and running, you can access the backup UI through the Istio ingress gateway. Fetch the node port of the istio-ingressgateway service from istio-system (for port 80):
kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}'
The UI URL is <master-node-ip>:<ingress-nodeport>.
Access via OpenShift route
To access the backup UI via an OpenShift route, create a new route in the istio-system Namespace by following these steps:
- Navigate to Networking > Routes, select the project istio-system, and click Create Route.
- Provide a relevant name.
- Select the service istio-ingressgateway.
- Select target port 80-8080 (TCP) and click Create.
The created route can be used to access the Portworx Backup UI.
HTTPS access via ingress-gateway
To access the backup UI over HTTPS via Istio ingress-gateway, follow one of these options:
Configuring HTTPS access to the Portworx Backup UI via OpenShift route
Portworx Backup on OpenShift with Istio+mTLS can be exposed through the OpenShift router using one of two mutually exclusive modes.
- Route Passthrough → TLS terminates at Istio (recommended if you want Istio to present the certificate)
- Route Edge → TLS terminates at the OpenShift router (Istio receives HTTP)
Option 1: route passthrough (TLS at Istio)
- Create a TLS secret for Istio (server cert + key):
  - Option A: you already have a cert/key (PEM)
kubectl -n istio-system create secret tls tls-secret \
  --cert=/path/to/server.crt \
  --key=/path/to/server.key
  - Option B: generate a self-signed cert for the Route FQDN
FQDN="pxb-route-istio-system.apps.<ocp-domain>"
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=${FQDN}" \
  -addext "subjectAltName=DNS:${FQDN}" \
  -keyout server.key -out server.crt
kubectl -n istio-system create secret tls tls-secret \
  --cert=server.crt --key=server.key
- Create an OpenShift Route (Passthrough) to Istio. Create a new passthrough route (or patch an existing one):
oc create route passthrough pxb-route \
  -n istio-system \
  --service=istio-ingressgateway \
  --port=https \
  --hostname=pxb-route-istio-system.apps.<ocp-domain>
# If already created, force the correct settings:
oc patch route pxb-route -n istio-system --type=merge -p \
  '{"spec":{"tls":{"termination":"passthrough"},"port":{"targetPort":"https"}}}'
- Update the Istio Gateway in the px-backup namespace so that it listens on port 443 (HTTPS) and references a TLS secret stored in the istio-system namespace:
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: pxbackup-gateway
  namespace: px-backup
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: tls-secret # secret with tls.crt/tls.key in istio-system
    hosts:
    - pxb-route-istio-system.apps.<ocp-domain>
- Update the VirtualService (route to Portworx Backup UI):
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: pxbackup-ui-vs
  namespace: px-backup
spec:
  hosts:
  - pxb-route-istio-system.apps.<ocp-domain>
  gateways:
  - pxbackup-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: px-backup-ui.px-backup.svc.cluster.local
        port:
          number: 80
- Access the Portworx Backup UI via the Route. Open your browser to https://pxb-route-istio-system.apps.<ocp-domain>/.
Option 2: route edge termination
Use this when you want the OpenShift router to terminate HTTPS with its own certificate. The router speaks HTTP to the Istio ingressgateway, and Istio then routes to the Portworx Backup UI.
- Create the OpenShift Route (Edge). Use the name of the 80/TCP port from the service (usually http2):
HTTP80_NAME=$(oc get svc istio-ingressgateway -n istio-system \
  -o jsonpath='{range .spec.ports[?(@.port==80)]}{.name}{"\n"}{end}')
# Create (or patch) the Route for edge TLS + redirect to https
oc create route edge pxb-route \
  -n istio-system \
  --service=istio-ingressgateway \
  --port="${HTTP80_NAME}" \
  --hostname=pxb-route-istio-system.apps.<ocp-domain> \
  --insecure-policy=Redirect 2>/dev/null || \
oc patch route pxb-route -n istio-system --type=merge -p \
  "{\"spec\":{\"tls\":{\"termination\":\"edge\",\"insecureEdgeTerminationPolicy\":\"Redirect\"}}}"
- Configure the Istio Gateway (HTTP-only):
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: pxbackup-gateway
  namespace: px-backup
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - pxb-route-istio-system.apps.<ocp-domain>
- Create the VirtualService (HTTP route to Portworx Backup UI):
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: pxbackup-ui-vs
  namespace: px-backup
spec:
  hosts:
  - pxb-route-istio-system.apps.<ocp-domain>
  gateways:
  - pxbackup-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: px-backup-ui.px-backup.svc.cluster.local
        port:
          number: 80
- (Recommended) Preserve X-Forwarded-Proto: https through Istio. Because TLS is terminated at the router, apps might need to know the original scheme to generate https:// links. Ensure the ingress gateway trusts the router as a single proxy hop so that it preserves the X-Forwarded-* headers:
kubectl -n istio-system patch deploy istio-ingressgateway \
  -p '{"spec":{"template":{"metadata":{"annotations":{"proxy.istio.io/config":"{\"gatewayTopology\":{\"numTrustedProxies\":1}}"}}}}}'
- Access the Portworx Backup UI via the Route. Open your browser to https://pxb-route-istio-system.apps.<ocp-domain>/.
Configuring HTTPS access to the Portworx Backup UI via external load balancer
When using Istio as the ingress layer in a Kubernetes cluster (for example with a LoadBalancer service managed via MetalLB), follow these additional steps to securely expose the Portworx Backup UI over HTTPS:
- Ensure your istio-ingressgateway service is exposed with a public/external IP or hostname.
  - Example: Use an IP address pool with MetalLB and deploy a LoadBalancer service of istio-ingressgateway.
  - Verify using the command:
kubectl get svc -n istio-system istio-ingressgateway
You should see an EXTERNAL-IP (e.g., 10.13.239.201).
- Update the Istio Gateway in the px-backup namespace so that it listens on port 443 (HTTPS) and references a TLS secret stored in the istio-system namespace:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: pxbackup-gateway
  namespace: px-backup
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: tls-secret
    hosts:
    - "pxb-ui.yourdomain.com"
    - "10.13.239.201"
- Update the VirtualService in the px-backup namespace so that it routes traffic from the Gateway to the px-backup-ui service:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: pxbackup-ui-vs
  namespace: px-backup
spec:
  hosts:
  - "pxb-ui.yourdomain.com"
  - "10.13.239.201"
  gateways:
  - pxbackup-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: px-backup-ui.px-backup.svc.cluster.local
        port:
          number: 80
- Ensure the TLS certificate used in tls-secret is valid for the hostname or IP you are exposing (e.g., pxb-ui.yourdomain.com or the external IP). The certificate's SAN must include the host you will use to access the UI.
- Once the spec is applied, you can access the UI via https://<hostname-or-external-IP>. Example: https://10.13.239.201.
Configure a dedicated hostname for Portworx Backup UI with Istio
When multiple apps share the same URL prefix or are behind the same Istio ingress, set a unique hostname for Portworx Backup so routing is done by host instead of path.
You can pass this via Helm: --set istio.hostName=<your.fqdn>.
OpenShift
- Choose a unique FQDN under your OpenShift apps domain, e.g.: pxbroute-istio-system.apps.<ocp-domain>
- Install/upgrade: pass the hostname through Helm:
helm install px-central portworx/px-central --version <pxb-version> \
  --namespace px-backup --create-namespace \
  --set istio.enabled=true \
  --set istio.hostName=pxbroute-istio-system.apps.<ocp-domain>
This sets the Portworx Backup VirtualService spec.hosts to your hostname (instead of *).
- Create (or patch) the OpenShift Route to the Istio ingress. The Route lives in istio-system and points at the istio-ingressgateway Service.
oc create route edge pxb-route \
  -n istio-system \
  --service=istio-ingressgateway \
  --port=http2 \
  --hostname=pxbroute-istio-system.apps.<ocp-domain>
- Ensure the VirtualService uses the hostname.
# pxcentral-virtualservice.yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: pxcentral-virtualservice
  namespace: px-backup
spec:
  gateways:
  - pxcentral-gateway
  hosts:
  - pxbroute-istio-system.apps.<ocp-domain>
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: px-central-ui.px-backup.svc.cluster.local
        port:
          number: 80
- Access the UI: http://pxbroute-istio-system.apps.<ocp-domain>/
Other Kubernetes
- Pick a unique FQDN, e.g.: pxb.local.com
- Install/upgrade:
helm install px-central portworx/px-central --version <pxb-version> \
  --namespace px-backup --create-namespace \
  --set istio.enabled=true \
  --set istio.hostName=pxb.local.com
- Point the name to your ingress:
  - If you have a LoadBalancer: create a DNS A-record → <LB_IP>.
  - If you're using NodePort for testing: add the following line to /etc/hosts on your workstation:
<node-ip> pxb.local.com
Then open http(s)://pxb.local.com:<ingress-gateway-nodeport>/.