# Access Web Console when using Istio service mesh

This document describes how to access the Portworx Backup UI when using the Istio service mesh with the istio-sidecar enabled in your Kubernetes cluster. You have the following options to access the Portworx Backup UI:

- Normal HTTP access via istio-ingress-gateway
- Access via OpenShift route
- HTTPS access via Ingress Gateway

In case you have multiple applications sharing the same URL prefix or sitting behind the same Istio ingress, you can also configure a dedicated hostname for the Portworx Backup UI with Istio.
## Normal HTTP access via ingress-gateway

Once the pods are up and running, the backup UI can be accessed through the Istio ingress gateway. Fetch the node port of the istio-ingressgateway service in istio-system (for port 80):

```shell
kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}'
```

The UI URL is `<master-node-ip>:<ingress-nodeport>`.
## Access via OpenShift route

To access the backup UI via an OpenShift route, create a new route in the istio-system namespace by following the steps below:

- Navigate to Networking -> Routes, select the project `istio-system` and click Create Route.
- Provide a relevant name.
- Select the service `istio-ingressgateway`.
- Select target port 80-8080 (TCP) and click Create.

The created route can be used to access the Portworx Backup UI.
## HTTPS access via ingress-gateway

To access the backup UI over HTTPS via the Istio ingress-gateway, follow either of the options below.

### Configuring HTTPS access to the Portworx Backup UI via OpenShift Route

Portworx Backup on OpenShift with Istio and mTLS can be exposed through the OpenShift router using one of two mutually exclusive modes:

- Route Passthrough: TLS terminates at Istio (recommended if you want Istio to present the certificate)
- Route Edge: TLS terminates at the OpenShift router (Istio receives HTTP)
#### Option 1: Route Passthrough (TLS at Istio)

- Create a TLS secret for Istio (server cert + key).

  Option A: you already have a cert/key (PEM):

  ```shell
  kubectl -n istio-system create secret tls tls-secret \
    --cert=/path/to/server.crt \
    --key=/path/to/server.key
  ```

  Option B: generate a self-signed cert for the Route FQDN:

  ```shell
  FQDN="pxb-route-istio-system.apps.<ocp-domain>"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=${FQDN}" \
    -addext "subjectAltName=DNS:${FQDN}" \
    -keyout server.key -out server.crt
  kubectl -n istio-system create secret tls tls-secret \
    --cert=server.crt --key=server.key
  ```

- Create an OpenShift Route (passthrough) to Istio. Create a new passthrough route, or patch an existing one:

  ```shell
  oc create route passthrough pxb-route \
    -n istio-system \
    --service=istio-ingressgateway \
    --port=https \
    --hostname=pxb-route-istio-system.apps.<ocp-domain>
  # If already created, force the correct settings:
  oc patch route pxb-route -n istio-system --type=merge -p \
    '{"spec":{"tls":{"termination":"passthrough"},"port":{"targetPort":"https"}}}'
  ```

- Update the Istio Gateway in the px-backup namespace so that it listens on port 443 (HTTPS) and references a TLS secret stored in the istio-system namespace:

  ```yaml
  apiVersion: networking.istio.io/v1
  kind: Gateway
  metadata:
    name: pxbackup-gateway
    namespace: px-backup
  spec:
    selector:
      istio: ingressgateway
    servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: tls-secret # secret with tls.crt/tls.key in istio-system
      hosts:
      - pxb-route-istio-system.apps.<ocp-domain>
  ```

- Update the VirtualService (route to the PX-Backup UI):

  ```yaml
  apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    name: pxbackup-ui-vs
    namespace: px-backup
  spec:
    hosts:
    - pxb-route-istio-system.apps.<ocp-domain>
    gateways:
    - pxbackup-gateway
    http:
    - match:
      - uri:
          prefix: /
      route:
      - destination:
          host: px-backup-ui.px-backup.svc.cluster.local
          port:
            number: 80
  ```

- Access the PX-Backup UI via the Route. Open your browser to `https://pxb-route-istio-system.apps.<ocp-domain>/`.
#### Option 2: Route Edge termination

Use this when you want the OpenShift router to terminate HTTPS with its own certificate. The router speaks HTTP to the Istio ingressgateway; Istio then routes to the PX-Backup UI.

- Create the OpenShift Route (edge). Use the name of the 80/tcp port from the service (usually "http2"):

  ```shell
  HTTP80_NAME=$(oc get svc istio-ingressgateway -n istio-system \
    -o jsonpath='{range .spec.ports[?(@.port==80)]}{.name}{"\n"}{end}')
  # Create (or patch) the Route for edge TLS + redirect to https
  oc create route edge pxb-route \
    -n istio-system \
    --service=istio-ingressgateway \
    --port="${HTTP80_NAME}" \
    --hostname=pxb-route-istio-system.apps.<ocp-domain> \
    --insecure-policy=Redirect 2>/dev/null || \
  oc patch route pxb-route -n istio-system --type=merge -p \
    "{\"spec\":{\"tls\":{\"termination\":\"edge\",\"insecureEdgeTerminationPolicy\":\"Redirect\"}}}"
  ```

- Configure the Istio Gateway (HTTP-only):

  ```yaml
  apiVersion: networking.istio.io/v1
  kind: Gateway
  metadata:
    name: pxbackup-gateway
    namespace: px-backup
  spec:
    selector:
      istio: ingressgateway
    servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
      - pxb-route-istio-system.apps.<ocp-domain>
  ```

- Create the VirtualService (HTTP route to the PX-Backup UI):

  ```yaml
  apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    name: pxbackup-ui-vs
    namespace: px-backup
  spec:
    hosts:
    - pxb-route-istio-system.apps.<ocp-domain>
    gateways:
    - pxbackup-gateway
    http:
    - match:
      - uri:
          prefix: /
      route:
      - destination:
          host: px-backup-ui.px-backup.svc.cluster.local
          port:
            number: 80
  ```

- (Recommended) Preserve `X-Forwarded-Proto: https` through Istio. Because TLS is terminated at the router, applications might need to know the original scheme to generate `https://` links. Ensure the ingress gateway trusts the router as a single proxy hop so that it preserves the `X-Forwarded-*` headers:

  ```shell
  kubectl -n istio-system patch deploy istio-ingressgateway \
    -p '{"spec":{"template":{"metadata":{"annotations":{"proxy.istio.io/config":"{\"gatewayTopology\":{\"numTrustedProxies\":1}}"} }}}}'
  ```

- Access the PX-Backup UI via the Route. Open your browser to `https://pxb-route-istio-system.apps.<ocp-domain>/`.
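As an added illustration of what the numTrustedProxies setting means (this is example code written for this page, not Istio's or Portworx's), the Go function below models the rule an ingress proxy applies when it trusts N proxy hops in front of it: the client address is the N-th entry from the right of X-Forwarded-For, entries further left (which a client can forge before the router appends its own) are ignored, and X-Forwarded-Proto is honoured only when at least one hop is trusted. The rule is a simplification of Envoy's behaviour, not its code, and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ForwardedClient models how an ingress proxy that trusts numTrustedProxies
// hops in front of it derives the original client IP and scheme.
//   - xff is the X-Forwarded-For header, xfProto the X-Forwarded-Proto header,
//     remoteAddr the immediate peer ("ip:port") that connected to the gateway.
//   - With numTrustedProxies == 0 the headers are untrusted: the peer itself is
//     the client and the scheme is what the gateway saw on the wire (plaintext
//     in the edge setup).
//   - With numTrustedProxies == N, the rightmost N-1 entries of X-Forwarded-For
//     are the trusted proxies' own addresses (each appended by the next hop), so
//     the N-th from the right is the address the first trusted proxy saw: the
//     client. X-Forwarded-Proto is then taken at face value.
// Simplified restatement of the Envoy/Istio rule, written for this example.
func ForwardedClient(xff, xfProto, remoteAddr string, numTrustedProxies int) (clientIP, scheme string) {
	clientIP = remoteAddr
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		clientIP = host
	}
	scheme = "http" // the edge route delivers plaintext to the gateway

	if numTrustedProxies <= 0 {
		return clientIP, scheme
	}

	// Parse X-Forwarded-For into its comma-separated hops, oldest first.
	var hops []string
	for _, h := range strings.Split(xff, ",") {
		if h = strings.TrimSpace(h); h != "" && net.ParseIP(h) != nil {
			hops = append(hops, h)
		}
	}
	// The immediate peer is trusted hop 1 and is not listed in the header,
	// so trusted hop N corresponds to index len(hops)-N. Too few entries
	// means the header cannot be trusted and the peer stays the client.
	if idx := len(hops) - numTrustedProxies; idx >= 0 {
		clientIP = hops[idx]
	}
	// Only the literal values http/https are honoured; anything else is ignored.
	switch strings.ToLower(strings.TrimSpace(xfProto)) {
	case "https":
		scheme = "https"
	case "http":
		scheme = "http"
	}
	return clientIP, scheme
}

func main() {
	// Constructed sample: an HTTPS browser request from 203.0.113.10 that passed
	// through the OpenShift router (10.0.0.5) before reaching the ingress gateway.
	ip, scheme := ForwardedClient("203.0.113.10", "https", "10.0.0.5:44321", 1)
	fmt.Printf("trusting 1 hop:  client=%s scheme=%s\n", ip, scheme)
	ip, scheme = ForwardedClient("203.0.113.10", "https", "10.0.0.5:44321", 0)
	fmt.Printf("trusting 0 hops: client=%s scheme=%s\n", ip, scheme)
	// A client that forges a leading X-Forwarded-For entry cannot displace the
	// entry the router appended, because only the N-th from the right is used.
	ip, _ = ForwardedClient("1.2.3.4, 203.0.113.10", "https", "10.0.0.5:44321", 1)
	fmt.Printf("forged prefix:   client=%s\n", ip)
}
```

The point to take from the model is that numTrustedProxies must equal the number of hops you actually control: too low and the gateway treats the router as the client and drops the scheme; too high and an untrusted entry in the header is taken as the client address.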
### Configuring HTTPS access to the Portworx Backup UI via External Load Balancer

When using Istio as the ingress layer in a Kubernetes cluster (for example with a LoadBalancer service managed via MetalLB), follow these additional steps to securely expose the Portworx Backup UI over HTTPS:

- Ensure your `istio-ingressgateway` service is exposed with a public/external IP or hostname.
  - Example: use an IP address pool with MetalLB and deploy a LoadBalancer service for `istio-ingressgateway`.
  - Verify using the command:

    ```shell
    kubectl get svc -n istio-system istio-ingressgateway
    ```

    You should see an `EXTERNAL-IP` (e.g., `10.13.239.201`).

- Update the Istio Gateway in the `px-backup` namespace so that it listens on port 443 (HTTPS) and references a TLS secret stored in the `istio-system` namespace:

  ```yaml
  apiVersion: networking.istio.io/v1beta1
  kind: Gateway
  metadata:
    name: pxbackup-gateway
    namespace: px-backup
  spec:
    selector:
      istio: ingressgateway
    servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: tls-secret
      hosts:
      - "pxb-ui.yourdomain.com"
      - "10.13.239.201"
  ```

- Update the VirtualService in the `px-backup` namespace so that it routes traffic from the Gateway to the `px-backup-ui` service:

  ```yaml
  apiVersion: networking.istio.io/v1beta1
  kind: VirtualService
  metadata:
    name: pxbackup-ui-vs
    namespace: px-backup
  spec:
    hosts:
    - "pxb-ui.yourdomain.com"
    - "10.13.239.201"
    gateways:
    - pxbackup-gateway
    http:
    - match:
      - uri:
          prefix: /
      route:
      - destination:
          host: px-backup-ui.px-backup.svc.cluster.local
          port:
            number: 80
  ```

- Ensure the TLS certificate used in `tls-secret` is valid for the hostname or IP you are exposing (e.g., `pxb-ui.yourdomain.com` or the external IP). The certificate's SAN must include the host you will use to access the UI.
- Once the spec is applied, you can access the UI via `https://<hostname-or-external-IP>`. Example: `https://10.13.239.201`.
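The passthrough steps above generate a self-signed certificate with openssl, and the load-balancer steps require the certificate's SAN to cover the host in the URL. The Go program below, added here as an example and not Portworx's or Istio's code, does both with the standard library: it issues a self-signed certificate with DNS and (optionally) IP SANs, and checks a candidate host against those SANs the way a browser does. The hostname and IP are the examples from this page; the comparison uses Go's x509 hostname verification, which, like browsers, requires an IP SAN when the UI is opened by IP address, something the DNS-only openssl one-liner does not provide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert issues a self-signed server certificate and returns the PEM
// cert and key, the pair `kubectl create secret tls` stores as tls.crt/tls.key.
// dnsNames become DNS SANs; ips (optional) become IP SANs, which the openssl
// command in the passthrough steps does not add.
func SelfSignedCert(dnsNames, ips []string) (certPEM, keyPEM []byte, err error) {
	if len(dnsNames) == 0 && len(ips) == 0 {
		return nil, nil, fmt.Errorf("at least one DNS name or IP is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var ipSANs []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, nil, fmt.Errorf("%q is not an IP address", s)
		}
		ipSANs = append(ipSANs, ip)
	}
	cn := "px-backup-ui" // placeholder CN when only IPs are given
	if len(dnsNames) > 0 {
		cn = dnsNames[0]
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // same lifetime as -days 365
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// CertCoversHost performs the SAN check a browser does against the URL host:
// it reports whether the PEM certificate's DNS or IP SANs admit host. An IP
// literal only matches an IP SAN, never a DNS SAN or the CN.
func CertCoversHost(certPEM []byte, host string) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	// Hosts taken from this page's examples; the certificate is generated here.
	certPEM, _, err := SelfSignedCert([]string{"pxb-ui.yourdomain.com"}, []string{"10.13.239.201"})
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"pxb-ui.yourdomain.com", "10.13.239.201", "other.yourdomain.com"} {
		ok, _ := CertCoversHost(certPEM, h)
		fmt.Printf("%-25s covered=%v\n", h, ok)
	}
}
```

Run CertCoversHost against the tls.crt you are about to store in tls-secret, with every hostname and IP you intend to put in the browser, before applying the Gateway; a mismatch there is what produces the certificate warning the last step above refers to.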
## Configure a dedicated hostname for Portworx Backup UI with Istio

When multiple apps share the same URL prefix or sit behind the same Istio ingress, set a unique hostname for PX-Backup so routing is done by host instead of path.

You can pass this via Helm: `--set istio.hostName=<your.fqdn>`.

### OpenShift

- Choose a unique FQDN under your OpenShift apps domain, e.g.: `pxbroute-istio-system.apps.<ocp-domain>`
- Install/upgrade: pass the hostname through Helm. This sets the PX-Backup VirtualService `spec.hosts` to your hostname (instead of `*`).

  ```shell
  helm install px-central portworx/px-central --version 2.10.0 \
    --namespace px-backup --create-namespace \
    --set istio.enabled=true \
    --set istio.hostName=pxbroute-istio-system.apps.<ocp-domain>
  ```

- Create (or patch) the OpenShift Route to the Istio ingress. The Route lives in `istio-system` and points at the `istio-ingressgateway` Service.

  ```shell
  oc create route edge pxb-route \
    -n istio-system \
    --service=istio-ingressgateway \
    --port=http2 \
    --hostname=pxbroute-istio-system.apps.<ocp-domain>
  ```

- Ensure the VirtualService uses the hostname.

  ```yaml
  # pxcentral-virtualservice.yaml
  apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    name: pxcentral-virtualservice
    namespace: px-backup
  spec:
    gateways:
    - pxcentral-gateway
    hosts:
    - pxbroute-istio-system.apps.<ocp-domain>
    http:
    - match:
      - uri:
          prefix: /
      route:
      - destination:
          host: px-central-ui.px-backup.svc.cluster.local
          port:
            number: 80
  ```

- Access the UI: `http://pxbroute-istio-system.apps.<ocp-domain>/`

### Other Kubernetes

- Pick a unique FQDN, e.g.: `pxb.local.com`
- Install/upgrade:

  ```shell
  helm install px-central portworx/px-central --version 2.10.0 \
    --namespace px-backup --create-namespace \
    --set istio.enabled=true \
    --set istio.hostName=pxb.local.com
  ```

- Point the name to your ingress:
  - If you have a LoadBalancer: create a DNS A-record pointing to `<LB_IP>`.
  - If you're using NodePort for testing: add `<node-ip> pxb.local.com` to `/etc/hosts` on your workstation. Then open `http(s)://pxb.local.com:<ingress-gateway-nodeport>/`.
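With host-based routing, the Route hostname, the VirtualService `spec.hosts` and the Gateway `hosts` must agree, or the ingress gateway has no route for the request. The Go program below is an added example (not Portworx's or Istio's code) that reads Gateway and VirtualService objects in the JSON shape `kubectl get ... -o json` emits and reports any host or gateway-reference mismatch. The sample objects are constructed from this page's manifests with `example.com` standing in for `<ocp-domain>`, and the wildcard handling is a simplification of Istio's host matching.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// objectMeta, Gateway and VirtualService hold only the fields the check needs
// from `kubectl get gateway,virtualservice -n px-backup -o json` items.
type objectMeta struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type Gateway struct {
	Metadata objectMeta `json:"metadata"`
	Spec     struct {
		Servers []struct {
			Hosts []string `json:"hosts"`
		} `json:"servers"`
	} `json:"spec"`
}

type VirtualService struct {
	Metadata objectMeta `json:"metadata"`
	Spec     struct {
		Hosts    []string `json:"hosts"`
		Gateways []string `json:"gateways"`
	} `json:"spec"`
}

// hostCovered reports whether an Istio host entry ("*", "*.apps.example.com",
// "ns/host" or a plain FQDN) admits host. Simplified from Istio's matching.
func hostCovered(pattern, host string) bool {
	if i := strings.Index(pattern, "/"); i >= 0 { // drop optional "namespace/" prefix
		pattern = pattern[i+1:]
	}
	switch {
	case pattern == "*":
		return true
	case strings.HasPrefix(pattern, "*."):
		return strings.HasSuffix(host, pattern[1:]) && host != pattern[1:]
	default:
		return pattern == host
	}
}

// CheckRouting lists the ways a Route hostname, a VirtualService and the
// Gateways it references disagree on the host. An empty result means a request
// for routeHost is admitted by the gateway and matched by the VirtualService.
func CheckRouting(routeHost string, vsJSON []byte, gatewayJSONs [][]byte) ([]string, error) {
	var vs VirtualService
	if err := json.Unmarshal(vsJSON, &vs); err != nil {
		return nil, fmt.Errorf("virtualservice: %w", err)
	}
	gateways := map[string]Gateway{}
	for _, raw := range gatewayJSONs {
		var gw Gateway
		if err := json.Unmarshal(raw, &gw); err != nil {
			return nil, fmt.Errorf("gateway: %w", err)
		}
		gateways[gw.Metadata.Namespace+"/"+gw.Metadata.Name] = gw
	}
	var problems []string
	// 1. The Route's hostname must be one of the VirtualService hosts.
	matched := false
	for _, h := range vs.Spec.Hosts {
		matched = matched || hostCovered(h, routeHost)
	}
	if !matched {
		problems = append(problems, fmt.Sprintf("route host %q is not in VirtualService hosts %v", routeHost, vs.Spec.Hosts))
	}
	// 2. Each referenced Gateway must exist and serve every VirtualService host.
	for _, ref := range vs.Spec.Gateways {
		key := ref
		if !strings.Contains(ref, "/") { // a bare name means the VirtualService's own namespace
			key = vs.Metadata.Namespace + "/" + ref
		}
		gw, ok := gateways[key]
		if !ok {
			problems = append(problems, fmt.Sprintf("gateway %q referenced by the VirtualService was not found", ref))
			continue
		}
		for _, h := range vs.Spec.Hosts {
			served := strings.HasPrefix(h, "*") // a wildcard VirtualService host is narrowed by the gateway
			for _, srv := range gw.Spec.Servers {
				for _, p := range srv.Hosts {
					served = served || hostCovered(p, h)
				}
			}
			if !served {
				problems = append(problems, fmt.Sprintf("host %q is not served by gateway %q", h, key))
			}
		}
	}
	return problems, nil
}

// Constructed samples shaped like kubectl -o json output, built from this page's
// manifests with "example.com" standing in for <ocp-domain>.
const sampleGateway = `{"metadata":{"name":"pxcentral-gateway","namespace":"px-backup"},
"spec":{"selector":{"istio":"ingressgateway"},"servers":[{"port":{"number":80,"name":"http","protocol":"HTTP"},
"hosts":["pxbroute-istio-system.apps.example.com"]}]}}`

const sampleVirtualService = `{"metadata":{"name":"pxcentral-virtualservice","namespace":"px-backup"},
"spec":{"gateways":["pxcentral-gateway"],"hosts":["pxbroute-istio-system.apps.example.com"],
"http":[{"match":[{"uri":{"prefix":"/"}}],"route":[{"destination":{"host":"px-central-ui.px-backup.svc.cluster.local","port":{"number":80}}}]}]}}`

func main() {
	gws := [][]byte{[]byte(sampleGateway)}
	for _, routeHost := range []string{"pxbroute-istio-system.apps.example.com", "pxb-route-istio-system.apps.example.com"} {
		problems, err := CheckRouting(routeHost, []byte(sampleVirtualService), gws)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d problem(s) %v\n", routeHost, len(problems), problems)
	}
}
```

The second sample hostname in main differs from the VirtualService host by a single hyphen, which is exactly the kind of drift between the Route and the Helm `istio.hostName` value that this check is meant to catch before you open the browser.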