.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _gs_gateway_https:

*************
HTTPS Example
*************

This example builds on the previous :ref:`gs_gateway_http` and adds TLS
termination for two HTTP routes. For simplicity, the second route to ``productpage``
is omitted.

.. literalinclude:: ../../../../examples/kubernetes/gateway/basic-https.yaml

.. include:: ../tls-cert.rst

Deploy the Gateway and HTTPRoute
================================

The Gateway configuration for this demo provides similar routing to the
``details`` and ``productpage`` services.


.. tabs::

    .. group-tab:: Self-signed Certificate

        .. parsed-literal::

            $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/gateway/basic-https.yaml

    .. group-tab:: cert-manager

        .. parsed-literal::

            $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/gateway/basic-https.yaml

        To tell cert-manager that this Gateway needs a certificate, annotate the
        Gateway with the name of the CA issuer we previously created:

        .. code-block:: shell-session

            $ kubectl annotate gateway tls-gateway cert-manager.io/issuer=ca-issuer

        This creates a Certificate object along with a Secret containing the TLS
        certificate.

        .. code-block:: shell-session

            $ kubectl get certificate,secret demo-cert
            NAME                                    READY   SECRET      AGE
            certificate.cert-manager.io/demo-cert   True    demo-cert   29s
            NAME               TYPE                DATA   AGE
            secret/demo-cert   kubernetes.io/tls   3      29s

The external IP address is shown in the Gateway status, and the host names are
shown in the related HTTPRoutes.

.. code-block:: shell-session

    $ kubectl get gateway tls-gateway
    NAME          CLASS    ADDRESS         PROGRAMMED   AGE
    tls-gateway   cilium   10.104.247.23   True         29s

    $ kubectl get httproutes https-app-route-1 https-app-route-2
    NAME                HOSTNAMES                      AGE
    https-app-route-1   ["bookinfo.cilium.rocks"]      29s
    https-app-route-2   ["hipstershop.cilium.rocks"]   29s

Update ``/etc/hosts`` with the host names and IP address of the Gateway:

.. code-block:: shell-session

    $ sudo perl -ni -e 'print if !/\.cilium\.rocks$/d' /etc/hosts; sudo tee -a /etc/hosts \
      <<<"$(kubectl get gateway tls-gateway -o jsonpath='{.status.addresses[0].value}') bookinfo.cilium.rocks hipstershop.cilium.rocks"

Make HTTPS Requests
===================

.. tabs::

    .. group-tab:: Self-signed Certificate

        By specifying the CA's certificate on a curl request, you tell curl to
        trust certificates signed by that CA.

        .. code-block:: shell-session

            $ curl --cacert minica.pem -v https://bookinfo.cilium.rocks/details/1
            $ curl --cacert minica.pem -v https://hipstershop.cilium.rocks/

        If you prefer, instead of supplying the CA you can specify ``-k`` to tell the
        curl client not to validate the server's certificate. Without either, you
        will get an error that the certificate was signed by an unknown authority.

        By specifying ``-v`` on the curl request, you can see that the TLS handshake
        took place successfully.

    .. group-tab:: cert-manager

        .. code-block:: shell-session

            $ curl https://bookinfo.cilium.rocks/details/1
            $ curl https://hipstershop.cilium.rocks/
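
The ``/etc/hosts`` one-liner in the deploy step removes the old ``cilium.rocks`` entries before it looks up the Gateway address, so a failed lookup leaves a line with no address in the file. The following is an added example, not part of the Cilium documentation, that validates the address first and only then rewrites the file; ``update_hosts`` and ``is_ipv4`` are hypothetical helper names, and it assumes an IPv4 Gateway address and matches the listed host names exactly rather than by the ``.cilium.rocks`` suffix.

```shell
# Added example, not part of the Cilium docs. update_hosts and is_ipv4 are
# hypothetical helper names; POSIX sh, IPv4 addresses only (assumption).

# is_ipv4 ADDR: succeed only for four dot-separated octets, each 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        count=$((count + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# update_hosts FILE IP HOST...: replace any entries for HOST... with one line.
# Returns 2 (and leaves FILE untouched) when the input is not usable.
update_hosts() {
    [ $# -ge 3 ] || { echo "usage: update_hosts FILE IP HOST..." >&2; return 2; }
    file=$1 ip=$2; shift 2
    # An empty or non-IP value is what a failed kubectl lookup, or a Gateway
    # whose address is a DNS name, would hand us.
    is_ipv4 "$ip" || { echo "refusing: '$ip' is not an IPv4 address" >&2; return 2; }
    for h in "$@"; do
        case $h in
            ''|*[!A-Za-z0-9.-]*) echo "bad host name: '$h'" >&2; return 2 ;;
        esac
    done
    tmp=$(mktemp) || return 1
    # Keep comments and every line that does not list one of the hosts.
    awk -v hosts="$*" '
        BEGIN { n = split(hosts, want, " ") }
        /^[ \t]*#/ { print; next }
        { for (i = 2; i <= NF; i++) for (j = 1; j <= n; j++) if ($i == want[j]) next
          print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s %s\n' "$ip" "$*" >> "$tmp"
    # Write back with cat rather than mv so FILE keeps its owner and mode.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run it as root with ``/etc/hosts`` as the file and the output of the ``kubectl get gateway tls-gateway -o jsonpath=...`` lookup as the address; running it twice leaves a single entry.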