github.com/cilium/cilium@v1.16.2/Documentation/network/servicemesh/ingress-to-gateway/tls-migration.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _gs_gateway_tls_migration:

*************
TLS Migration
*************

This migration example builds on the previous :ref:`gs_gateway_http_migration` and adds TLS
termination for two HTTP routes. For simplicity, this example omits the second route to ``productpage``.


Review Ingress Configuration
============================

You can find the example Ingress definition in ``tls-ingress.yaml``.

.. literalinclude:: ../../../../examples/kubernetes/servicemesh/tls-ingress.yaml

This example:

- listens for HTTPS traffic on port 443.
- terminates TLS for the ``hipstershop.cilium.rocks`` and ``bookinfo.cilium.rocks`` hostnames using the TLS certificate and key from the Secret *demo-cert*.
- routes HTTPS requests for the ``hipstershop.cilium.rocks`` hostname with the URI prefix ``/hipstershop.ProductCatalogService`` to the *productcatalogservice* Service.
- routes HTTPS requests for the ``hipstershop.cilium.rocks`` hostname with the URI prefix ``/hipstershop.CurrencyService`` to the *currencyservice* Service.
- routes HTTPS requests for the ``bookinfo.cilium.rocks`` hostname with the URI prefix ``/details`` to the *details* Service.
- routes HTTPS requests for the ``bookinfo.cilium.rocks`` hostname with any other prefix to the *productpage* Service.


Create Equivalent Gateway Configuration
=======================================

To create the equivalent TLS termination configuration, consider the following:

- TLS Termination

  .. tabs::

     .. group-tab:: Ingress

        The Ingress resource supports TLS termination via the ``tls`` section, where the TLS certificate and key are stored in a Kubernetes Secret.

        .. code-block:: yaml

           apiVersion: networking.k8s.io/v1
           kind: Ingress
           metadata:
             name: tls-ingress
             namespace: default
           [...]
           spec:
             tls:
             - hosts:
               - bookinfo.cilium.rocks
               - hipstershop.cilium.rocks
               secretName: demo-cert

     .. group-tab:: Gateway API

        In the Gateway API, TLS termination is a property of the Gateway listener. As with Ingress, the TLS certificate and key are stored in a Secret, which each listener references through ``certificateRefs``.

        .. code-block:: yaml

           apiVersion: gateway.networking.k8s.io/v1beta1
           kind: Gateway
           metadata:
             name: tls-gateway
           spec:
             gatewayClassName: cilium
             listeners:
             - name: bookinfo.cilium.rocks
               protocol: HTTPS
               port: 443
               hostname: "bookinfo.cilium.rocks"
               tls:
                 certificateRefs:
                 - kind: Secret
                   name: demo-cert
             - name: hipstershop.cilium.rocks
               protocol: HTTPS
               port: 443
               hostname: "hipstershop.cilium.rocks"
               tls:
                 certificateRefs:
                 - kind: Secret
                   name: demo-cert

- Host-header-based Routing Rules

  .. tabs::

     .. group-tab:: Ingress

        The Ingress API uses the term *host*.
        With Ingress, each host has its own set of routing rules.

        .. code-block:: yaml

           apiVersion: networking.k8s.io/v1
           kind: Ingress
           metadata:
             name: tls-ingress
             namespace: default
           spec:
             ingressClassName: cilium
             rules:
             - host: hipstershop.cilium.rocks
               http:
                 paths:
                 - backend:
                     service:
                       name: productcatalogservice
                       port:
                         number: 3550
                   path: /hipstershop.ProductCatalogService
                   pathType: Prefix

     .. group-tab:: Gateway API

        The Gateway API uses the term *hostname*.
        The host-header-based routing rules map to the ``hostnames`` of the HTTPRoute.
        Within an HTTPRoute, every routing rule applies to all of the route's hostnames.

        The hostnames of an HTTPRoute must match the hostname of the Gateway listener. Otherwise, the listener ignores the routing rules for the unmatched hostnames.
        The ``parentRefs`` entry must name the Gateway that carries the listener (here, the ``tls-gateway`` defined above).

        .. code-block:: yaml

           ---
           apiVersion: gateway.networking.k8s.io/v1beta1
           kind: HTTPRoute
           metadata:
             name: hipstershop-cilium-rocks
             namespace: default
           spec:
             hostnames:
             - hipstershop.cilium.rocks
             parentRefs:
             - name: tls-gateway
             rules:
             - matches:
               - path:
                   type: PathPrefix
                   value: /hipstershop.ProductCatalogService
               backendRefs:
               - name: productcatalogservice
                 port: 3550

Review Equivalent Gateway Configuration
=======================================

You can find the equivalent final Gateway and HTTPRoute definition in ``tls-migration.yaml``.

.. literalinclude:: ../../../../examples/kubernetes/gateway/tls-migration.yaml

Deploy the resources and verify that HTTPS requests are routed successfully to the services.
For more information, consult the Gateway API :ref:`gs_gateway_https`.
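The two mapping rules above (TLS hosts become HTTPS listeners with ``certificateRefs``; each Ingress ``host`` becomes an HTTPRoute whose ``hostnames`` must match a listener) can be applied mechanically. The following script is an added illustration, not part of the Cilium documentation or its example manifests: it translates a trimmed copy of ``tls-ingress`` (held inline as a dict; the ``currencyservice`` and bookinfo port numbers are constructed, only ``3550`` comes from the page) into a Gateway and one HTTPRoute per host, and then checks the listener/hostname rule so that a route which no listener would accept is reported before it is applied. The function names, the ``tls-gateway`` default and the wildcard handling are this example's own assumptions.

```python
"""Translate an Ingress with TLS termination into a Gateway plus one HTTPRoute
per host, and check that every HTTPRoute hostname matches a Gateway listener.
Added example; not the Cilium project's code."""
import json

# Constructed input: a trimmed version of the tls-ingress example. Port 3550
# is from the page; the other port numbers are placeholders for this example.
TLS_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "tls-ingress", "namespace": "default"},
    "spec": {
        "ingressClassName": "cilium",
        "tls": [{"hosts": ["bookinfo.cilium.rocks", "hipstershop.cilium.rocks"],
                 "secretName": "demo-cert"}],
        "rules": [
            {"host": "hipstershop.cilium.rocks", "http": {"paths": [
                {"path": "/hipstershop.ProductCatalogService", "pathType": "Prefix",
                 "backend": {"service": {"name": "productcatalogservice",
                                         "port": {"number": 3550}}}},
                {"path": "/hipstershop.CurrencyService", "pathType": "Prefix",
                 "backend": {"service": {"name": "currencyservice",
                                         "port": {"number": 7000}}}},
            ]}},
            {"host": "bookinfo.cilium.rocks", "http": {"paths": [
                {"path": "/details", "pathType": "Prefix",
                 "backend": {"service": {"name": "details", "port": {"number": 9080}}}},
                {"path": "/", "pathType": "Prefix",
                 "backend": {"service": {"name": "productpage", "port": {"number": 9080}}}},
            ]}},
        ],
    },
}

# Ingress pathType -> HTTPRoute path match type. ImplementationSpecific has no
# portable equivalent, so it is rejected rather than silently guessed.
PATH_TYPE = {"Prefix": "PathPrefix", "Exact": "Exact"}


def ingress_to_gateway(ingress, gateway_name="tls-gateway", gateway_class="cilium"):
    """Return (gateway, [httproute, ...]) equivalent to the given Ingress."""
    spec = ingress["spec"]
    ns = ingress["metadata"].get("namespace", "default")

    # Rule 1: every TLS host becomes an HTTPS listener on 443 that references
    # the same Secret the Ingress tls block named.
    listeners = []
    for tls in spec.get("tls", []):
        for host in tls["hosts"]:
            listeners.append({
                "name": host, "protocol": "HTTPS", "port": 443, "hostname": host,
                "tls": {"certificateRefs": [{"kind": "Secret", "name": tls["secretName"]}]},
            })
    gateway = {
        "apiVersion": "gateway.networking.k8s.io/v1beta1", "kind": "Gateway",
        "metadata": {"name": gateway_name, "namespace": ns},
        "spec": {"gatewayClassName": gateway_class, "listeners": listeners},
    }

    # Rule 2: every Ingress host becomes its own HTTPRoute attached to the
    # Gateway, so each rule list applies to exactly that hostname.
    routes = []
    for rule in spec.get("rules", []):
        host = rule["host"]
        rules = []
        for p in rule["http"]["paths"]:
            if p["pathType"] not in PATH_TYPE:
                raise ValueError(f"unsupported pathType {p['pathType']!r} for {host}")
            svc = p["backend"]["service"]
            rules.append({
                "matches": [{"path": {"type": PATH_TYPE[p["pathType"]], "value": p["path"]}}],
                "backendRefs": [{"name": svc["name"], "port": svc["port"]["number"]}],
            })
        routes.append({
            "apiVersion": "gateway.networking.k8s.io/v1beta1", "kind": "HTTPRoute",
            "metadata": {"name": host.replace(".", "-"), "namespace": ns},
            "spec": {"hostnames": [host], "parentRefs": [{"name": gateway_name}],
                     "rules": rules},
        })
    return gateway, routes


def _listener_accepts(listener_hostname, route_hostname):
    """A listener with no hostname accepts everything; '*.example' accepts any
    subdomain; otherwise the names must be identical."""
    if not listener_hostname:
        return True
    if listener_hostname.startswith("*."):
        suffix = listener_hostname[1:]
        return route_hostname.endswith(suffix) and len(route_hostname) > len(suffix)
    return listener_hostname == route_hostname


def ignored_hostnames(gateway, route):
    """Hostnames of the route that no listener on the gateway would accept;
    rules for these are silently ignored, so this should be empty."""
    listeners = gateway["spec"]["listeners"]
    return [h for h in route["spec"]["hostnames"]
            if not any(_listener_accepts(l.get("hostname"), h) for l in listeners)]


if __name__ == "__main__":
    gw, routes = ingress_to_gateway(TLS_INGRESS)
    for r in routes:
        stray = ignored_hostnames(gw, r)
        if stray:
            raise SystemExit(f"{r['metadata']['name']}: no listener for {stray}")
    print(json.dumps([gw, *routes], indent=2))
```

Run it to print the generated manifests as JSON (valid YAML input for ``kubectl apply``). The ``ignored_hostnames`` check is the part worth keeping around after the migration: a hostname that no listener accepts does not produce an error in the cluster, it just never receives traffic.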