github.com/cilium/cilium@v1.16.2/Documentation/network/servicemesh/ingress-to-gateway/tls-migration.rst (about)

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _gs_gateway_tls_migration:

*************
TLS Migration
*************

This migration example builds on the previous :ref:`gs_gateway_http_migration` and adds TLS
termination in front of the HTTP routes for the two hostnames. For simplicity, this example omits the second
``bookinfo.cilium.rocks`` route, the catch-all route to ``productpage``.


Review Ingress Configuration
============================

You can find the example Ingress definition in ``tls-ingress.yaml``.

.. literalinclude:: ../../../../examples/kubernetes/servicemesh/tls-ingress.yaml

This example:

- listens for HTTPS traffic on port 443.
- terminates TLS for the ``hipstershop.cilium.rocks`` and ``bookinfo.cilium.rocks`` hostnames using the TLS certificate and key from the Secret *demo-cert*.
- routes HTTPS requests for the ``hipstershop.cilium.rocks`` hostname with the URI prefix ``/hipstershop.ProductCatalogService`` to the *productcatalogservice* Service.
- routes HTTPS requests for the ``hipstershop.cilium.rocks`` hostname with the URI prefix ``/hipstershop.CurrencyService`` to the *currencyservice* Service.
- routes HTTPS requests for the ``bookinfo.cilium.rocks`` hostname with the URI prefix ``/details`` to the *details* Service.
- routes HTTPS requests for the ``bookinfo.cilium.rocks`` hostname with any other prefix to the *productpage* Service.


Create Equivalent Gateway Configuration
=======================================

To create the equivalent TLS termination configuration, consider the following:

- TLS Termination

.. tabs::

    .. group-tab:: Ingress

        The Ingress resource supports TLS termination via its ``spec.tls`` section. Each entry lists the hosts
        to terminate and names a Kubernetes Secret (conventionally of type ``kubernetes.io/tls``) that holds the
        certificate in ``tls.crt`` and the private key in ``tls.key``. The Secret must be in the same namespace
        as the Ingress.

        .. code-block:: yaml

            apiVersion: networking.k8s.io/v1
            kind: Ingress
            metadata:
              name: tls-ingress
              namespace: default
            [...]
            spec:
              tls:
              - hosts:
                - bookinfo.cilium.rocks
                - hipstershop.cilium.rocks
                secretName: demo-cert

    .. group-tab:: Gateway API

        In the Gateway API, TLS termination is a property of each Gateway listener: a listener with
        ``protocol: HTTPS`` terminates TLS (``tls.mode`` defaults to ``Terminate``), and, as with Ingress, the
        certificate and key come from a ``kubernetes.io/tls`` Secret referenced in ``tls.certificateRefs``.
        Because the Ingress served both hosts from one Secret, the example below defines one listener per
        hostname on port 443 and points both at the same Secret. The listener ``hostname`` is also matched
        against the SNI sent by the client during the TLS handshake, so it must be the exact name clients
        connect to. A ``certificateRefs`` entry without a ``namespace`` resolves in the Gateway's own namespace;
        referencing a Secret in another namespace additionally requires a ReferenceGrant in that namespace.

        .. code-block:: yaml

            apiVersion: gateway.networking.k8s.io/v1beta1
            kind: Gateway
            metadata:
              name: tls-gateway
            spec:
              gatewayClassName: cilium
              listeners:
              - name: bookinfo.cilium.rocks
                protocol: HTTPS
                port: 443
                hostname: "bookinfo.cilium.rocks"
                tls:
                  certificateRefs:
                  - kind: Secret
                    name: demo-cert
              - name: hipstershop.cilium.rocks
                protocol: HTTPS
                port: 443
                hostname: "hipstershop.cilium.rocks"
                tls:
                  certificateRefs:
                  - kind: Secret
                    name: demo-cert

- Host-header-based Routing Rules

.. tabs::

    .. group-tab:: Ingress

        The Ingress API uses the term *host*.
        With Ingress, each ``rules`` entry is keyed by a host, and the ``paths`` listed under it apply only to
        requests for that host.

        .. code-block:: yaml

            apiVersion: networking.k8s.io/v1
            kind: Ingress
            metadata:
              name: tls-ingress
              namespace: default
            spec:
              ingressClassName: cilium
              rules:
              - host: hipstershop.cilium.rocks
                http:
                  paths:
                  - backend:
                      service:
                        name: productcatalogservice
                        port:
                          number: 3550
                    path: /hipstershop.ProductCatalogService
                    pathType: Prefix

    .. group-tab:: Gateway API

        The Gateway API uses the term *hostname*.
        The host-header-based routing rules map to the ``hostnames`` of the HTTPRoute, and every rule in an
        HTTPRoute applies to all of its hostnames. To keep per-host rules separate, as the Ingress does, create
        one HTTPRoute per hostname and attach each one to the Gateway through ``parentRefs``.

        The hostnames of an HTTPRoute must match the ``hostname`` of a Gateway listener, either exactly or
        through a wildcard listener such as ``*.cilium.rocks``. A route hostname that matches no listener is not
        attached: the listener ignores the routing rules for that hostname, and the HTTPRoute status reports an
        ``Accepted`` condition of ``False`` with reason ``NoMatchingListenerHostname``. The ``parentRefs`` entry
        names the Gateway defined above, ``tls-gateway``.

        .. code-block:: yaml

            ---
            apiVersion: gateway.networking.k8s.io/v1beta1
            kind: HTTPRoute
            metadata:
              name: hipstershop-cilium-rocks
              namespace: default
            spec:
              hostnames:
              - hipstershop.cilium.rocks
              parentRefs:
              - name: tls-gateway
              rules:
              - matches:
                - path:
                    type: PathPrefix
                    value: /hipstershop.ProductCatalogService
                backendRefs:
                - name: productcatalogservice
                  port: 3550
   150                    port: 3550
   151  
   152  Review Equivalent Gateway Configuration
   153  =======================================
   154  
   155  You can find the equivalent final Gateway and HTTPRoute definition in ``tls-migration.yaml``.
   156  
   157  .. literalinclude:: ../../../../examples/kubernetes/gateway/tls-migration.yaml
   158  
   159  Deploy the resources and verify that HTTPS requests are routed successfully to the services.
   160  For more information, consult the Gateway API :ref:`gs_gateway_https`.