github.com/cilium/cilium@v1.16.2/Documentation/network/servicemesh/tls-termination.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _gs_ingress_tls:

************************************
Ingress Example with TLS Termination
************************************

This example builds on the HTTP and gRPC ingress examples, adding TLS
termination.

.. literalinclude:: ../../../examples/kubernetes/servicemesh/tls-ingress.yaml

.. include:: tls-cert.rst

Deploy the Ingress
==================

The Ingress configuration for this demo provides the same routing as the HTTP and
gRPC demos, but with the addition of TLS termination.

    25  
    26  
    27  .. tabs::
    28  
    29      .. group-tab:: Self-signed Certificate
    30  
    31          .. parsed-literal::
    32  
    33              $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/servicemesh/tls-ingress.yaml
    34  
    35      .. group-tab:: cert-manager
    36  
    37          .. parsed-literal::
    38  
    39              $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/servicemesh/tls-ingress.yaml
    40  
    41          To tell cert-manager that this Ingress needs a certificate, annotate the
    42          Ingress with the name of the CA issuer we previously created:
    43  
    44          .. code-block:: shell-session
    45  
    46              $ kubectl annotate ingress tls-ingress cert-manager.io/issuer=ca-issuer
    47  
    48          This creates a Certificate object along with a Secret containing the TLS
    49          certificate.
    50  
    51          .. code-block:: shell-session
    52  
    53              $ kubectl get certificate,secret demo-cert
    54              NAME                                    READY   SECRET      AGE
    55              certificate.cert-manager.io/demo-cert   True    demo-cert   33m
    56              NAME               TYPE                DATA   AGE
    57              secret/demo-cert   kubernetes.io/tls   3      33m
    58  
The external IP address will show up on the Ingress:

.. code-block:: shell-session

    $ kubectl get ingress
    NAME          CLASS    HOSTS                                            ADDRESS        PORTS     AGE
    tls-ingress   cilium   hipstershop.cilium.rocks,bookinfo.cilium.rocks   35.195.24.75   80, 443   6m5s

In this Ingress configuration, the host names ``hipstershop.cilium.rocks`` and
``bookinfo.cilium.rocks`` are specified in the path routing rules. The client
needs to specify which host it wants to access. This can be achieved by
editing your local ``/etc/hosts`` file. (You will almost certainly need to be
superuser to edit this file.) Add entries using the IP address
assigned to the ingress service, so your file looks something like this:

.. code-block:: shell-session

    $ sudo perl -ni -e 'print if !/\.cilium\.rocks$/d' /etc/hosts; sudo tee -a /etc/hosts \
      <<<"$(kubectl get ing tls-ingress -o=jsonpath='{.status.loadBalancer.ingress[0].ip}') bookinfo.cilium.rocks hipstershop.cilium.rocks"
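As an added example (not part of the Cilium documentation), the same hosts-file update
written as a POSIX shell function that can be re-run safely and that refuses to write an
entry while the Ingress has no address yet; ``update_hosts_entry`` and its argument order
are this example's own.

```shell
# Added example, not from the Cilium docs: refresh the .cilium.rocks entries in a
# hosts file idempotently and refuse to write anything when the address is missing.
# kubectl's jsonpath prints an empty string while the Ingress has no address yet, and
# the perl/tee one-liner above would then append a hosts line with no IP in it.
#
# usage: update_hosts_entry HOSTS_FILE IP HOSTNAME...
# e.g.:  update_hosts_entry /etc/hosts \
#          "$(kubectl get ing tls-ingress -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')" \
#          bookinfo.cilium.rocks hipstershop.cilium.rocks
update_hosts_entry() {
    hosts_file=$1 ip=$2
    shift 2
    names=$*

    # Accept only a dotted-quad IPv4 address. LoadBalancers that publish a hostname
    # instead of an IP leave the .ip field empty and are rejected here as well.
    case $ip in
        ''|*[!0-9.]*)
            echo "refusing to write hosts entry: bad address '$ip'" >&2
            return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    if [ "$#" -ne 4 ]; then
        echo "refusing to write hosts entry: bad address '$ip'" >&2
        return 1
    fi

    # Drop every existing line that names a .cilium.rocks host (grep -v exits 1 when
    # no line is left, which is not an error here), then append the fresh entry.
    tmp=$(mktemp) || return 1
    grep -v -E '\.cilium\.rocks([[:space:]]|$)' "$hosts_file" > "$tmp" || [ $? -eq 1 ] || return 1
    printf '%s %s\n' "$ip" "$names" >> "$tmp"
    # Overwrite in place (rather than mv) so /etc/hosts keeps its owner and mode.
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}
```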


Make HTTPS Requests
===================


.. tabs::

    .. group-tab:: Self-signed Certificate

        By specifying the CA's certificate on a curl request, you tell curl to trust
        certificates signed by that CA.

        .. code-block:: shell-session

            $ curl --cacert minica.pem -v https://bookinfo.cilium.rocks/details/1

        If you prefer, instead of supplying the CA you can specify ``-k`` to tell the
        curl client not to validate the server's certificate. Without either, you
        will get an error that the certificate was signed by an unknown authority.

        By specifying ``-v`` on the curl request, you can see that the TLS handshake
        took place successfully.

        Similarly, you can specify the CA on a gRPC request like this:

        .. code-block:: shell-session

            # Download the demo.proto file if you have not done so before
            $ curl -o demo.proto https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/main/protos/demo.proto
            $ grpcurl -proto ./demo.proto -cacert minica.pem hipstershop.cilium.rocks:443 hipstershop.ProductCatalogService/ListProducts

    .. group-tab:: cert-manager

        .. code-block:: shell-session

            $ curl https://bookinfo.cilium.rocks/details/1

        Similarly, you can specify the CA on a gRPC request like this:

        .. code-block:: shell-session

            $ grpcurl -proto ./demo.proto -cacert minica.pem hipstershop.cilium.rocks:443 hipstershop.ProductCatalogService/ListProducts

.. note::

    See the gRPC Ingress example if you don't already have the ``demo.proto`` file downloaded.

You can also visit https://bookinfo.cilium.rocks in your browser. The browser
might warn you that the certificate authority is unknown, but if you proceed past
this, you should see the bookstore application home page.

Note that requests will time out if you don't specify ``https://``.