github.com/projectcontour/contour@v1.28.2/site/content/docs/1.22/config/upstream-tls.md

github.com/projectcontour/contour@v1.28.2/site/content/docs/1.22/config/upstream-tls.md (about)

     1  # Upstream TLS
     2  
     3  A HTTPProxy can proxy to an upstream TLS backend by annotating the upstream Kubernetes Service or by specifying the upstream protocol in the HTTPProxy [services][2] field.
     4  Applying the `projectcontour.io/upstream-protocol.tls` annotation to a Service object tells Contour that TLS should be enabled and which port should be used for the TLS connection.
     5  The same configuration can be specified by setting the protocol name in the `spec.routes.services[].protocol` field on the HTTPProxy object.
     6  If both the annotation and the protocol field are specified, the protocol field takes precedence.
     7  By default, the upstream TLS server certificate will not be validated, but validation can be requested by setting the `spec.routes.services[].validation` field.
     8  This field has mandatory `caSecret` and `subjectName` fields, which specify the trusted root certificates with which to validate the server certificate and the expected server name.
     9  The `caSecret` can be a namespaced name of the form `<namespace>/<secret-name>`. If the CA secret's namespace is not the same namespace as the `HTTPProxy` resource, [TLS Certificate Delegation][4] must be used to allow the owner of the CA certificate secret to delegate, for the purposes of referencing the CA certificate in a different namespace, permission to Contour to read the Secret object from another namespace.
    10  
    11  _**Note:**
    12  If `spec.routes.services[].validation` is present, `spec.routes.services[].{name,port}` must point to a Service with a matching `projectcontour.io/upstream-protocol.tls` Service annotation._
    13  
    14  In the example below, the upstream service is named `secure-backend` and uses port `8443`:
    15  
    16  ```yaml
    17  # httpproxy-example.yaml
    18  apiVersion: projectcontour.io/v1
    19  kind: HTTPProxy
    20  metadata:
    21    name: example
    22  spec:
    23    virtualhost:
    24      fqdn: www.example.com
    25    routes:
    26    - services:
    27      - name: secure-backend
    28        port: 8443
    29        validation:
    30          caSecret: my-certificate-authority
    31          subjectName: backend.example.com
    32  ```
    33  
    34  ```yaml
    35  # service-secure-backend.yaml
    36  apiVersion: v1
    37  kind: Service
    38  metadata:
    39    name: secure-backend
    40    annotations:
    41      projectcontour.io/upstream-protocol.tls: "8443"
    42  spec:
    43    ports:
    44    - name: https
    45      port: 8443
    46    selector:
    47      app: secure-backend
    48  
    49  ```
    50  
    51  If the `validation` spec is defined on a service, but the secret which it references does not exist, Contour will reject the update and set the status of the HTTPProxy object accordingly.
    52  This helps prevent the case of proxying to an upstream where validation is requested, but not yet available.
    53  
    54  ```yaml
    55  Status:
    56    Current Status:  invalid
    57    Description:     route "/": service "tls-nginx": upstreamValidation requested but secret not found or misconfigured
    58  ```
    59  
    60  ## Upstream Validation
    61  
    62  When defining upstream services on a route, it's possible to configure the connection from Envoy to the backend endpoint to communicate over TLS.
    63  Two configuration items are required, a CA certificate and a `SubjectName` which are both used to verify the backend endpoint's identity.
    64  
    65  The CA certificate bundle for the backend service should be supplied in a Kubernetes Secret.
    66  The referenced Secret must be of type "Opaque" and have a data key named `ca.crt`.
    67  This data value must be a PEM-encoded certificate bundle.
    68  
    69  In addition to the CA certificate and the subject name, the Kubernetes service must also be annotated with a Contour specific annotation: `projectcontour.io/upstream-protocol.tls: <port>` ([see annotations section][1]).
    70  
    71  _**Note:** This annotation is applied to the Service not the Ingress or HTTPProxy object._
    72  
    73  ```yaml
    74  apiVersion: projectcontour.io/v1
    75  kind: HTTPProxy
    76  metadata:
    77    name: blog
    78    namespace: marketing
    79  spec:
    80    routes:
    81      - services:
    82          - name: s2
    83            port: 80
    84            validation:
    85              caSecret: foo-ca-cert
    86              subjectName: foo.marketing
    87  ```
    88  
    89  ## Envoy Client Certificate
    90  
    91  Contour can be configured with a `namespace/name` in the [Contour configuration file][3] of a Kubernetes secret which Envoy uses as a client certificate when upstream TLS is configured for the backend.
    92  Envoy will send the certificate during TLS handshake when the backend applications request the client to present its certificate.
    93  Backend applications can validate the certificate to ensure that the connection is coming from Envoy.
    94  
    95  [1]: annotations.md
    96  [2]: api/#projectcontour.io/v1.Service
    97  [3]: ../configuration#fallback-certificate
    98  [4]: tls-delegation.md