TLS termination for TLSRoutes
Set up a TLS listener on the Gateway that terminates incoming TLS traffic. Unlike TLS passthrough, the Gateway decrypts the traffic and forwards plain TCP traffic to the backend service. The backend service does not need to handle TLS.
Before you begin
- Set up kgateway by following the Quick start or Installation guides.
- Make sure that you have the OpenSSL version of openssl, not LibreSSL. The openssl version must be at least 1.1.
  1. Check the openssl version that is installed. If you see LibreSSL in the output, continue to the next step.
     ```sh
     openssl version
     ```
  2. Install the OpenSSL version (not LibreSSL). For example, you might use Homebrew.
     ```sh
     brew install openssl
     ```
  3. Review the output of the OpenSSL installation for the path of the binary file. You can choose to export the binary to your path, or call the entire path whenever the following steps use an openssl command.
     - For example, openssl might be installed along the following path:
       ```
       /usr/local/opt/openssl@3/bin/
       ```
     - To run commands, you can prepend the path so that your terminal uses this installed version of OpenSSL, and not the default LibreSSL.
       ```sh
       /usr/local/opt/openssl@3/bin/openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650...
       ```
- Decide whether to set up a listener inline on the Gateway resource or as a separate ListenerSet resource. For more information, see the Listener overview.
Create a TLS certificate
1. Create a directory to store your TLS credentials in.
   ```sh
   mkdir example_certs
   ```
2. Create a self-signed root certificate.
   ```sh
   openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
     -subj '/O=any domain/CN=*' \
     -keyout example_certs/root.key -out example_certs/root.crt
   ```
3. Create an OpenSSL configuration for the app.example.com hostname.
   ```sh
   cat <<'EOF' > example_certs/gateway.cnf
   [ req ]
   default_bits = 2048
   prompt = no
   default_md = sha256
   distinguished_name = dn
   req_extensions = req_ext

   [ dn ]
   CN = *.example.com
   O = any domain

   [ req_ext ]
   subjectAltName = @alt_names

   [ alt_names ]
   DNS.1 = *.example.com
   DNS.2 = example.com
   EOF
   ```
4. Create and sign the gateway certificate.
   ```sh
   openssl req -new -nodes \
     -keyout example_certs/gateway.key \
     -out example_certs/gateway.csr \
     -config example_certs/gateway.cnf
   openssl x509 -req -sha256 -days 365 \
     -CA example_certs/root.crt -CAkey example_certs/root.key -set_serial 0 \
     -in example_certs/gateway.csr -out example_certs/gateway.crt \
     -extfile example_certs/gateway.cnf -extensions req_ext
   ```
5. Create a Kubernetes secret to store the gateway TLS certificate.
   ```sh
   kubectl create secret tls tls-terminate \
     -n kgateway-system \
     --key example_certs/gateway.key \
     --cert example_certs/gateway.crt
   ```
Set up TLS termination
Set up a TLS listener on the Gateway with tls.mode: Terminate. The Gateway decrypts incoming TLS traffic using the certificate you created and forwards the plain traffic to the backend service.
1. Create a Gateway with a TLS termination listener. Set the gatewayClassName to kgateway.
   ```sh
   kubectl apply -f- <<EOF
   apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
   metadata:
     name: tls-terminate
     namespace: kgateway-system
     labels:
       example: tls-terminate
   spec:
     gatewayClassName: kgateway
     listeners:
     - name: tls
       protocol: TLS
       port: 8443
       hostname: app.example.com
       tls:
         mode: Terminate
         certificateRefs:
         - name: tls-terminate
           kind: Secret
       allowedRoutes:
         namespaces:
           from: All
   EOF
   ```
   Review the following table to understand this configuration.

   | Setting | Description |
   |---|---|
   | spec.gatewayClassName | The name of the Kubernetes GatewayClass that you want to use to configure the Gateway. When you set up kgateway, a default GatewayClass is set up for you. Set the gatewayClassName to kgateway. |
   | spec.listeners | Configure the listeners for this Gateway. In this example, you configure a TLS listener that terminates incoming TLS traffic for the app.example.com hostname on port 8443. The Gateway can serve TLS routes from any namespace. |
   | spec.listeners.tls.mode | The TLS mode for incoming requests. In this example, TLS requests are terminated at the Gateway and the decrypted traffic is forwarded to the backend service. |
   | spec.listeners.tls.certificateRefs | The Kubernetes secret that holds the TLS certificate and key. The Gateway uses these to terminate the TLS connection. |
2. Check the status of the Gateway to make sure that your configuration is accepted.
   ```sh
   kubectl get gateway tls-terminate -n kgateway-system -o yaml
   ```
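To turn the status check above into a pass/fail test, here is an added Python helper that is not part of kgateway or this guide. It reads the output of the same command with `-o json` instead of `-o yaml` (so no YAML library is needed) and reports whether the `tls` listener is Accepted, Programmed and has its certificate reference resolved; the two sample documents are constructed, not captured from a cluster.

```python
import json

# Listener conditions a TLS termination listener must report as True before it serves traffic.
REQUIRED_CONDITIONS = ("Accepted", "Programmed", "ResolvedRefs")


def check_tls_listener(gateway_json: str, listener_name: str = "tls") -> dict:
    """Inspect `kubectl get gateway ... -o json` output for one listener.

    Returns ready (all required conditions True), failing (condition -> reason),
    attachedRoutes, and the TLS mode declared in spec for that listener.
    """
    gw = json.loads(gateway_json)
    spec_listener = {l["name"]: l for l in gw.get("spec", {}).get("listeners", [])}.get(listener_name)
    if spec_listener is None:
        raise ValueError(f"listener {listener_name!r} not found in spec")
    status_listener = {l["name"]: l for l in gw.get("status", {}).get("listeners", [])}.get(listener_name, {})
    conditions = {c["type"]: c for c in status_listener.get("conditions", [])}
    failing = {}
    for ctype in REQUIRED_CONDITIONS:
        cond = conditions.get(ctype, {})
        if cond.get("status") != "True":  # missing, False or Unknown all count as not ready
            failing[ctype] = cond.get("reason", "Missing")
    return {
        "ready": not failing,
        "failing": failing,
        "attachedRoutes": status_listener.get("attachedRoutes", 0),
        "tlsMode": spec_listener.get("tls", {}).get("mode"),
    }


# Constructed samples of what `kubectl get gateway tls-terminate -n kgateway-system -o json`
# could return (not captured from a cluster); only the fields the check reads are included.
SPEC = {"listeners": [{"name": "tls", "protocol": "TLS", "port": 8443,
                       "hostname": "app.example.com", "tls": {"mode": "Terminate"}}]}
SAMPLE_OK = json.dumps({"spec": SPEC, "status": {"listeners": [{
    "name": "tls", "attachedRoutes": 1, "conditions": [
        {"type": "Accepted", "status": "True", "reason": "Accepted"},
        {"type": "Programmed", "status": "True", "reason": "Programmed"},
        {"type": "ResolvedRefs", "status": "True", "reason": "ResolvedRefs"}]}]}})
# Same Gateway when the referenced tls-terminate secret cannot be resolved.
SAMPLE_BAD_CERT = json.dumps({"spec": SPEC, "status": {"listeners": [{
    "name": "tls", "attachedRoutes": 0, "conditions": [
        {"type": "Accepted", "status": "True", "reason": "Accepted"},
        {"type": "Programmed", "status": "False", "reason": "Invalid"},
        {"type": "ResolvedRefs", "status": "False", "reason": "InvalidCertificateRef"}]}]}})

if __name__ == "__main__":
    print(check_tls_listener(SAMPLE_OK))
    print(check_tls_listener(SAMPLE_BAD_CERT))
```

Against a live cluster, pipe `kubectl get gateway tls-terminate -n kgateway-system -o json` into `check_tls_listener`; a listener whose secret is missing or does not contain a valid tls.crt/tls.key pair shows up as ResolvedRefs False with reason InvalidCertificateRef.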
Create a TLSRoute
Create a TLSRoute that routes SNI traffic for app.example.com to the httpbin app.
```sh
kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
  name: tls-terminate-route
  namespace: httpbin
  labels:
    example: tls-terminate
spec:
  hostnames:
  - app.example.com
  parentRefs:
  - name: tls-terminate
    namespace: kgateway-system
    sectionName: tls
  rules:
  - backendRefs:
    - name: httpbin
      port: 8000
EOF
```
Verify TLS termination traffic
1. Get the external address of the gateway and save it in an environment variable.
   ```sh
   export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system tls-terminate -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
   echo $INGRESS_GW_ADDRESS
   ```
2. Send a request to the app.example.com domain and verify that you get back a 200 HTTP response code. The TLS connection is terminated at the Gateway and the plain traffic is forwarded to the httpbin app.
   - Load balancer IP:
     ```sh
     curl -vik --resolve "app.example.com:8443:${INGRESS_GW_ADDRESS}" \
       --cacert example_certs/root.crt \
       https://app.example.com:8443/status/200
     ```
   - Load balancer hostname:
     ```sh
     curl -vik --resolve "app.example.com:8443:$(dig +short $INGRESS_GW_ADDRESS | head -n1)" \
       --cacert example_certs/root.crt \
       https://app.example.com:8443/status/200
     ```
   Example output:
   ```
   * Request completely sent off
   < HTTP/1.1 200 OK
   HTTP/1.1 200 OK
   ...
   ```
Cleanup
You can remove the resources that you created in this guide.
```sh
kubectl delete -A gateways,tlsroutes,secret -l example=tls-terminate
rm -rf example_certs
```