Cilium Gateway API – TLS Termination

Transcript

In this demo, we’re going to be testing TLS termination with a Cilium Gateway API. In the previous demos, what we’ve done is look at the Cilium Gateway API with HTTP Routes directing traffic into your Kubernetes cluster, right? Using simple non-encrypted HTTP, and using the Gateway API in the HTTP route, we could route traffic to different services depending on the different characteristics, like headers or the path. Now, obviously, it’s not exactly the most secure protocol, so we can also use HTTPS and TLS termination on the Gateway API to route traffic.

We’re going to be using the bookinfo application, which is typically used with Istio and developed by the people behind Istio. It’s a microservices-based application. You’ve got Node.js, Java, Python, and Ruby set of deployments and microservices, and we are going to be using the Gateway API to access the details service.

And let’s get started. So first, we’re going to do HTTPS, so we need a certificate, and for this, we’re going to be using mkcert, and we’re going to be creating a certificate that will validate bookinginfo.cillium.rocks.

And,,we just created a local CA, so we’ve created a certificate and a key, and we’re going to go and store them as a Kubernetes TLS Secret.

Yeah, there it is. Now that we’ve got our TLS secret, let’s just review the Cilium Gateway configuration.

First, if you look at the Manifest, you’ve git a Gateway resource. Here’s a name, there’s a type of Gateway, which is a Cilium one, and we are listening on HTTPS, and we’re listening for a couple of different hostnames on the port 443, and we are referring to the Kubernetes secret we’ve just created. So we are just binding that TLS secret to this hostname, and we’ve got a couple of HTTP routes. One is for hipstershop.cilium.rocks, which we’re actually not going to be using for this quick demo. We’re just going to be using the bookinfo.cilium.rocks. And what will happen is if the path includes the /details in the URL, we’ll send this to the backend reference, which is a Service details over port 9080. If we could look at the service, you can see we’ve got Service details which is just listening over port 1980. We are now ready to deploy this Gateway.

Once we deploy this getaway, what was automatically created is a Kubernetes service of the type LoadBalancer, and you can see that an IP external IP has been automatically allocated, and this can be done with any kind of Load Balancer IP Address Management platform that can be MetalLb or Cilium can now do it. It’s a new feature that came in with Cilium 1.13..

We’re just going to go and save that IP, and before we start making, you know, try to access this service over HTTPS, what we need to make sure is we need to edit the hostname and make sure that bokinfo.cilium.rocks refers to this particular IP. Just added this one here we go.

And the last thing we need to do is to really install the certificate. Here we go. So that we are now ready to make curl requests, and it’s successful. And you can see that I’ve made that request which is highlighted here. It went to the Gateway API that was validated, the certificate was validated, and it was forwarded to the details service. And what it gives me in return is the details of a book, because that’s a bookstore application and it gives me some details about a sample book from William Shakespeare.

And that’s it really. It’s just a simple feature that is included in the Cilium Gateway API that lets you route HTTPS traffic into your Kubernetes cluster. Thanks for watching! Bye bye