About the speaker: Nico Vibert, Senior Staff Technical Marketing Engineer

Cilium Gateway API – TLS Passthrough

[10:48] In this video, learn about a new Cilium 1.14 Feature - support for the Gateway API TLSRoute resource and the ability to support end-to-end encryption with TLS Passthrough!


In this new video, we’re going to explore a new Cilium 1.14 feature called TLS Route or TLS Passthrough, which is a feature that is part of the Gateway API implementation on Cilium. Now, Gateway API, if you watched any of the previous videos, it’s a way to route traffic into your Kubernetes cluster, and it’s a long-term replacement for the Ingress resource. And if you’ve looked at some of the previous videos, we’ve covered some use cases where HTTPS traffic would come in to the Gateway, and depending on the HTTP path, for example, we would route the traffic towards different services and backends. And this was using something called TLS termination, where TLS traffic would, you know, terminate at the Gateway, and then it would be unencrypted from the Gateway all the way to its backend, and again, this works great. It’s quite a popular solution, and all your certificates are managed at the Gateway, and again, this is fine. Obviously, you have unencrypted traffic within your cluster, which may or may not be acceptable, right? You could apply maybe something like WireGuard or Transparent Encryption with Cilium to encrypt the traffic, or you can use this new feature, which is called TLS Passthrough, and this is going to enable us to have end-to-end encryption from your client all the way to your pod, and in these scenarios, the Gateway is just a way to, you know, it doesn’t really change the TLS stream and it’s just using the TLS hostname, the SNI, to route traffic to the correct backend. So again, in the previous mode, you had HTTPS traffic encrypted all the way to the Gateway, and then it was unencrypted, and in this new model, well, you can again choose depending on your requirements. Your traffic is encrypted all the way through from your client, external client, all the way to your backend. Now let’s have a look at the demo. I’m actually going to be using a new lab that we’ve been putting together for this demo – let’s get started.

So in this demo, we’re going to actually start by creating the certificates and keys required to build this kind of end-to-end encrypted connectivity, and we’re going to create a web server listening on 443 for HTTPS traffic, and we’re going to verify that my external client can access my backend over HTTPS. We’re going to see the TLS exchange, and let’s get started. So first, we’re actually going to be using OpenSSL to create our certificates, right? So you can see I’ve got my CRT created, and then we are first creating it for the domain, so we’re using the cilium.rocks domain. And again, I’m using OpenSSL to create also the certificate and the private key for nginx.cilium.rocks, using an nginx server for my backend. And finally, we’re going to again create a Kubernetes TLS Secret, which is going to be based on this key and the certificate, and that’s good. We’re going to refer to this when we create our web server. Cool. So we’ve got our files, so let’s now go and create our demo app. So we’re going to get again, as I mentioned, we’re going to create an nginx server. As you can see, it’s listening on port 443. I have created a really basic index file, which is going to be your welcome page for the web server, which is “Welcome to Cilium Rocks”. And then we’re using some of the certificates that we’ve just created. So, the nginx configuration is stored in a ConfigMap, so we’re going to go and create that ConfigMap, which is based on this nginx configuration. And if we have a quick look, again, at the configuration of the nginx web server, we’ve got a Service that is fronting it, again on 443, and it is a Deployment of a single replica, which is again based on the nginx image, and we are mounting some files: the certificates, the configuration, the index file for our web server. So let’s go and apply it.

There you go. So my nginx HTTPS web server is ready, and now we can deploy the Gateway and deploy the TLS route, which again is a type of resource that you get with the Gateway API, and it’s now supported with Cilium 1.14. So let’s have a quick look at the configuration again. You know, I’m assuming you’re familiar with the Gateway API, but you can have a quick recap: Gateway API again, it’s an evolution of Ingress, and the way it’s configured is by using a Gateway resource and also different types of route resources. So let’s have a quick look. So we’re deploying a Gateway of the class Cilium, right? It’s a Cilium Gateway API, and the Gateway is listening on port 443 for TLS traffic, and we are in mode Passthrough, and again, we are listening for this specific hostname, and we just route traffic based on that hostname. And again, if you’re familiar with some of the other videos we’ve done, this wasn’t there. This is again some of the new functionality in Cilium 1.14.

Okay, and now let’s have a quick look at the TLS route.

And I think that’s pretty simple, what we’ve just done is we have attached that route to the Gateway I was just showing you, and again, it’s based on the hostname that you know, we’re going to route traffic to, and we are sending that traffic to our nginx backend service.

So let’s go ahead.

Okay, so again, in the lab, you’ll be able to see it. You know, we’ll provide some more explanation, but essentially, I’m just repeating that the traffic is encrypted all the way through from the client to the Gateway and then from the Gateway to the Pod.

Let’s have a quick look first, yes, the Gateway has been deployed. It’s picked up an external IP. I’m just going to save that IP as an environment variable.
Let’s have a quick look at the TLS route. We’re just going to make sure that it’s been attached successfully to the Gateway, right? So again, when you create HTTP routes or TLS routes with the Gateway API, you need to make sure it’s been successfully attached to a Gateway, and as you can see, I’m just checking the status, and it’s been accepted by the Gateway, it’s been attached, and it’s been attached to the Cilium TLS Gateway, so everything’s working as we expect. And now we’re just going to make a request over HTTPS, and we’re just going to verify that we’ve had end-to-end encryption.

And it’s been successful. So what we’ve done, just to recap quickly, we’re doing a curl command to my nginx server. You can see the hostname. And we are using our certificates, and so we are resolving that name to our Gateway IP, which is the one I saved earlier, and connectivity is successful. You can see I’ve connected to my web server cilium.rocks. What you can also see is a full TLS handshake and the TLS negotiation. You can see, you know, you can see that the SSL certificate has been verified successfully. And really, that’s it for this demo. This is just to show you a new Gateway API functionality that is available with Cilium 1.14, where you can have TLS passthrough through the Gateway, and the Gateway API is just there to route traffic based on the SNI. So that’s it. Thanks very much for watching.

Thank you.
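The Gateway and TLSRoute manifests that the demo walks through, written out as an added example (this is not the video's or the lab's own manifest). The hostname nginx.cilium.rocks, the cilium GatewayClass, port 443 and tls.mode Passthrough are the settings the video describes; the object names cilium-tls-gateway and nginx-service, the namespace, and the API versions shown are assumptions for a Cilium 1.14-era Gateway API install.

```yaml
# Added example: a Passthrough listener plus the TLSRoute that binds to it.
# Object names (cilium-tls-gateway, nginx-service) and the namespace are assumed.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: cilium-tls-gateway      # assumed name
  namespace: default            # assumed namespace
spec:
  gatewayClassName: cilium      # Cilium's Gateway API implementation
  listeners:
  - name: https
    hostname: "nginx.cilium.rocks"   # only SNI matching this hostname is routed
    port: 443
    protocol: TLS
    tls:
      mode: Passthrough
      # No certificateRefs here: in Passthrough mode the Gateway never
      # terminates TLS, so it holds no key material. The certificate and
      # private key live only in the backend pod (the nginx TLS Secret).
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: nginx-tls-route          # assumed name
  namespace: default             # assumed namespace
spec:
  parentRefs:
  - name: cilium-tls-gateway     # must match the Gateway above
    namespace: default
  hostnames:
  - "nginx.cilium.rocks"         # must be covered by the listener's hostname
  rules:
  - backendRefs:
    - name: nginx-service        # assumed name of the Service fronting nginx
      port: 443                  # the HTTPS port nginx listens on
```

After `kubectl apply -f` on this file, confirm the route attached by inspecting the TLSRoute's `status.parents` conditions: `Accepted` and `ResolvedRefs` should both be `True`, and the parent should name cilium-tls-gateway, which is the check the video performs. Because the Gateway only reads the SNI and forwards the TCP stream, the client verifies the backend's certificate directly; a request such as `curl -v --cacert ca.crt --resolve "nginx.cilium.rocks:443:$GATEWAY_IP" https://nginx.cilium.rocks` (with `$GATEWAY_IP` being the Gateway's external address saved to an environment variable, as in the demo, and `ca.crt` the CA you generated with OpenSSL) should show a full handshake and a verified certificate chain. If the SNI in the ClientHello does not match the listener hostname, the Gateway has no route for the connection and it is refused, so a client that omits SNI, or a stale `--resolve` entry, is the first thing to rule out when the handshake fails.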