Nico Vibert is a Senior Technical Marketing Engineer at Isovalent – the company behind the open-source cloud native solution Cilium. Nico has worked in many different roles – operations and support, design and architecture, technical pre-sales – at companies such as HashiCorp, VMware and Cisco. Nico’s focus is primarily on network, cloud and automation and he loves creating content and writing books. Nico regularly speaks at events, whether on a large scale such as VMworld, Cisco Live or at smaller forums such as VMware and AWS User Groups or virtual events such as HashiCorp HashiTalks. Outside of Isovalent, Nico’s passionate about intentional diversity & inclusion initiatives and is Chief DEI Officer at the Open Technology organization OpenUK.
Cilium Gateway API – TLS Termination
[06:39] In this video, Senior Technical Marketing Engineer Nico Vibert walks you through how Cilium Gateway API can route HTTPS traffic into your cluster.
In this demo, we’re going to be testing TLS termination with a Cilium Gateway API. In the previous demos, what we ’ve done is look at the Cilium Gateway API with HTTP Routes directing traffic into your Kubernetes cluster, right? Using simple non-encrypted HTTP, and using the Gateway API in the HTTP route, we could route traffic to different services depending on the different characteristics, like headers or the path. Now, obviously, it’s not exactly the most secure protocol, so we can also use HTTPS and TLS termination on the Gateway API to route traffic.
We’re going to be using the bookinfo application, which is typically used with Istio and developed by the people behind Istio. It’s a microservices-based application. You’ve got Node.js, Java, Python, and Ruby set of deployments and microservices, and we are going to be using the Gateway API to access the details service.
And let’s get started. So first, we’re going to do HTTPS, so we need a certificate, and for this, we’re going to be using mkcert, and we’re going to be creating a certificate that will validate bookinginfo.cillium.rocks.
And,,we just created a local CA, so we’ve created a certificate and a key, and we’re going to go and store them as a Kubernetes TLS Secret.
Yeah, there it is. Now that we’ve got our TLS secret, let’s just review the Cilium Gateway configuration.
First, if you look at the Manifest, you’ve git a Gateway resource. Here’s a name, there’s a type of Gateway, which is a Cilium one, and we are listening on HTTPS, and we’re listening for a couple of different hostnames on the port 443, and we are referring to the Kubernetes secret we’ve just created. So we are just binding that TLS secret to this hostname, and we’ve got a couple of HTTP routes. One is for hipstershop.cilium.rocks, which we’re actually not going to be using for this quick demo. We’re just going to be using the bookinfo.cilium.rocks. And what will happen is if the path includes the /details in the URL, we’ll send this to the backend reference, which is a Service details over port 9080. If we could look at the service, you can see we’ve got Service details which is just listening over port 1980. We are now ready to deploy this Gateway.
Once we deploy this getaway, what was automatically created is a Kubernetes service of the type LoadBalancer, and you can see that an IP external IP has been automatically allocated, and this can be done with any kind of Load Balancer IP Address Management platform that can be MetalLb or Cilium can now do it. It’s a new feature that came in with Cilium 1.13..
We’re just going to go and save that IP, and before we start making, you know, try to access this service over HTTPS, what we need to make sure is we need to edit the hostname and make sure that bokinfo.cilium.rocks refers to this particular IP. Just added this one here we go.
And the last thing we need to do is to really install the certificate. Here we go. So that we are now ready to make curl requests, and it’s successful. And you can see that I’ve made that request which is highlighted here. It went to the Gateway API that was validated, the certificate was validated, and it was forwarded to the details service. And what it gives me in return is the details of a book, because that’s a bookstore application and it gives me some details about a sample book from William Shakespeare.
And that’s it really. It’s just a simple feature that is included in the Cilium Gateway API that lets you route HTTPS traffic into your Kubernetes cluster. Thanks for watching! Bye bye