Ingress Example with TLS Termination

This example builds on the HTTP and gRPC ingress examples, adding TLS termination.

Create TLS Certificate and Private Key

Self-signed CertificateCert Manager

For demonstration purposes we will use a TLS certificate signed by a made-up, self-signed certificate authority (CA). One easy way to do this is with minica. We want a certificate that will validate bookinfo.cilium.rocks and hipstershop.cilium.rocks, as these are the host names used in this ingress example.

  1. $ minica -domains '*.cilium.rocks'

On first run, minica generates a CA certificate and key (minica.pem and minica-key.pem). It also creates a directory called _.cilium.rocks containing a key and certificate file that we will use for the ingress service.

Create a Kubernetes secret with this demo key and certificate:

  1. $ kubectl create secret tls demo-cert --key=_.cilium.rocks/key.pem --cert=_.cilium.rocks/cert.pem

Let us install cert-manager:

  1. $ helm repo add jetstack https://charts.jetstack.io
  2. $ helm install cert-manager jetstack/cert-manager --version v1.7.1 --namespace cert-manager --set installCRDs=true --create-namespace

Now, create a CA Issuer:

  1. $ kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1.12/examples/kubernetes/servicemesh/ca-issuer.yaml

Deploy the Ingress

The Ingress configuration for this demo provides the same routing as those demos but with the addition of TLS termination.

Self-signed CertificateCert Manager

  1. $ kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1.12/examples/kubernetes/servicemesh/tls-ingress.yaml
  1. $ kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1.12/examples/kubernetes/servicemesh/tls-ingress.yaml

To tell cert-manager that this Ingress needs a certificate, annotate the Ingress with the name of the CA issuer we previously created:

  1. $ kubectl annotate ingress tls-ingress cert-manager.io/issuer=ca-issuer

This creates a Certificate object along with a Secret containing the TLS certificate.

  1. $ kubectl get certificate,secret demo-cert
  2. NAME                                    READY   SECRET      AGE
  3. certificate.cert-manager.io/demo-cert   True    demo-cert   33m
  4. NAME               TYPE                DATA   AGE
  5. secret/demo-cert   kubernetes.io/tls   3      33m

External IP address will be shown up in Ingress

  1. $ kubectl get ingress
  2. NAME          CLASS    HOSTS                                            ADDRESS        PORTS     AGE
  3. tls-ingress   cilium   hipstershop.cilium.rocks,bookinfo.cilium.rocks   35.195.24.75   80, 443   6m5s

In this Ingress configuration, the host names hipstershop.cilium.rocks and bookinfo.cilium.rocks are specified in the path routing rules. The client needs to specify which host it wants to access. This can be achieved by editing your local /etc/hosts` file. (You will almost certainly need to be superuser to edit this file.) Add entries using the IP address assigned to the ingress service, so your file looks something like this:

  1. $ sudo perl -ni -e 'print if !/\.cilium\.rocks$/d' /etc/hosts; sudo tee -a /etc/hosts \
  2.   <<<"$(kubectl get svc/cilium-ingress-tls-ingress -o=jsonpath='{.status.loadBalancer.ingress[0].ip}') bookinfo.cilium.rocks hipstershop.cilium.rocks"

Make HTTPS Requests

Self-signed CertificateCert Manager

By specifying the CA’s certificate on a curl request, you can say that you trust certificates signed by that CA.

  1. $ curl --cacert minica.pem -v https://bookinfo.cilium.rocks/details/1

If you prefer, instead of supplying the CA you can specify -k to tell the curl client not to validate the server’s certificate. Without either, you will get an error that the certificate was signed by an unknown authority.

Specifying -v on the curl request, you can see that the TLS handshake took place successfully.

Similarly you can specify the CA on a gRPC request like this:

  1. # Download demo.proto file if you have not done before
  2. $ curl -o demo.proto https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/pb/demo.proto
  3. $ grpcurl -proto ./demo.proto -cacert minica.pem hipstershop.cilium.rocks:443 hipstershop.ProductCatalogService/ListProducts
  1. $ curl https://bookinfo.cilium.rocks/details/1

Similarly you can specify the CA on a gRPC request like this:

  1. grpcurl -proto ./demo.proto -cacert minica.pem hipstershop.cilium.rocks:443 hipstershop.ProductCatalogService/ListProducts

Note

See the gRPC Ingress example if you don’t already have the demo.proto file downloaded.

You can also visit https://bookinfo.cilium.rocks in your browser. The browser might warn you that the certificate authority is unknown but if you proceed past this, you should see the bookstore application home page.

Note that requests will time out if you don’t specify https://.