Ingress Gateway without TLS Termination

The Securing Gateways with HTTPS task describes how to configure HTTPSingress access to an HTTP service. This example describes how to configure HTTPS ingress access to an HTTPS service,i.e., configure an ingress gateway to perform SNI passthrough, instead of TLS termination on incoming requests.

The example HTTPS service used for this task is a simple NGINX server.In the following steps you first deploy the NGINX service in your Kubernetes cluster.Then you configure a gateway to provide ingress access to the service via host nginx.example.com.

Generate client and server certificates and keys

  1. $ git clone https://github.com/nicholasjackson/mtls-go-example
  • Change directory to the cloned repository:
  1. $ pushd mtls-go-example
  • Generate the certificates for nginx.example.com.Use any password with the following command:
  1. $ ./generate.sh nginx.example.com <password>

When prompted, select y for all the questions.

  • Move the certificates into the nginx.example.com directory:
  1. $ mkdir ../nginx.example.com && mv 1_root 2_intermediate 3_application 4_client ../nginx.example.com
  • Return to the root directory:
  1. $ popd

Deploy an NGINX server

  • Create a Kubernetes Secret to hold the server’scertificate.
  1. $ kubectl create secret tls nginx-server-certs --key nginx.example.com/3_application/private/nginx.example.com.key.pem --cert nginx.example.com/3_application/certs/nginx.example.com.cert.pem
  • Create a configuration file for the NGINX server:
  1. $ cat <<EOF > ./nginx.conf
  2. events {
  3. }
  4. http {
  5. log_format main '$remote_addr - $remote_user [$time_local] $status '
  6. '"$request" $body_bytes_sent "$http_referer" '
  7. '"$http_user_agent" "$http_x_forwarded_for"';
  8. access_log /var/log/nginx/access.log main;
  9. error_log /var/log/nginx/error.log;
  10. server {
  11. listen 443 ssl;
  12. root /usr/share/nginx/html;
  13. index index.html;
  14. server_name nginx.example.com;
  15. ssl_certificate /etc/nginx-server-certs/tls.crt;
  16. ssl_certificate_key /etc/nginx-server-certs/tls.key;
  17. }
  18. }
  19. EOF
  • Create a Kubernetes ConfigMapto hold the configuration of the NGINX server:
  1. $ kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf
  • Deploy the NGINX server:
  1. $ cat <<EOF | istioctl kube-inject -f - | kubectl apply -f -
  2. apiVersion: v1
  3. kind: Service
  4. metadata:
  5. name: my-nginx
  6. labels:
  7. run: my-nginx
  8. spec:
  9. ports:
  10. - port: 443
  11. protocol: TCP
  12. selector:
  13. run: my-nginx
  14. ---
  15. apiVersion: apps/v1
  16. kind: Deployment
  17. metadata:
  18. name: my-nginx
  19. spec:
  20. selector:
  21. matchLabels:
  22. run: my-nginx
  23. replicas: 1
  24. template:
  25. metadata:
  26. labels:
  27. run: my-nginx
  28. spec:
  29. containers:
  30. - name: my-nginx
  31. image: nginx
  32. ports:
  33. - containerPort: 443
  34. volumeMounts:
  35. - name: nginx-config
  36. mountPath: /etc/nginx
  37. readOnly: true
  38. - name: nginx-server-certs
  39. mountPath: /etc/nginx-server-certs
  40. readOnly: true
  41. volumes:
  42. - name: nginx-config
  43. configMap:
  44. name: nginx-configmap
  45. - name: nginx-server-certs
  46. secret:
  47. secretName: nginx-server-certs
  48. EOF
  • To test that the NGINX server was deployed successfully, send a request to the server from its sidecar proxywithout checking the server’s certificate (use the -k option of curl). Ensure that the server’s certificate isprinted correctly, i.e., common name is equal to nginx.example.com.
  1. $ kubectl exec -it $(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
  2. ...
  3. SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
  4. server certificate verification SKIPPED
  5. server certificate status verification SKIPPED
  6. common name: nginx.example.com (matched)
  7. server certificate expiration date OK
  8. server certificate activation date OK
  9. certificate public key: RSA
  10. certificate version: #3
  11. subject: C=US,ST=Denial,L=Springfield,O=Dis,CN=nginx.example.com
  12. start date: Wed, 15 Aug 2018 07:29:07 GMT
  13. expire date: Sun, 25 Aug 2019 07:29:07 GMT
  14. issuer: C=US,ST=Denial,O=Dis,CN=nginx.example.com
  15. > GET / HTTP/1.1
  16. > User-Agent: curl/7.35.0
  17. > Host: nginx.example.com
  18. ...
  19. < HTTP/1.1 200 OK
  20. < Server: nginx/1.15.2
  21. ...
  22. <!DOCTYPE html>
  23. <html>
  24. <head>
  25. <title>Welcome to nginx!</title>
  26. ...

Configure an ingress gateway

  • Define a Gateway with a server section for port 443. Note the PASSTHROUGH tls mode which instructsthe gateway to pass the ingress traffic AS IS, without terminating TLS.
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: mygateway
  6. spec:
  7. selector:
  8. istio: ingressgateway # use istio default ingress gateway
  9. servers:
  10. - port:
  11. number: 443
  12. name: https
  13. protocol: HTTPS
  14. tls:
  15. mode: PASSTHROUGH
  16. hosts:
  17. - nginx.example.com
  18. EOF
  • Configure routes for traffic entering via the Gateway:
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: VirtualService
  4. metadata:
  5. name: nginx
  6. spec:
  7. hosts:
  8. - nginx.example.com
  9. gateways:
  10. - mygateway
  11. tls:
  12. - match:
  13. - port: 443
  14. sni_hosts:
  15. - nginx.example.com
  16. route:
  17. - destination:
  18. host: my-nginx
  19. port:
  20. number: 443
  21. EOF
  • Follow the instructions inDetermining the ingress IP and portsto define the SECURE_INGRESS_PORT and INGRESS_HOST environment variables.

  • Access the NGINX service from outside the cluster. Note that the correct certificate is returned by the server andit is successfully verified (SSL certificate verify ok is printed).

  1. $ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert nginx.example.com/2_intermediate/certs/ca-chain.cert.pem https://nginx.example.com:$SECURE_INGRESS_PORT
  2. Server certificate:
  3. subject: C=US; ST=Denial; L=Springfield; O=Dis; CN=nginx.example.com
  4. start date: Aug 15 07:29:07 2018 GMT
  5. expire date: Aug 25 07:29:07 2019 GMT
  6. common name: nginx.example.com (matched)
  7. issuer: C=US; ST=Denial; O=Dis; CN=nginx.example.com
  8. SSL certificate verify ok.
  9. < HTTP/1.1 200 OK
  10. < Server: nginx/1.15.2
  11. ...
  12. <html>
  13. <head>
  14. <title>Welcome to nginx!</title>

Cleanup

  • Remove created Kubernetes resources:
  1. $ kubectl delete secret nginx-server-certs
  2. $ kubectl delete configmap nginx-configmap
  3. $ kubectl delete service my-nginx
  4. $ kubectl delete deployment my-nginx
  5. $ kubectl delete gateway mygateway
  6. $ kubectl delete virtualservice nginx
  • Delete the directory containing the certificates and the repository used to generate them:
  1. $ rm -rf nginx.example.com mtls-go-example
  • Delete the generated configuration files used in this example:
  1. $ rm -f ./nginx.conf

See also

Istio as a Proxy for External Services

Configure Istio ingress gateway to act as a proxy for external services.

Kubernetes Ingress with Cert-Manager

Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager.

Deploy a Custom Ingress Gateway Using Cert-Manager

Describes how to deploy a custom ingress gateway using cert-manager manually.

Configuring Istio Ingress with AWS NLB

Describes how to configure Istio ingress with a network load balancer on AWS.

Consuming External Web Services

Describes a simple scenario based on Istio's Bookinfo example.

Ingress Gateways

Describes how to configure an Istio gateway to expose a service outside of the service mesh.