Proxy GRPC Traffic over TLS
Create a GRPCRoute
resource, which will then be converted in to a Kong Gateway Service and Route.
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Copied to clipboard!
Annotate the Kubernetes service
All services are assumed to be either HTTP or HTTPS by default. We need to update the service to specify gRPC over TLS as the protocol by adding a konghq.com/protocol
annotation.
The annotation grpcs
informs Kong Gateway that this service is a gRPC (with TLS) service and not an HTTP service.
kubectl annotate service -n kong grpcbin 'konghq.com/protocol=grpcs'
Generate a TLS certificate
-
Create a test certificate for the
example.com
hostname. This will be used to secure TLS traffic.Older OpenSSL versions, including the version provided with macOS Monterey, require using the alternative version of this command.
-
Create a Secret containing the certificate:
kubectl create secret -n kong tls example.com --cert=./server.crt --key=./server.key
Copied to clipboard!
Route gRPC traffic
Now that the test application is running, you can create GRPC routing configuration that proxies traffic to the application.
Test the configuration
Use grpcurl
to send a gRPC request through the proxy:
grpcurl -d '{"greeting": "Kong"}' -authority example.com -insecure $PROXY_IP:443 hello.HelloService.SayHello
You should see the following response:
{
"reply": "hello Kong"
}
Cleanup
Delete created Kubernetes resources
kubectl delete -n kong -f https://developer.konghq.com/manifests/kic/grpcbin-service.yaml