Edit this page
Report an issueTLS Termination / Passthrough
Gateway API
The Gateway API supports both TLS termination and TLS passthrough. TLS handling is configured via a combination of a Gateway’s listeners[].tls.mode and the attached route type:
-
Passthroughmode listeners inspect the TLS stream hostname via server name indication and pass the TLS stream unaltered upstream. These listeners do not use certificate configuration. They only acceptTLSRoutes. -
Terminatemode listeners decrypt the TLS stream and inspect the request it wraps before passing it upstream. They require certificate Secret reference in thelisteners[].tls.[]certificateRefsfield. They acceptHTTPRoutes,TCPRoutes, andGRPCRoutes.
To terminate TLS, create a Gateway with a listener with .tls.mode: "Terminate", create a TLS Secret and add it to the listener .tls.certificateRefs array, and then create one of the supported route types with matching criteria that will bind it to the listener.
For HTTPRoute or GRPCRoute, the route’s hostname must match the listener hostname. For TCPRoute the route’s port must match the listener port.
Ingress
The Ingress API supports TLS termination using the .spec.tls field. To terminate TLS with the Ingress API, provide .spec.tls.secretName that contains a TLS certificate and a list of .spec.tls.hosts to match in your Ingress definition.
Examples
Prerequisites: Install Kong Ingress Controller with Gateway API support in your Kubernetes cluster and connect to Kong.
Prerequisites
Install the Gateway APIs
-
Install the experimental Gateway API CRDs before installing Kong Ingress Controller.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml -
Create a
GatewayandGatewayClassinstance to use.echo " --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: kong annotations: konghq.com/gatewayclass-unmanaged: 'true' spec: controllerName: konghq.com/kic-gateway-controller --- apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: kong spec: gatewayClassName: kong listeners: - name: proxy port: 80 protocol: HTTP allowedRoutes: namespaces: from: All " | kubectl apply -f -The results should look like this:
gatewayclass.gateway.networking.k8s.io/kong created gateway.gateway.networking.k8s.io/kong created
Install Kong
You can install Kong in your Kubernetes cluster using Helm.
-
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com helm repo update -
Install Kong Ingress Controller and Kong Gateway with Helm:
helm install kong kong/ingress -n kong --create-namespace -
Enable the Gateway API Alpha feature gate:
kubectl set env -n kong deployment/kong-controller CONTROLLER_FEATURE_GATES="GatewayAlpha=true" -c ingress-controllerThe results should look like this:
deployment.apps/kong-controller env updated
Test connectivity to Kong
Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:
-
Populate
$PROXY_IPfor future commands:export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}') echo $PROXY_IP -
Ensure that you can call the proxy IP:
curl -i $PROXY_IPThe results should look like this:
HTTP/1.1 404 Not Found Content-Type: application/json; charset=utf-8 Connection: keep-alive Content-Length: 48 X-Kong-Response-Latency: 0 Server: kong/3.0.0 {"message":"no Route matched with those values"}
TLS Termination
-
Deploy the
echoservice as a target for our HTTPRouteskubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/echo-service.yamlFor TLS termination, you need to configure a
Secretfor listener certificate on theGatewayor for the certificate onspec.tlsof theIngress. This certificate will be used in setting up TLS connection between your client and Kong Gateway. -
Create a test certificate for the
demo.example.comhostname.The results should look like this:
Older OpenSSL versions, including the version provided with OS X Monterey, require using the alternative version of this command.
-
Create a Secret containing the certificate.
kubectl create secret tls demo.example.com --cert=./server.crt --key=./server.keyThe results should look like this:
secret/demo.example.com created
Verification
You can verify the configuration by using curl:
curl --cacert ./server.crt -i -k -v -H "Host:demo.example.com" https://${PROXY_IP}/echo
You should get the following response:
Running on Pod example-echo-server-abcdef1-xxxxx
TLS Passthrough
For TLS passthrough, you also need to create a Secret for the TLS secret that is used for creating TLS connection between your client and the backend server.
-
Create a test certificate for the
demo.example.comhostname.The results should look like this:
Older OpenSSL versions, including the version provided with OS X Monterey, require using the alternative version of this command.
- Create a Secret containing the certificate.
kubectl create secret tls demo.example.com --cert=./server.crt --key=./server.keyThe results should look like this:
secret/demo.example.com created -
Configure Kong Gateway to listen on a TLS port and enable
TLSRoutein Kong Ingress Controller:Create
values-tls-passthrough.yaml:echo ' gateway: env: stream_listen: "0.0.0.0:8899 ssl" # listen a TLS port proxy: stream: - containerPort: 8899 # configure the service to forward traffic to the TLS port servicePort: 8899 controller: ingressController: env: feature_gates: "GatewayAlpha=true" # enable GatewayAlpha feature gate to turn on TLSRoute controller ' > values-tls-passthrough.yaml -
Deploy Kong Ingress Controller with:
helm upgrade -i kong kong/ingress -n kong --values values-tls-passthrough.yaml --create-namespaceThen you can create a
Deploymentto run a server accepting TLS connections with the certificate created previously, and aServiceto expose the server: -
Deploy the
tlsechoservice as a target for our HTTPRouteskubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/tls-echo-service.yaml
Verification
To verify that the TLS passthrough is configured correctly (for example, by openssl’s TLS client) use the following commands:
openssl s_client -connect ${PROXY_IP}:8899 -servername demo.example.com
You should receive the following content from the connection:
Running on Pod example-tlsroute-manifest.
Through TLS connection.
