Proxy GRPC Traffic over TLS

Uses: Kong Ingress Controller

Deployment Platform:

Prerequisites

Kong Konnect

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Set the personal access token as an environment variable:
```
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
```
Copied to clipboard!

Enable the Gateway API

Install the Gateway API CRDs before installing Kong Ingress Controller.

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml

Copied to clipboard!

Create a Gateway and GatewayClass instance to use.

echo "
apiVersion: v1
kind: Namespace
metadata:
  name: kong
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: kong
  annotations:
    konghq.com/gatewayclass-unmanaged: 'true'
spec:
  controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
         from: All
" | kubectl apply -n kong -f -

      
        
      
    
Copied to clipboard!

Create a KIC Control Plane

Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:

CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "My KIC CP",
       "cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
     }')

Copied to clipboard!

We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:

CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')

Copied to clipboard!

Create mTLS certificates

Kong Ingress Controller talks to Konnect over a connected secured with TLS certificates.

Generate a new certificate using openssl:

openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt

Copied to clipboard!

The certificate needs to be a single line string to send it to the Konnect API with curl. Use awk to format the certificate:

export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);

Copied to clipboard!

Next, upload the certificate to Konnect:

curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "cert": "'$CERT'"
     }'

Copied to clipboard!

Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:

kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key

Copied to clipboard!

Kong Ingress Controller running (attached to Konnect)

Add the Kong Helm charts:

helm repo add kong https://charts.konghq.com
helm repo update

Copied to clipboard!

Create a values.yaml file:

cat <<EOF > values.yaml
controller:
  ingressController:
    image:
      tag: "3.4"
    env:
      feature_gates: "FillIDs=true"
    konnect:
      license:
        enabled: true
      enabled: true
      controlPlaneID: "$CONTROL_PLANE_ID"
      tlsClientCertSecretName: konnect-client-tls
      apiHostname: "us.kic.api.konghq.com"
gateway:
  image:
    repository: kong/kong-gateway
  env:
    konnect_mode: 'on'
    vitals: "off"
    cluster_mtls: pki
    cluster_telemetry_endpoint: "$CONTROL_PLANE_TELEMETRY:443"
    cluster_telemetry_server_name: "$CONTROL_PLANE_TELEMETRY"
    cluster_cert: /etc/secrets/konnect-client-tls/tls.crt
    cluster_cert_key: /etc/secrets/konnect-client-tls/tls.key
    lua_ssl_trusted_certificate: system
    proxy_access_log: "off"
    dns_stale_ttl: "3600"
  secretVolumes:
     - konnect-client-tls
EOF

      
        
      
    
Copied to clipboard!

Install Kong Ingress Controller using Helm:

helm install kong kong/ingress -n kong --create-namespace --values ./values.yaml

Copied to clipboard!

Set $PROXY_IP as an environment variable for future commands:

export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}')
echo $PROXY_IP

Copied to clipboard!

Kong Ingress Controller running

Add the Kong Helm charts:

helm repo add kong https://charts.konghq.com
helm repo update

Copied to clipboard!

Install Kong Ingress Controller using Helm:

helm install kong kong/ingress -n kong --create-namespace

Copied to clipboard!

Set $PROXY_IP as an environment variable for future commands:

export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}')
echo $PROXY_IP

Copied to clipboard!

Required Kubernetes resources

This how-to requires some Kubernetes services to be available in your cluster. These services will be used by the resources created in this how-to.

kubectl apply -f https://developer.konghq.com/manifests/kic/grpcbin-service.yaml -n kong

Copied to clipboard!

gRPCurl installed

Annotate the Kubernetes service

All services are assumed to be either HTTP or HTTPS by default. We need to update the service to specify gRPC over TLS as the protocol by adding a konghq.com/protocol annotation.

The annotation grpcs informs Kong Gateway that this service is a gRPC (with TLS) service and not an HTTP service.

kubectl annotate service -n kong grpcbin 'konghq.com/protocol=grpcs'

Copied to clipboard!

Generate a TLS certificate

Create a test certificate for the example.com hostname. This will be used to secure TLS traffic.

openssl req -subj '/CN=example.com' -new -newkey rsa:2048 -sha256 \
   -days 365 -nodes -x509 -keyout server.key -out server.crt \
   -addext "subjectAltName = DNS:example.com" \
   -addext "keyUsage = digitalSignature" \
   -addext "extendedKeyUsage = serverAuth" 2> /dev/null;
   openssl x509 -in server.crt -subject -noout

Copied to clipboard!

openssl req -subj '/CN=example.com' -new -newkey rsa:2048 -sha256 \
   -days 365 -nodes -x509 -keyout server.key -out server.crt \
   -extensions EXT -config <( \
    printf "[dn]\nCN=example.com\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:example.com\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") 2>/dev/null;
   openssl x509 -in server.crt -subject -noout

Copied to clipboard!

Older OpenSSL versions, including the version provided with macOS Monterey, require using the alternative version of this command.

Create a Secret containing the certificate:

 kubectl create secret -n kong tls example.com --cert=./server.crt --key=./server.key

Copied to clipboard!

Route gRPC traffic

Now that the test application is running, you can create GRPC routing configuration that proxies traffic to the application.

To reconcile the GRPCRoute, configure an additional TLS listener configured on your Gateway resource:

kubectl patch -n kong --type=json gateway kong -p='[
    {
        "op":"add",
        "path":"/spec/listeners/-",
        "value":{
            "name":"grpc",
            "port":443,
            "protocol":"HTTPS",
            "hostname":"example.com",
            "tls": {
                "certificateRefs":[{
                    "group":"",
                    "kind":"Secret",
                    "name":"example.com"
                 }]
            }
        }
    }
]'

      
        
      
    
Copied to clipboard!

Next, create a GRPCRoute:

echo 'apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: grpcbin
  namespace: kong
spec:
  parentRefs:
  - name: kong
  hostnames:
  - "example.com"
  rules:
  - backendRefs:
    - name: grpcbin
      port: 9001
' | kubectl apply -f -

      
        
      
    
Copied to clipboard!

All routes and services are assumed to be either HTTP or HTTPS by default. We need to update the service to specify gRPC as the protocol by adding a konghq.com/protocols annotation.

This annotation informs Kong Gateway that this Ingress routes gRPC (with TLS) traffic and not HTTP traffic.

echo "apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grpcbin
  namespace: kong
  annotations:
    konghq.com/protocols: grpcs
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grpcbin
            port:
              number: 9001" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Test the configuration

Use grpcurl to send a gRPC request through the proxy:

grpcurl -d '{"greeting": "Kong"}' -authority example.com -insecure $PROXY_IP:443 hello.HelloService.SayHello

Copied to clipboard!

You should see the following response:

{
  "reply": "hello Kong"
}

Copied to clipboard!