Ingress Gateway without TLS Termination
The Securing Gateways with HTTPS task describes how to configure HTTPS ingress access to an HTTP service. This example describes how to configure HTTPS ingress access to an HTTPS service, i.e., how to configure an ingress gateway to perform SNI passthrough instead of TLS termination on incoming requests.
The example HTTPS service used for this task is a simple NGINX server.
In the following steps you first deploy the NGINX service in your Kubernetes cluster. Then you configure a gateway to provide ingress access to the service via the host nginx.example.com.
Before you begin
Set up Istio by following the instructions in the Installation guide.
Generate client and server certificates and keys
For this task you can use your favorite tool to generate certificates and keys. The commands below use openssl:
Create a root certificate and private key to sign the certificate for your services:
Create a certificate and a private key for nginx.example.com:
Deploy an NGINX server
Create a Kubernetes Secret to hold the server's certificate.
Create a configuration file for the NGINX server:
Create a Kubernetes ConfigMap to hold the configuration of the NGINX server:
Deploy the NGINX server:
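The manifests below are an added example of the three deployment steps above (configuration, ConfigMap, Deployment plus Service); they are not the page's own manifests. They assume the server certificate and key were stored in a TLS Secret named nginx-server-certs, and use the names my-nginx-configmap and my-nginx for the ConfigMap, Deployment and Service; adjust them to your cluster.

```yaml
# Added example, not the page's manifests. Assumed names: Secret
# "nginx-server-certs" (created with "kubectl create secret tls" from the
# nginx.example.com certificate and key), ConfigMap "my-nginx-configmap",
# Deployment and Service "my-nginx".
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-nginx-configmap
data:
  # NGINX terminates TLS itself; the ingress gateway never sees plaintext.
  nginx.conf: |
    events {
    }
    http {
      access_log /var/log/nginx/access.log;
      error_log  /var/log/nginx/error.log;
      server {
        listen 443 ssl;
        root /usr/share/nginx/html;
        index index.html;
        server_name nginx.example.com;
        # tls.crt / tls.key are the key names of a "kubectl create secret tls" Secret
        ssl_certificate /etc/nginx-server-certs/tls.crt;
        ssl_certificate_key /etc/nginx-server-certs/tls.key;
      }
    }
---
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    run: my-nginx
spec:
  ports:
  - port: 443
    protocol: TCP
    # the port name "https" tells Istio this port carries TLS, so the sidecar
    # treats it as opaque TLS rather than trying to parse it as HTTP
    name: https
  selector:
    run: my-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
          readOnly: true
        - name: nginx-server-certs
          mountPath: /etc/nginx-server-certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: my-nginx-configmap
      - name: nginx-server-certs
        secret:
          secretName: nginx-server-certs
```

Both volumes are mounted read-only so a compromised NGINX process cannot rewrite its own configuration or key material, and the private key only ever exists inside the NGINX pod: the gateway deployed later holds no copy of it.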
To test that the NGINX server was deployed successfully, send a request to the server from its sidecar proxy without checking the server's certificate (use the -k option of curl). Ensure that the server's certificate is printed correctly, i.e., the common name (CN) is equal to nginx.example.com.
Configure an ingress gateway
- Define a Gateway exposing port 443 with passthrough TLS mode. This instructs the gateway to pass the ingress traffic "as is", without terminating TLS:
- Configure routes for traffic entering via the Gateway:
- Determine the ingress IP and port, and set the SECURE_INGRESS_PORT and INGRESS_HOST environment variables. Use the following commands to set the SECURE_INGRESS_PORT and INGRESS_HOST environment variables:
- Access the NGINX service from outside the cluster. Note that the correct certificate is returned by the server and it is successfully verified (SSL certificate verify ok is printed).
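The following Gateway and VirtualService are an added example of the first two steps above (a passthrough Gateway and the route behind it), not the page's own manifests. They assume the Gateway is named mygateway and selects the default ingress gateway workload (istio=ingressgateway), the VirtualService is named nginx, and the backend is a Service named my-nginx listening on port 443 in the same namespace. The networking.istio.io/v1 API is used; older Istio releases need v1beta1.

```yaml
# Added example, not the page's manifests. Assumed names: Gateway "mygateway",
# VirtualService "nginx", backend Service "my-nginx" on port 443, all in one
# namespace; the gateway workload is selected by the label istio=ingressgateway.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      # PASSTHROUGH: no credentialName, the gateway holds no key and cannot
      # decrypt; it forwards the TLS stream based on the ClientHello SNI only
      mode: PASSTHROUGH
    hosts:
    - nginx.example.com
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - nginx.example.com
  gateways:
  - mygateway
  # a "tls" route (not "http"): with passthrough the gateway sees no HTTP
  # request, so the only routable attribute is the SNI host
  tls:
  - match:
    - port: 443
      sniHosts:
      - nginx.example.com
    route:
    - destination:
        host: my-nginx
        port:
          number: 443
```

Two consequences to keep in mind when choosing passthrough. First, the TLS session runs end to end between the external client and NGINX, which is why the final curl step verifies the nginx.example.com certificate rather than a gateway certificate. Second, because the gateway never decrypts, HTTP-level routing (paths, headers), gateway-side request authentication and authorization, and request-level access logs are unavailable at the gateway; its logs show only the SNI, the destination and byte counts, so any L7 policy or logging must be enforced at NGINX itself.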
Cleanup
- Delete the gateway configuration and route:
- Remove the NGINX resources and configuration file:
- Delete the certificates and keys: