Set up a TLS Gateway
This tutorial shows how to set up a TLS Gateway in simple and mutual modes. It also explains how to configure authentication for an mTLS Gateway based on certificate details.
Prerequisites
- Deploy a sample HttpBin service and a sample Function.
- Set up your custom domain and export the following values as environment variables:

  export DOMAIN_TO_EXPOSE_WORKLOADS={DOMAIN_NAME}
  export GATEWAY=$NAMESPACE/httpbin-gateway
Set up a TLS Gateway in simple mode
To create a TLS Gateway in simple mode, run:
cat <<EOF | kubectl apply -f -
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: $NAMESPACE
spec:
  selector:
    istio: ingressgateway # Use Istio Ingress Gateway as default
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: $TLS_SECRET
      hosts:
        - "*.$DOMAIN_TO_EXPOSE_WORKLOADS"
EOF
Set up a TLS Gateway in mutual mode
Create a mutual TLS Gateway. Run:

cat <<EOF | kubectl apply -f -
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ${MTLS_GATEWAY_NAME}
  namespace: ${NAMESPACE}
spec:
  selector:
    istio: ingressgateway
    app: istio-ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: MUTUAL
        credentialName: ${TLS_SECRET}
        minProtocolVersion: TLSV1_2
        cipherSuites:
          - ECDHE-RSA-CHACHA20-POLY1305
          - ECDHE-RSA-AES256-GCM-SHA384
          - ECDHE-RSA-AES256-SHA
          - ECDHE-RSA-AES128-GCM-SHA256
          - ECDHE-RSA-AES128-SHA
      hosts:
        - '*.${DOMAIN_TO_EXPOSE_WORKLOADS}'
    - port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
      hosts:
        - '*.${DOMAIN_TO_EXPOSE_WORKLOADS}'
EOF

Export the base64-encoded client root CA certificate as an environment variable:

# tr removes the line breaks that GNU base64 inserts every 76 characters,
# so the value fits on the single YAML line the Secret below expects.
export CLIENT_ROOT_CA_CRT_ENCODED=$(cat ${CLIENT_ROOT_CA_CRT_FILE} | base64 | tr -d '\n')

Add the client root CA to the CA cert bundle Secret for the mTLS Gateway. Run:

cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: ${TLS_SECRET}-cacert
  namespace: istio-system
type: Opaque
data:
  cacert: ${CLIENT_ROOT_CA_CRT_ENCODED}
EOF
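As an added consistency check (example code, not part of this tutorial or of Kyma or Istio), the following Python verifies that a MUTUAL Gateway and its CA bundle Secret fit together the way Istio expects: the Secret must live in istio-system, be named after the credentialName with the -cacert suffix, and carry a single-line base64 PEM under the cacert key. The manifests and the certificate are constructed stand-ins for kubectl get -o json output; all names are placeholders.

```python
import base64
import binascii

# Constructed stand-ins for `kubectl get gateway/secret -o json`; names are placeholders.
# The Gateway mirrors the MUTUAL server in the manifest above.
GATEWAY = {"metadata": {"name": "mtls-gateway", "namespace": "default"},
           "spec": {"servers": [
               {"port": {"number": 443, "protocol": "HTTPS"},
                "tls": {"mode": "MUTUAL", "credentialName": "my-tls-secret",
                        "minProtocolVersion": "TLSV1_2"}},
               {"port": {"number": 80, "protocol": "HTTP"}, "tls": {"httpsRedirect": True}}]}}
# Constructed client root CA; only the PEM framing matters for this check.
CLIENT_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"

def make_cacert_secret(credential_name, namespace, cacert_b64):
    """Build the `<credentialName>-cacert` Secret in the shape Istio expects (constructed)."""
    return {"metadata": {"name": f"{credential_name}-cacert", "namespace": namespace},
            "type": "Opaque", "data": {"cacert": cacert_b64}}

GOOD_SECRET = make_cacert_secret("my-tls-secret", "istio-system",
                                 base64.b64encode(CLIENT_CA_PEM).decode())
# Same CA, but with the line wrapping GNU `base64` emits unless -w0 is given.
WRAPPED_SECRET = make_cacert_secret("my-tls-secret", "istio-system",
                                    base64.encodebytes(CLIENT_CA_PEM).decode())

def find_mtls_issues(gateway, secrets):
    """Return problems that would stop Istio from validating client certificates."""
    issues = []
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    for server in gateway["spec"]["servers"]:
        tls = server.get("tls", {})
        if tls.get("mode") != "MUTUAL":
            continue  # SIMPLE and plain-HTTP redirect servers need no client CA
        cred = tls.get("credentialName", "")
        if tls.get("minProtocolVersion") not in ("TLSV1_2", "TLSV1_3"):
            issues.append(f"{cred}: minProtocolVersion should be TLSV1_2 or higher")
        # Istio reads the client CA from istio-system/<credentialName>-cacert, key "cacert".
        ca_secret = by_key.get(("istio-system", f"{cred}-cacert"))
        if ca_secret is None:
            issues.append(f"{cred}: Secret istio-system/{cred}-cacert not found")
            continue
        encoded = ca_secret.get("data", {}).get("cacert", "")
        try:
            pem = base64.b64decode(encoded, validate=True)  # rejects wrapped/newlined base64
        except binascii.Error:
            issues.append(f"{cred}-cacert: 'cacert' is not single-line base64")
            continue
        if b"-----BEGIN CERTIFICATE-----" not in pem:
            issues.append(f"{cred}-cacert: 'cacert' does not decode to a PEM certificate")
    return issues
```

Feed it the real objects with `kubectl get gateway ${MTLS_GATEWAY_NAME} -n ${NAMESPACE} -o json` and `kubectl get secret -n istio-system -o json` (the items list); an empty result means the Gateway can find and parse its client CA.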