How to set gateway API with HTTPS TLS cert


From the Kubernetes website, it only provides the info for general HTTP-based listeners.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
spec:
  gatewayClassName: example-class
  listeners:
  - name: http
    protocol: HTTP
    port: 80

I need to set the gateway API with HTTPS and TLS cert for my cluster.
How should I do it?
Is this the correct way?

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
spec:
  gatewayClassName: example-class
  listeners:
  - protocol: HTTPS
    port: 443
   hostname: foo.example.com
   tls:
      certificateRefs:
      - kind: Secret
        group: ""
        name: foo-example-com-cert

Hi Megan_Liu.
It’s almost correct:

  • some indentation is not ok
  • listener name is missing

So, the correct manifest would be:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
spec:
  gatewayClassName: example-class
  listeners:
  - protocol: HTTPS
    name: https
    port: 443
    hostname: foo.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""  # Can be omitted if it is from the main API group (empty by default)
        name: tls-secret

But a gateway is just one piece.
If you need to test something like: curl -k https://foo.example.com:30080, you must have the following components for your gateway to work:

  1. install all gateway CRDs/controllers (they are typically already installed)
  2. replace “example-class” with the correct name (run this command and use the name under the “NAME” column: kubectl get gatewayclasses.gateway.networking.k8s.io)
  3. create a TLS secret (please run ‘kubectl create secret tls --help’ to see more details on how to create it)
  4. create a deployment or at least a pod (I suggest the nginx image, just to test)
  5. create a service to expose the app from the previous step
  6. create an HTTPRoute object

After creating the gateway you referred to, you should create an HTTPRoute to test; I suggest something like this:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-httproute
spec:
  parentRefs:
  - name: example-gateway
  hostnames:
  - "foo.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: example-svc
      port: 8080  # assuming that the service created in step 5 was created with port=8080

Be sure that your gateway CRDs included a service of type NodePort where you can get the right port to test.
For that, you can run this command: kubectl get svc -A | grep gateway | grep NodePort

Get the IP of one of your nodes (command: kubectl get nodes -o wide) and add the name foo.example.com in your /etc/hosts in the line that corresponds to the node IP.

Finally you can test the URL with: curl -k https://foo.example.com:30080 (the port may differ)
and you will see the nginx default page :slight_smile:

I hope it helps! :slight_smile:
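
The checks discussed in this thread (listener name present, HTTPS listener carrying certificateRefs, the referenced Secret being a TLS Secret, the HTTPRoute pointing at the Gateway with a matching hostname) can be run before applying anything. This is an added example, not code from either poster or from the Gateway API project; the function name `lint_gateway`, the helper `gateway` and the sample dicts are assumptions made for illustration, and Secret lookup is by name only.

```python
# Added example (not from the thread): pre-apply checks for Gateway + HTTPRoute + Secret.
# Manifests are dicts, e.g. json.loads() of `kubectl get ... -o json` output.

def lint_gateway(gw, route=None, secrets=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    listeners = gw.get("spec", {}).get("listeners", [])
    for i, lis in enumerate(listeners):
        label = lis.get("name") or f"listeners[{i}]"
        if not lis.get("name"):
            problems.append(f"{label}: listener name is missing")
        if lis.get("protocol") != "HTTPS":
            continue
        refs = (lis.get("tls") or {}).get("certificateRefs") or []
        if not refs:
            problems.append(f"{label}: HTTPS listener has no tls.certificateRefs")
        # Secret lookup is by name only; skipped when no Secrets are supplied.
        for ref in refs if secrets is not None else []:
            sec = next((s for s in secrets if s["metadata"]["name"] == ref["name"]), {})
            keys = set(sec.get("data", {}))
            if sec.get("type") != "kubernetes.io/tls" or not {"tls.crt", "tls.key"} <= keys:
                problems.append(f"{label}: {ref['name']} is not a usable kubernetes.io/tls Secret")
    if route is not None:
        spec = route.get("spec", {})
        if gw["metadata"]["name"] not in [p.get("name") for p in spec.get("parentRefs", [])]:
            problems.append("route: parentRefs does not name this Gateway")
        wanted = set(spec.get("hostnames", []))
        offered = {lis.get("hostname") for lis in listeners}
        # A listener without a hostname (None) accepts any host; wildcards are not handled.
        if wanted and None not in offered and not wanted & offered:
            problems.append("route: hostnames match no listener hostname")
    return problems

# Constructed sample input mirroring the manifests in the thread.
def gateway(listener):
    return {"kind": "Gateway", "metadata": {"name": "example-gateway"},
            "spec": {"gatewayClassName": "example-class", "listeners": [listener]}}

REFS = [{"kind": "Secret", "group": "", "name": "tls-secret"}]
BROKEN = gateway({"protocol": "HTTPS", "port": 443, "hostname": "foo.example.com"})
FIXED = gateway({"name": "https", "protocol": "HTTPS", "port": 443, "hostname": "foo.example.com",
                 "tls": {"mode": "Terminate", "certificateRefs": REFS}})
ROUTE = {"kind": "HTTPRoute", "spec": {"parentRefs": [{"name": "example-gateway"}],
                                       "hostnames": ["foo.example.com"]}}
SECRET = {"kind": "Secret", "type": "kubernetes.io/tls", "metadata": {"name": "tls-secret"},
          "data": {"tls.crt": "<base64 PEM>", "tls.key": "<base64 PEM>"}}

if __name__ == "__main__":
    for label, gw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_gateway(gw, ROUTE, [SECRET]))
```

`BROKEN` is a constructed listener with no name and no tls block; `FIXED` matches the corrected manifest in the answer.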