Securing Your First Application Exposed Using TEG
The steps described in Expose Your Application exposed the httpbin application running in your cluster to external clients. Requests were sent to your application and each request passed through TEG. However, the requests sent by the client travelled in clear text. Follow the steps below to secure communication between your client and Tetrate Envoy Gateway.
Serving TLS to Clients
In this scenario communication between your client and TEG is encrypted using TLS, and the encryption is terminated at the gateway. TLS uses public key cryptography; in this scenario only TEG holds the public and private key pair, and the client uses the gateway's public key to set up the encrypted session. The gateway uses self-signed certificates. Self-signed certificates are not recommended for production scenarios, but they are sufficient to demonstrate TLS.
The configuration below preserves the clear-text port configured in Expose Your Application and adds port 443, over which the same application is exposed to external clients over TLS.
Generating the Certificates
Create a root certificate and private key to sign certificates:
openssl req -x509 -sha256 -nodes -days 365 \
  -newkey rsa:2048 \
  -subj '/O=example Inc./CN=example.com' \
  -keyout example.com.key \
  -out example.com.crt
Create a certificate and a private key for www.example.com:
openssl req -out www.example.com.csr \
  -newkey rsa:2048 -nodes \
  -keyout www.example.com.key \
  -subj "/CN=www.example.com/O=example organization"
openssl x509 -req -days 365 \
  -CA example.com.crt \
  -CAkey example.com.key \
  -set_serial 0 \
  -in www.example.com.csr \
  -out www.example.com.crt
For Tetrate Envoy Gateway to use the generated certificate, it needs to be saved in the Kubernetes cluster as a TLS secret, in the same namespace as the httpbin application:
kubectl create secret tls example-cert \
  --key=www.example.com.key \
  --cert=www.example.com.crt \
  -n httpbin
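Before the pair is stored as a secret it is worth confirming that the private key belongs to the certificate, that the chain verifies against the CA file clients will be handed, and that the certificate is valid for the hostname clients send. The script below is an added example and not part of the TEG documentation; it assumes the openssl CLI is installed, and its make_demo_certs helper builds a constructed root CA and leaf that mirror the commands above, adding a subjectAltName because browsers and Go-based clients ignore the CN.

```shell
#!/bin/sh
# Added example (not from the TEG docs). Assumes the openssl CLI is available.
# tls_preflight CERT KEY CA HOSTNAME: checks to run before
# `kubectl create secret tls`; returns 0 only if every check passes.
tls_preflight() {
  cert=$1; key=$2; ca=$3; host=$4
  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "key does not match certificate" >&2; return 1; }
  # 2. The chain must verify against the CA file clients pass via --cacert.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate is not signed by $ca" >&2; return 1; }
  # 3. The certificate must be valid for the name clients send in SNI/Host.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "certificate is not valid for $host" >&2; return 1; }
  # 4. It must not expire within the next 30 days (2592000 seconds).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days" >&2; return 1; }
  return 0
}

# make_demo_certs DIR: constructed root CA and leaf mirroring the page's
# openssl commands, plus a SAN (browsers and Go clients ignore the CN).
make_demo_certs() {
  dir=$1
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=example Inc./CN=example.com' \
    -keyout "$dir/example.com.key" -out "$dir/example.com.crt" 2>/dev/null
  openssl req -out "$dir/www.example.com.csr" -newkey rsa:2048 -nodes \
    -keyout "$dir/www.example.com.key" \
    -subj '/CN=www.example.com/O=example organization' 2>/dev/null
  printf 'subjectAltName=DNS:www.example.com\n' > "$dir/san.ext"
  openssl x509 -req -days 365 -CA "$dir/example.com.crt" \
    -CAkey "$dir/example.com.key" -set_serial 0 -extfile "$dir/san.ext" \
    -in "$dir/www.example.com.csr" -out "$dir/www.example.com.crt" 2>/dev/null
}

# Usage: sh preflight.sh www.example.com.crt www.example.com.key example.com.crt www.example.com
if [ "$#" -eq 4 ]; then
  tls_preflight "$@" && echo "certificate and key are ready for the secret"
fi
```

A mismatched key or a certificate issued for a different name is the most common reason an HTTPS listener refuses to start or curl reports a verification error, and this catches both before anything is applied to the cluster.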
Modify the Gateway config to expose your application over TLS on port 443:
kubectl patch gateway dedicated-gateway -n httpbin --type=json --patch '[{
  "op": "add",
  "path": "/spec/listeners/-",
  "value": {
    "name": "https",
    "protocol": "HTTPS",
    "port": 443,
    "tls": {
      "mode": "Terminate",
      "certificateRefs": [{
        "kind": "Secret",
        "group": "",
        "name": "example-cert"
      }]
    }
  }
}]'
Making an HTTPS request to your httpbin application from outside the cluster
As described in Expose Your Application, the client needs Tetrate Envoy Gateway's external IP address:
export DEDICATED_GATEWAY_IP=$(kubectl get service -l gateway.envoyproxy.io/owning-gateway-namespace=httpbin -n envoy-gateway-system -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
Now you can perform a request and examine the output:
curl --head -H "Host: www.example.com" \
  --resolve "www.example.com:443:${DEDICATED_GATEWAY_IP}" \
  --cacert example.com.crt \
  https://www.example.com/httpbin/status/200
Output:
HTTP/2 200
server: envoy
date: Mon, 04 Sep 2023 15:15:32 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 2