This topic describes how to connect to an ingress gateway through HTTPS.

Prerequisites

  1. Connect to the target Kubernetes cluster through CloudShell.
  2. Run the curl --version | grep LibreSSL command to check the test environment.
    If the output contains LibreSSL version information, curl is compiled with LibreSSL and the environment is ready, for example:
    curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.4 zlib/1.2.11 nghttp2/1.24.1
  3. Deploy the Bookinfo application. For more information, see Deploy the Bookinfo application.
  4. Run the following commands to set the access endpoint (the external IP of the ingress gateway and its HTTP and HTTPS service ports):
    export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http")].port}')
    export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
  5. Run the following commands to delete the existing gateway and VirtualService:
    kubectl delete gateway --all
    kubectl delete virtualservice --all

Generate the certificate

Use the mtls-go-example project to generate the certificate chain for bookinfo.com (root CA, intermediate CA, server and client certificates) by running the following commands in CloudShell. Replace <password> with a passphrase of your choice:
1. git clone https://github.com/nicholasjackson/mtls-go-example
2. pushd mtls-go-example
3. ./generate.sh bookinfo.com  <password>
4. mkdir ~+1/bookinfo.com && mv 1_root 2_intermediate 3_application 4_client ~+1/bookinfo.com
5. popd

Configure the TLS ingress gateway

  1. Run the following command to create a secret to save the certificate content:
    kubectl create -n istio-system secret tls istio-ingressgateway-certs --key bookinfo.com/3_application/private/bookinfo.com.key.pem --cert bookinfo.com/3_application/certs/bookinfo.com.cert.pem
  2. Create a book-info-gateway.yaml file with the following content and run the kubectl apply -f book-info-gateway.yaml command to define a gateway named bookinfo-gateway.
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: bookinfo-gateway
    spec:
      selector:
        istio: ingressgateway # use istio default ingress gateway
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
          privateKey: /etc/istio/ingressgateway-certs/tls.key
        hosts:
        - "bookinfo.com"
  3. Create a book-info-vs.yaml file with the following content and run the kubectl apply -f book-info-vs.yaml command to configure a routing rule that is associated with bookinfo-gateway.
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: bookinfo
    spec:
      hosts:
      - "bookinfo.com"
      gateways:
      - bookinfo-gateway
      http:
      - match:
        - uri:
            exact: /productpage
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
        route:
        - destination:
            host: productpage
            port:
              number: 9080
  4. Run the following command to access the Bookinfo product page through the TLS gateway. The --resolve option maps bookinfo.com to the ingress IP without DNS, and --cacert makes curl verify the server certificate against the CA chain generated above. The VirtualService only routes /productpage, /login, /logout and /api/v1/products, so request one of those paths:
    curl -v -HHost:bookinfo.com --resolve bookinfo.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert bookinfo.com/2_intermediate/certs/ca-chain.cert.pem https://bookinfo.com:$SECURE_INGRESS_PORT/productpage
    Note: To access the service from a browser, configure DNS or add a hosts entry that maps bookinfo.com to $INGRESS_HOST first.
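As an added pre-flight check (example code written for this page, not Alibaba Cloud or Istio project code), the following Python script lints the Gateway and VirtualService above before they are applied: it confirms that every HTTPS server has a TLS mode and certificate source, that no plain HTTP server is left without httpsRedirect, that the VirtualService is bound to the gateway and its hosts are served, that every route destination carries a port.number (which catches the easy indentation mistake under port:), and whether a given request path is routed at all. The two manifests are transcribed into Python dicts, the shape a YAML loader such as PyYAML returns, so nothing beyond the standard library is needed; the misindented_vs() negative case is constructed here for illustration.

```python
"""Pre-flight checks for the Istio Gateway/VirtualService pair used on this page.

Added example, not project code. Manifests are held as parsed data (what
yaml.safe_load would return) so the script runs with the standard library only.
"""
import copy

# book-info-gateway.yaml as parsed data (transcribed from the page).
BOOKINFO_GATEWAY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
    "metadata": {"name": "bookinfo-gateway"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                          "tls": {"mode": "SIMPLE",
                                  "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
                                  "privateKey": "/etc/istio/ingressgateway-certs/tls.key"},
                          "hosts": ["bookinfo.com"]}]},
}

# book-info-vs.yaml as parsed data (transcribed from the page).
BOOKINFO_VS = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
    "metadata": {"name": "bookinfo"},
    "spec": {"hosts": ["bookinfo.com"], "gateways": ["bookinfo-gateway"],
             "http": [{"match": [{"uri": {"exact": "/productpage"}},
                                 {"uri": {"exact": "/login"}},
                                 {"uri": {"exact": "/logout"}},
                                 {"uri": {"prefix": "/api/v1/products"}}],
                       "route": [{"destination": {"host": "productpage",
                                                  "port": {"number": 9080}}}]}]},
}


def _host_matches(pattern, host):
    """Istio host matching: '*', an exact name, or a '*.suffix' wildcard."""
    pattern = pattern.split("/", 1)[-1]           # drop an optional "namespace/" prefix
    if pattern in ("*", host):
        return True
    return pattern.startswith("*.") and host.endswith(pattern[1:])


def check_gateway(gw):
    """Return a list of findings about the Gateway's servers (empty means it looks sound)."""
    findings = []
    servers = gw.get("spec", {}).get("servers", [])
    if not servers:
        findings.append("gateway defines no servers")
    for i, srv in enumerate(servers):
        port, tls = srv.get("port", {}), srv.get("tls") or {}
        where = "servers[%d] (%s/%s)" % (i, port.get("name", "?"), port.get("number", "?"))
        proto = str(port.get("protocol", "")).upper()
        if proto == "HTTP" and not tls.get("httpsRedirect"):
            findings.append(where + ": plaintext HTTP server without tls.httpsRedirect")
        elif proto == "HTTPS":
            mode = tls.get("mode")
            if mode not in ("SIMPLE", "MUTUAL"):
                findings.append(where + ": tls.mode must be SIMPLE or MUTUAL, got %r" % mode)
            # Certificates come from mounted files (this page) or from SDS via credentialName.
            if not tls.get("credentialName"):
                for key in ("serverCertificate", "privateKey"):
                    if not tls.get(key):
                        findings.append(where + ": tls.%s is missing" % key)
            if mode == "MUTUAL" and not (tls.get("caCertificates") or tls.get("credentialName")):
                findings.append(where + ": MUTUAL mode needs tls.caCertificates to verify clients")
    return findings


def check_pair(gw, vs):
    """check_gateway() plus the binding between the VirtualService and the Gateway."""
    findings = check_gateway(gw)
    gw_name = gw["metadata"]["name"]
    gw_ns = gw["metadata"].get("namespace", "default")
    spec = vs.get("spec", {})
    # A VirtualService names its gateway as "name" or "namespace/name".
    if not any(ref in (gw_name, gw_ns + "/" + gw_name) for ref in spec.get("gateways", [])):
        findings.append("VirtualService %s is not bound to gateway %s" % (vs["metadata"]["name"], gw_name))
    gw_hosts = [h for srv in gw.get("spec", {}).get("servers", []) for h in srv.get("hosts", [])]
    for host in spec.get("hosts", []):
        if not any(_host_matches(p, host) for p in gw_hosts):
            findings.append("VirtualService host %r is served by no gateway host in %r" % (host, gw_hosts))
    for i, rule in enumerate(spec.get("http", [])):
        for dest in rule.get("route", []):
            d = dest.get("destination", {})
            if "number" not in (d.get("port") or {}):
                findings.append("http[%d]: destination %r has no port.number (check the YAML indentation)"
                                % (i, d.get("host")))
    return findings


def is_routed(vs, path):
    """True if some http rule of the VirtualService admits this request path."""
    for rule in vs.get("spec", {}).get("http", []):
        if not rule.get("match"):                  # a rule without 'match' is a catch-all
            return True
        for m in rule["match"]:
            uri = m.get("uri", {})
            if uri.get("exact") == path or (uri.get("prefix") and path.startswith(uri["prefix"])):
                return True
    return False


def misindented_vs():
    """Constructed negative case: 'number' at the same level as 'port', as a YAML typo yields."""
    vs = copy.deepcopy(BOOKINFO_VS)
    vs["spec"]["http"][0]["route"][0]["destination"] = {"host": "productpage", "port": None, "number": 9080}
    return vs


if __name__ == "__main__":
    print("page manifests:", check_pair(BOOKINFO_GATEWAY, BOOKINFO_VS) or "no findings")
    print("misindented VS:", check_pair(BOOKINFO_GATEWAY, misindented_vs()))
    for p in ("/productpage", "/api/v1/products/0", "/status/418"):
        print("%-20s routed=%s" % (p, is_routed(BOOKINFO_VS, p)))
```

For your own manifests, load them with yaml.safe_load and pass the resulting dicts to check_pair(); is_routed() is also a quick way to confirm that the path you use in the verification curl command is one the VirtualService actually forwards.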