From 4228d9f3f9cd2305aa9af940eb172c07082d5930 Mon Sep 17 00:00:00 2001
From: danehans
Date: Tue, 18 Oct 2022 15:20:50 -0700
Subject: [PATCH] Updates HTTPS Listener to Use Hostname

Issue 601

Signed-off-by: danehans
---
 docs/user/secure-gateways.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/user/secure-gateways.md b/docs/user/secure-gateways.md
index af37505f8398..510c37e51113 100644
--- a/docs/user/secure-gateways.md
+++ b/docs/user/secure-gateways.md
@@ -25,17 +25,17 @@ Create a root certificate and private key to sign certificates:
 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
 ```
 
-Create a certificate and a private key for `www.example.com`:
+Create a certificate and a private key for `secure.example.com`:
 
 ```shell
-openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=httpbin organization"
-openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt
+openssl req -out secure.example.com.csr -newkey rsa:2048 -nodes -keyout secure.example.com.key -subj "/CN=secure.example.com/O=example organization"
+openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in secure.example.com.csr -out secure.example.com.crt
 ```
 
 Store the cert/key in a Secret:
 
 ```shell
-kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt
+kubectl create secret tls example-cert --key=secure.example.com.key --cert=secure.example.com.crt
 ```
 
 Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `8443` and references the
@@ -49,6 +49,7 @@ kubectl patch gateway eg --type=json --patch '[{
     "name": "https",
     "protocol": "HTTPS",
     "port": 8443,
+    "hostname": "secure.example.com",
     "tls": {
       "mode": "Terminate",
       "certificateRefs": [{
@@ -80,8 +81,8 @@ kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8043:8443
 Query the example app through Envoy proxy:
 
 ```shell
-curl -v -HHost:www.example.com --resolve "www.example.com:8043:127.0.0.1" \
---cacert example.com.crt https://www.example.com:8043/get
+curl -v -HHost:secure.example.com --resolve "secure.example.com:8043:127.0.0.1" \
+--cacert example.com.crt https://secure.example.com:8043/get
 ```
 
 ### Clusters with External LoadBalancer Support
@@ -95,8 +96,8 @@ export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].
 Query the example app through the Gateway:
 
 ```shell
-curl -v -HHost:www.example.com --resolve "www.example.com:8443:${GATEWAY_HOST}" \
---cacert example.com.crt https://www.example.com:8443/get
+curl -v -HHost:secure.example.com --resolve "secure.example.com:8443:${GATEWAY_HOST}" \
+--cacert example.com.crt https://secure.example.com:8443/get
 ```
 
 ## Multiple HTTPS Listeners
@@ -139,7 +140,7 @@ spec:
 Store the previously created cert/key in Secret `example-cert-2`:
 
 ```shell
-kubectl create secret tls example-cert-2 --key=www.example.com.key --cert=www.example.com.crt
+kubectl create secret tls example-cert-2 --key=secure.example.com.key --cert=secure.example.com.crt
 ```
 
 Follow the steps in the [Testing section](#testing) to test connectivity to the backend app through both Gateway
@@ -180,7 +181,7 @@ kubectl delete secret/example-cert
 Recreate the example Secret in the `envoy-gateway-system` namespace:
 
 ```shell
-kubectl create secret tls example-cert -n envoy-gateway-system --key=www.example.com.key --cert=www.example.com.crt
+kubectl create secret tls example-cert -n envoy-gateway-system --key=secure.example.com.key --cert=secure.example.com.crt
 ```
 
 Update the Gateway HTTPS listener with `namespace: envoy-gateway-system`, for example:
@@ -228,6 +229,5 @@ kubectl delete secret/example-cert-2
 Checkout the [Developer Guide](../../DEVELOPER.md) to get involved in the project.
 
 [kind]: https://kind.sigs.k8s.io/
-[httpbin_methods]: https://httpbin.org/#/HTTP_Methods
 [Issue 520]: https://github.com/envoyproxy/gateway/issues/520
 [ReferenceGrant]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/