Setting up TLS for Kubernetes Gateway API with Cilium and Cert-Manager

This guide demonstrates how to configure Transport Layer Security (TLS) for a Kubernetes Gateway using the Gateway API, Cilium, and Cert-Manager. We'll leverage Cilium's Envoy proxy integration for efficient and secure routing. This setup enables HTTPS access to your applications, enhancing security and providing a robust infrastructure.

Prerequisites:

  • A Kubernetes cluster (we'll use kind for this example).
  • Cilium installed (version 1.16.5 or later recommended). Upgrade instructions are included below.
  • Cert-Manager configured to manage certificates. A self-signed issuer will be used for simplicity in this tutorial.
  • Gateway API CRDs installed.

1. Setting up the Cilium LoadBalancer IP Pool:

Cilium's LoadBalancer allows assigning IPs from a defined range. Create an IP pool using the following command:

cat << EOF | kubectl apply -f -
apiVersion: "cilium.io/v2alpha1"
kind: CiliumLoadBalancerIPPool
metadata:
  name: "test-pool"
spec:
  blocks:
  - start: "172.18.0.10"
    stop: "172.18.0.50"
EOF

2. Configuring a Self-Signed Certificate Issuer with Cert-Manager:

For this tutorial, we'll utilize a self-signed certificate. Create a ClusterIssuer for Cert-Manager:

cat << EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
  namespace: cert-manager
spec:
  selfSigned: {}
EOF

3. Installing and Configuring Cilium with Gateway API Support:

Ensure Gateway API CRDs are installed before installing/upgrading Cilium:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml

Install or upgrade Cilium with Gateway API enabled:

cilium install --version 1.16.5 --set kubeProxyReplacement=true --set gatewayAPI.enabled=true
# Or for upgrade: cilium upgrade --version 1.16.5 --set kubeProxyReplacement=true --set gatewayAPI.enabled=true

Verify Cilium GatewayClass is installed:

kubectl get gatewayclass

4. Creating the TLS Certificate:

Generate a certificate using Cert-Manager:

cat << EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-tls
  namespace: kube-system
spec:
  dnsNames:
  - gfn.zozoo.io
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer
  secretName: grafana-tls
EOF

Verify certificate creation:

kubectl get certificates -n kube-system

5. Deploying the Gateway:

Create a Gateway resource to handle HTTP and HTTPS traffic:

cat << EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: cilium-gateway
  namespace: kube-system
spec:
  gatewayClassName: cilium
  listeners:
  - allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            gw-access: "true"
    name: http
    port: 80
    protocol: HTTP
  - allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            gw-access: "true"
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: grafana-tls
      mode: Terminate
EOF

6. Configuring HTTPRoutes:

Create HTTPRoutes to define routing rules. This example shows routing to a Grafana service and a redirect from HTTP to HTTPS:

(a) Grafana HTTPRoute:

cat << EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: grafana
  namespace: monitoring
spec:
  hostnames:
  - gfn.zozoo.io
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: cilium-gateway
    namespace: kube-system
    sectionName: https
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: grafana
      port: 80
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /
EOF

(b) HTTP to HTTPS Redirect:

cat << EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-filter-redirect
  namespace: monitoring
spec:
  parentRefs:
  - name: cilium-gateway
    sectionName: http
    namespace: kube-system
  hostnames:
  - gfn.zozoo.io
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301
EOF

7. Testing:

Verify the setup by accessing gfn.zozoo.io (remember to update your /etc/hosts file accordingly). You should observe a redirect from HTTP to HTTPS, followed by successful access to your application.

This comprehensive guide provides a robust foundation for securing your Kubernetes applications with TLS using the Gateway API, Cilium, and Cert-Manager. Remember to replace placeholder values (e.g., gfn.zozoo.io, namespaces) with your actual details.