Proxy HTTPS traffic with TLS termination

Configuring TLS termination at the Gateway level lets Kong Operator manage the TLS certificates and decrypt incoming traffic before it reaches your services. This guide shows how to set up an HTTPS listener using the standard Kubernetes Gateway API: add an HTTPS protocol listener to your Gateway resource and reference a Kubernetes Secret containing your TLS certificate and key.
Prerequisites

Kong Konnect

If you don't have a Konnect account, you can get started quickly with our onboarding wizard.

The following Konnect items are required to complete this tutorial:

- Personal access token (PAT): create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

Set the personal access token as an environment variable:

```bash
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
```
Kong Operator running

- Add the Kong Helm charts:

  ```bash
  helm repo add kong https://charts.konghq.com
  helm repo update
  ```

- Install Kong Operator using Helm. If you are using Konnect, enable the Konnect controller:

  ```bash
  helm upgrade --install kong-operator kong/kong-operator -n kong-system \
    --create-namespace \
    --set image.tag=2.1.0 \
    --set env.ENABLE_CONTROLLER_KONNECT=true
  ```

  Without Konnect, omit the ENABLE_CONTROLLER_KONNECT setting:

  ```bash
  helm upgrade --install kong-operator kong/kong-operator -n kong-system \
    --create-namespace \
    --set image.tag=2.1.0
  ```

  If you want cert-manager to issue and rotate the admission and conversion webhook certificates, install cert-manager in your cluster and enable the integration by adding the following argument to the install command:

  ```bash
  --set global.webhooks.options.certManager.enabled=true
  ```

  If you do not enable this, the chart generates and injects self-signed certificates automatically. We recommend enabling cert-manager to manage the lifecycle of these certificates.

Kong Operator needs a certificate authority to sign the certificates used for mTLS between the control plane and the data plane. The Helm chart handles this automatically. If you need to provide a custom CA certificate, refer to the certificateAuthority section in the values.yaml of the Helm chart to learn how to create and reference your own CA certificate.
This tutorial doesn't require a license, but you can add one using KongLicense. This assumes that your license is available in ./license.json.

```bash
echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongLicense
metadata:
  name: kong-license
rawLicenseString: '$(cat ./license.json)'
" | kubectl apply -f -
```
Create a KonnectAPIAuthConfiguration resource

```bash
kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -

echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: kong
spec:
  type: token
  token: "'$KONNECT_TOKEN'"
  serverURL: us.api.konghq.com
' | kubectl apply -f -
```
Create a KonnectGatewayControlPlane resource

```bash
echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha2
metadata:
  name: gateway-control-plane
  namespace: kong
spec:
  createControlPlaneRequest:
    name: gateway-control-plane
  konnect:
    authRef:
      name: konnect-api-auth
' | kubectl apply -f -
```
Create the kong namespace

Create the kong namespace in your Kubernetes cluster, which is where the demo will run. If you followed the Konnect steps above the namespace already exists, so use the idempotent form:

```bash
kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
```
Create a certificate

- Create a self-signed certificate for the hostname the HTTPS listener will serve:

  ```bash
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=demo.example.com"
  ```

- Create a Kubernetes Secret of type kubernetes.io/tls containing the certificate and key. The base64 values must each be a single line (GNU base64 wraps long output at 76 columns, which would break the YAML), so strip the newlines:

  ```bash
  echo "
  apiVersion: v1
  kind: Secret
  metadata:
    name: my-certificate
    namespace: kong
  type: kubernetes.io/tls
  data:
    tls.crt: $(base64 < tls.crt | tr -d '\n')
    tls.key: $(base64 < tls.key | tr -d '\n')
  " | kubectl apply -f -
  ```
Configure the Gateway

Create the following resources:

- A GatewayConfiguration and a GatewayClass to configure your gateway with the latest Kong Gateway version and Kong Operator as the controller.
- A Gateway with a listener on port 443 with the HTTPS protocol and a reference to the Secret we created. The certificateRef has no namespace, so it resolves in the Gateway's own namespace (kong); referencing a Secret in another namespace additionally requires a ReferenceGrant in that namespace, as the Gateway API requires.
```bash
echo '
apiVersion: gateway-operator.konghq.com/v2beta1
kind: GatewayConfiguration
metadata:
  name: kong-gateway-configuration
  namespace: kong
spec:
  dataPlaneOptions:
    deployment:
      podTemplateSpec:
        spec:
          containers:
          - image: kong/kong-gateway:3.13
            name: proxy
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: kong-tls
spec:
  controllerName: konghq.com/gateway-operator
  parametersRef:
    group: gateway-operator.konghq.com
    kind: GatewayConfiguration
    name: kong-gateway-configuration
    namespace: kong
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kong-tls-gateway
  namespace: kong
spec:
  gatewayClassName: kong-tls
  listeners:
  - name: http
    port: 80
    protocol: HTTP
  - name: https
    port: 443
    protocol: HTTPS
    hostname: demo.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - group: ""
        kind: Secret
        name: my-certificate' | kubectl apply -f -
```
Label the Secret

Kong Operator requires a specific label on Secrets to recognize them for use in gateways:

```bash
kubectl label secret my-certificate -n kong konghq.com/secret="true"
```
For more information about how Kong Operator handles secrets, see the Secrets reference.
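The Secret creation and labelling steps above, as an added shell example that is not part of the Kong Operator documentation: it builds the kubernetes.io/tls Secret with single-line base64 (so it behaves the same with GNU and macOS base64), sets the konghq.com/secret label at creation time instead of in a separate kubectl label step, and checks the manifest before it is applied. The make_selfsigned_cert helper adds a subjectAltName, which browsers require even though curl falls back to the CN; the helper and file names are this example's own, and the resource name and namespace are the tutorial's.

```shell
#!/bin/sh
# Added example, not part of the Kong Operator docs. Helper names are this
# example's own; the Secret name and namespace default to the tutorial's.

# Self-signed certificate with a SAN. CN-only certificates (like the page's
# openssl one-liner) still pass curl/OpenSSL hostname checks via CN fallback,
# but browsers reject them, so the SAN is added here. Needs openssl >= 1.1.1.
make_selfsigned_cert() {  # make_selfsigned_cert <hostname> <outdir>
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$2/tls.key" -out "$2/tls.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1"
}

# GNU base64 wraps at 76 columns, macOS base64 does not; stripping newlines
# makes the output a single YAML scalar on both.
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# Print the Secret manifest with the konghq.com/secret label already set.
tls_secret_manifest() {  # tls_secret_manifest <name> <namespace> <crt> <key>
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
  labels:
    konghq.com/secret: "true"
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$3")
  tls.key: $(b64_oneline "$4")
EOF
}

# Pre-apply check, manifest on stdin: both data keys present, each value a
# single base64 token (a bare base64 line means the value wrapped), the
# label present, and the decoded values PEM-framed. Returns 0 on success.
check_tls_secret_manifest() {
  m=$(cat)
  printf '%s\n' "$m" | awk '
    /^  tls\.(crt|key): [A-Za-z0-9+\/=]+$/ { n++; next }
    /^  tls\.(crt|key): / { bad = 1 }
    /^[A-Za-z0-9+\/=]+$/ { bad = 1 }
    /^    konghq\.com\/secret: "true"$/ { label = 1 }
    END { exit (n == 2 && label && !bad) ? 0 : 1 }' || return 1
  crt=$(printf '%s\n' "$m" | sed -n 's/^  tls\.crt: //p' | base64 --decode | head -n 1)
  key=$(printf '%s\n' "$m" | sed -n 's/^  tls\.key: //p' | base64 --decode | head -n 1)
  [ "$crt" = "-----BEGIN CERTIFICATE-----" ] || return 1
  case $key in
    "-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
    *) return 1 ;;
  esac
}

# Usage when run directly (needs openssl and kubectl):
#   make_selfsigned_cert demo.example.com . \
#     && tls_secret_manifest my-certificate kong tls.crt tls.key \
#        | tee secret.yaml | check_tls_secret_manifest \
#     && kubectl apply -f secret.yaml
```

Because the label is part of the manifest, re-applying it after a certificate rotation keeps the label in place; the separate kubectl label step is only needed for Secrets created by other tooling.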
Create an echo Service
Run the following command to create a sample echo Service:
```bash
kubectl apply -f https://developer.konghq.com/manifests/kic/echo-service.yaml -n kong
```
Create a Route
Deploy a sample HTTPRoute to verify that TLS termination is working:
```bash
echo '
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: echo-route
  namespace: kong
spec:
  parentRefs:
  - name: kong-tls-gateway
  hostnames:
  - demo.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - name: echo
      kind: Service
      port: 1027' | kubectl apply -f -
```
Validate

- Check the status of the Gateway to ensure the listeners are programmed:

  ```bash
  kubectl get gateway kong-tls-gateway -n kong -o jsonpath='{.status.listeners}'
  ```

  Each listener should report a Programmed condition with status True. A ResolvedRefs condition with status False means the listener could not use its certificateRef; check that the Secret exists in the Gateway's namespace and carries the konghq.com/secret label from the previous step.

- Get the Gateway's external IP:

  ```bash
  export PROXY_IP=$(kubectl get gateway kong-tls-gateway -n kong -o jsonpath='{.status.addresses[0].value}')
  ```

- Test the connection. The hostname must match the listener's hostname and the certificate's CN (demo.example.com); --resolve pins that name to the Gateway address without touching DNS, and -k skips certificate verification only because the certificate is self-signed:

  ```bash
  curl -ivk --resolve demo.example.com:443:$PROXY_IP https://demo.example.com/echo
  ```

  You should see a TLS handshake followed by a 200 response.
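The validation steps above, as an added shell example that is not part of the Kong Operator documentation: it checks every listener's Programmed and ResolvedRefs conditions before probing, and probes the HTTPS listener with certificate verification enabled (trusting the self-signed tls.crt explicitly) instead of disabling it with -k. The GATEWAY, NAMESPACE and HOST defaults are the tutorial's values; the function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Kong Operator docs. GATEWAY/NAMESPACE/HOST
# default to the tutorial's values; the function names are this example's own.
GATEWAY=${GATEWAY:-kong-tls-gateway}
NAMESPACE=${NAMESPACE:-kong}
HOST=${HOST:-demo.example.com}

# One line per listener, "<name> <Type>=<Status>/<Reason> ...", using kubectl's
# jsonpath range syntax so no jq is needed.
listener_conditions() {
  kubectl get gateway "$GATEWAY" -n "$NAMESPACE" -o jsonpath='{range .status.listeners[*]}{.name}{range .conditions[*]}{" "}{.type}={.status}/{.reason}{end}{"\n"}{end}'
}

# Reads listener lines on stdin. Exits 0 only if every listener has
# Programmed=True; otherwise prints the listener with its Programmed and
# ResolvedRefs conditions, so the Gateway API reason (for example
# InvalidCertificateRef, or RefNotPermitted for a cross-namespace Secret
# without a ReferenceGrant) is visible without reading the raw status.
all_listeners_programmed() {
  awk '
    NF > 0 {
      name = $1; programmed = ""; resolved = ""
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")            # kv[1] = Type, kv[2] = Status/Reason
        if (kv[1] == "Programmed")   programmed = kv[2]
        if (kv[1] == "ResolvedRefs") resolved = kv[2]
      }
      if (programmed !~ /^True/) {
        printf "listener %s not programmed (Programmed=%s ResolvedRefs=%s)\n", name, programmed, resolved
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Probe the HTTPS listener with verification on: trust the self-signed
# certificate explicitly instead of passing -k, and pin the hostname to the
# Gateway address with --resolve. Prints the HTTP status code.
probe_https() {  # probe_https <proxy-ip> <cert-file>
  curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" \
    --resolve "$HOST:443:$1" "https://$HOST/echo"
}

# Live run against the cluster (needs kubectl, curl and ./tls.crt from the
# certificate step): sh validate.sh --live
if [ "${1:-}" = "--live" ]; then
  listener_conditions | all_listeners_programmed || exit 1
  PROXY_IP=$(kubectl get gateway "$GATEWAY" -n "$NAMESPACE" -o jsonpath='{.status.addresses[0].value}')
  code=$(probe_https "$PROXY_IP" tls.crt)
  [ "$code" = 200 ] || { echo "expected 200, got $code"; exit 1; }
  echo "TLS termination on $HOST works"
fi
```

Verifying against tls.crt works because a self-signed certificate is its own trust anchor; once you switch to a CA-issued certificate, pass that CA's bundle to --cacert (or drop the flag for a publicly trusted CA) so the probe keeps checking the chain and the hostname.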