Skip to content

Add guide for TLS Route in site #2363

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Aug 16, 2024
Merged

Add guide for TLS Route in site #2363

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
80412d6
Add guide for TLS Route in site
sarthyparty Aug 9, 2024
b7f5e6d
rename file
Aug 13, 2024
4e07628
Correct docs number
Aug 13, 2024
5b0a4d3
Doc fixes
Aug 13, 2024
ef18ddf
Add more detail to guide and update compatibility doc
Aug 14, 2024
b4689f8
code review
Aug 15, 2024
12d01d1
Update site/content/how-to/traffic-management/tls-passthrough.md
kate-osborn Aug 15, 2024
e80d292
Update site/content/how-to/traffic-management/tls-passthrough.md
kate-osborn Aug 15, 2024
6d5a622
Merge branch 'main' into chore/update-site-for-tls-route
ADubhlaoich Aug 16, 2024
3ac39b2
Merge branch 'main' into chore/update-site-for-tls-route
kate-osborn Aug 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
231 changes: 231 additions & 0 deletions site/content/how-to/traffic-management/tls-passthrough.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,231 @@
---
title: "TLS Passthrough"
weight: 800
toc: true
docs: "DOCS-000"
---

Learn how to use TLSRoutes to configure TLS Passthrough load-balancing with NGINX Gateway Fabric.

## Overview

In this guide, we will show how to configure TLS passthrough for your application, using a [TLSRoute](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute).

## Before you begin

- [Install]({{< relref "installation/" >}}) NGINX Gateway Fabric.
- Save the public IP address and port of NGINX Gateway Fabric into shell variables:

```text
GW_IP=XXX.YYY.ZZZ.III
GW_TLS_PORT=<port number>
```

{{< note >}}In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the Gateway will forward for.{{< /note >}}

## Set up

Create the `secure-app` application by copying and pasting the following block into your terminal:

```yaml
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: secure-app
spec:
replicas: 1
selector:
matchLabels:
app: secure-app
template:
metadata:
labels:
app: secure-app
spec:
containers:
- name: secure-app
image: nginxdemos/nginx-hello:plain-text
ports:
- containerPort: 8443
volumeMounts:
- name: secret
mountPath: /etc/nginx/ssl
readOnly: true
- name: config-volume
mountPath: /etc/nginx/conf.d
volumes:
- name: secret
secret:
secretName: app-tls-secret
- name: config-volume
configMap:
name: secure-config
---
apiVersion: v1
kind: Service
metadata:
name: secure-app
spec:
ports:
- port: 8443
targetPort: 8443
protocol: TCP
name: https
selector:
app: secure-app
---
apiVersion: v1
kind: ConfigMap
metadata:
name: secure-config
data:
app.conf: |-
server {
listen 8443 ssl;
listen [::]:8443 ssl;

server_name app.example.com;

ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;

default_type text/plain;

location / {
return 200 "hello from pod \$hostname\n";
}
}
---
apiVersion: v1
kind: Secret
metadata:
name: app-tls-secret
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ3Q0NRQ3EzQWxhdnJiaWpqQU5CZ2txaGtpRzl3MEJBUXNGQURCTU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVZMmx6WTI4eEdEQVdCZ05WQkFNTQpEMkZ3Y0M1bGVHRnRjR3hsTG1OdmJUQWVGdzB5TURBek1qTXlNekl3TkROYUZ3MHlNekF6TWpNeU16SXdORE5hCk1Fd3hDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWoKYVhOamJ6RVlNQllHQTFVRUF3d1BZWEJ3TG1WNFlXMXdiR1V1WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTJCRXhZR1JPRkhoN2VPMVlxeCtWRHMzRzMrVEhyTEZULzdEUFFEQlkza3pDCi9oZlprWCt3OW1NNkQ1RU9uK2lpVlNhUWlQMm1aNFA3N29pR0dmd3JrNjJ0eEQ5cHphODM5NC9aSjF5Q0dXZ1QKK2NWUEVZbkxjQktzSTRMcktJZ21oWVIwUjNzWWRjR1JkSXJWUFZlNUVUQlk1Z1U0RGhhMDZOUEIraitmK0krWgphWGIvMlRBekJhNHozMWpIQzg2amVQeTFMdklGazFiY3I2cSsxRGR5eklxcWxkRDYvU3Q4Q2t3cDlOaDFCUGFhCktZZ1ZVd010UVBib2s1cFFmbVMrdDg4NHdSM0dTTEU4VkxRbzgyYnJhNUR3emhIamlzOTlJRGhzbUt0U3lWOXMKaWNJbXp5dHBnSXlhTS9zWEhRQU9KbVFJblFteWgyekd1WFhTQ0lkRGtRSURBUUFCTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0tsVkhOZ1k5VHZLaW9Xb0tvdllCdnNRMmYrcmFOOEJwdWNDcnRvRm15NUczcGIzU2lPTndaCkF2cnhtSm4vR3lsa3JKTHBpQVA1eUNBNGI2Y2lYMnRGa3pQRmhJVFZKRTVBeDlpaEF2WWZwTUFSdWVqM29HN2UKd0xwQk1iUnlGbHJYV29NWUVBMGxsV0JueHRQQXZYS2Y4SVZGYTRSSDhzV1JJSDB4M2hFdjVtQ3VUZjJTRTg0QwpiNnNjS3Z3MW9CQU5VWGxXRVZVYTFmei9rWWZBa1lrdHZyV2JUcTZTWGxodXRJYWY4WEYzSUMrL2x1b3gzZThMCjBBcEFQVE5sZ0JwOTkvcXMrOG9PMWthSmQ1TmV6TnlJeXhSdUtJMzlDWkxuQm9OYmkzdlFYY1NzRCtYU2lYT0cKcEVnTjNtci8xRms4OVZMSENhTnkyKzBqMjZ0eWpiclcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRFlFVEZnWkU0VWVIdDQKN1Zpckg1VU96Y2JmNU1lc3NWUC9zTTlBTUZqZVRNTCtGOW1SZjdEMll6b1BrUTZmNktKVkpwQ0kvYVpuZy92dQppSVlaL0N1VHJhM0VQMm5OcnpmM2o5a25YSUlaYUJQNXhVOFJpY3R3RXF3amd1c29pQ2FGaEhSSGV4aDF3WkYwCml0VTlWN2tSTUZqbUJUZ09GclRvMDhINlA1LzRqNWxwZHYvWk1ETUZyalBmV01jTHpxTjQvTFV1OGdXVFZ0eXYKcXI3VU4zTE1pcXFWMFByOUszd0tUQ24wMkhVRTlwb3BpQlZUQXkxQTl1aVRtbEIrWkw2M3p6akJIY1pJc1R4VQp0Q2p6WnV0cmtQRE9FZU9LejMwZ09HeVlxMUxKWDJ5SndpYlBLMm1Bakpveit4Y2RBQTRtWkFpZENiS0hiTWE1CmRkSUloME9SQWdNQkFBRUNnZ0VCQUxYaW16ODZrT1A0bkhBcTFPYVEyb2l3dndhQTczbTNlUytZSm84eFk4NFcKcmxyNXRzUWR5dGxPcEhTd05yQjBSQnNNTU1XeFNPQ0JJWlltUlVVZ200cGd2Uk9rRWl2OG9VOThQMkE4SnFTKwprWHBFRjVCNi84K2pXRmM0Z1Q4SWhlMEZtR0VJQllvelhYL08wejBsV0h4WXg2MHluWUoycU9vS1FKT3A5YjlsCmpiUVBkaC9mN2ErRWF0RzZNUFlrNG5xSEY3a0FzcmNsRXo2SGUvaEx6NmRkSTJ1N2RMRjB6QlN0QjM5WDFRZysKZ1JzTittOXg1S1FVTXYxMktvajdLc2hEelozOG5hSjd5bDgycGhBV1lGZzBOZHlzRlBRbmt0WmlNSUxOblFjNwpOeUt0cHNQaUxIRE9ha05hdEZLU2lOaUJrUk1lY1ZUMlJNMzMzUG54bFVFQ2dZRUEvYTY5MEEralU4VFJNbVZyCk4vRnlYWkxYa1c5b2NxVjBRbTA0TDMrSExybFNCTlRWSzk2U1pVT203VjViTzIxNmd4S2dJK3IwYm5kdE5GTUQKLzFncDhsdlJNcUlIeGZTeUo4SHpsSzViT0lnaUpxRGhzK3BKWTZmLytIVzZ1QkZyN3NGS3lxbVlIQlA0SC9BdApsT3lLeEVjMHFXazFlT2tCMWNNSGx0WDRwemtDZ1lFQTJncDhDVDVYWjNMSWRQN2M1SHpDS1YwczBYS1hGNmYyCkxzclhPVlZaTmJCN1NIS1NsOTBIU2VWVGx3czdqSnNxcC9yWFY2aHF0eUdEaTg4aTFZekthcEF6dXl3b0U3TnEKMUJpd2ZYSURQeTlPNUdGNXFYNXFUeENzSWNIcmo2Z21XMEZVQWhoS1lQcDRxd1JMdzFMZkJsd3U1VmhuN3I3ego0SkZBTEFpdlp4a0NnWUJicnpuKzVvZjdFSmtqQTdDYWlYTHlDczVLUzkrTi8rcGl6NktNMkNSOWFKRVNHZkhwClp3bTErNXRyRXIwYVgxajE0bGRxWTlKdjBrM3ZxVWs2a2h5bThUUk1mbThjeG5GVkdTMzF3SVpMaWpmOWlndkkKd0paQnBFaEkvaE83enVBWmJGYWhwR1hMVUJSUFJyalNxQ01IQ1UwcEpWTWtIZUtCNVhqcXRPNm5VUUtCZ0NJUAp6VHlzYm44TW9XQVZpSEJ4Uk91dFVKa1BxNmJZYUU3N0JSQkIwd1BlSkFRM1VjdERqaVh2RzFYWFBXQkR4VEFrCnNZdFNGZ214eEprTXJNWnJqaHVEbDNFLy9xckZOb1VYcmtxS2l4Tk4wcWMreXdDOWJPSVpHcXJUWG5jOHIzRkcKRFZlZWI5QWlrTU0ya3BkYTFOaHJnaS8xMVphb1lmVE0vQmRrNi9IUkFvR0JBSnFzTmFZYzE2clVzYzAzUEwybApXUGNzRnZxZGI3SEJyakVSRkhFdzQ0Vkt2MVlxK0ZWYnNNN1FTQVZ1V1llcGxGQUpDYzcrSEt1YjRsa1hRM1RkCndSajJLK2pOUzJtUXp1Y2hOQnlBZ1hXVnYveHhMZEE3NnpuWmJYdjl5cXhnTVVjTVZwZGRuSkxVZm9QVVZ1dTcKS0tlVVU3TTNIblRKUStrcldtbUxraUlSCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
EOF
```

This will create the **secure-app** Service and a Deployment. The secure app is configured to serve HTTPS traffic on port 8443 for the host app.example.com. For TLS termination, a self-signed TLS certificate, with the common name `app.example.com`, and key are used. The app responds to clients HTTPS requests with a simple text response "hello from pod $POD_HOSTNAME".

Run the following command to verify the resources were created:

```shell
kubectl get pods,svc
```

The output should include the **secure-app** pod and the **secure-app** Service:

```text
NAME READY STATUS RESTARTS AGE
pod/secure-app-575785644-kzqf6 1/1 Running 0 12s

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/secure-app ClusterIP 192.168.194.152 <none> 8443/TCP 12s
```

Create a Gateway. This will create a TLS listener with the hostname `*.example.com` and passthrough TLS mode. Copy and paste this into your terminal.

```yaml
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: gateway
namespace: default
spec:
gatewayClassName: nginx
listeners:
- name: tls
port: 443
protocol: TLS
hostname: "*.example.com"
allowedRoutes:
namespaces:
from: All
kinds:
- kind: TLSRoute
tls:
mode: Passthrough
EOF
```

This Gateway will configure NGINX Gateway Fabric to accept TLS connections on port 443 and route them to the corresponding backend Services without decryption. The routing is done based on the SNI, which allows clients to specify a server name (like example.com) during the SSL handshake.

{{< note >}} It is possible to add an HTTPS listener on the same port that terminates TLS connections so long as the hostname does not overlap with the TLS listener hostname. {{< /note >}}

Create a TLSRoute that attaches to the Gateway and routes requests to `app.example.com` to the `secure-app` Service:

```yaml
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: tls-secure-app-route
namespace: default
spec:
parentRefs:
- name: gateway
namespace: default
hostnames:
- "app.example.com"
rules:
- backendRefs:
- name: secure-app
port: 8443
EOF
```

{{< note >}}To route to a Service in a Namespace different from the TLSRoute Namespace, create a [ReferenceGrant](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.ReferenceGrant) to permit the cross-namespace reference. {{< /note >}}

## Send traffic

Using the external IP address and port for NGINX Gateway Fabric, send traffic to the `secure-app` application.

{{< note >}}If you have a DNS record allocated for `app.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}}

Send a request to the `secure-app` Service on the TLS port with the `--insecure` flag. The `--insecure` flag is required because the `secure-app` is using self-signed certificates.

```shell
curl --resolve app.example.com:$GW_TLS_PORT:$GW_IP https://app.example.com:$GW_TLS_PORT --insecure -v
```

```text
Added app.example.com:8443:127.0.0.1 to DNS cache
* Hostname app.example.com was found in DNS cache
* Trying 127.0.0.1:8443...
* Connected to app.example.com (127.0.0.1) port 8443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; CN=app.example.com
* start date: Mar 23 23:20:43 2020 GMT
* expire date: Mar 23 23:20:43 2023 GMT
* issuer: C=US; ST=CA; L=San Francisco; CN=app.example.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: app.example.com:8443
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.27.0
< Date: Wed, 14 Aug 2024 20:41:21 GMT
< Content-Type: text/plain
< Content-Length: 43
< Connection: keep-alive
<
hello from pod secure-app-575785644-kzqf6
```

Note that the server certificate used to terminate the TLS connection has the subject common name of `app.example.com`. This is the server certificate that the `secure-app` is configured with and shows that the TLS connection was terminated by the `secure-app`, not NGINX Gateway Fabric.
58 changes: 44 additions & 14 deletions site/content/overview/gateway-api-compatibility.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,18 +10,18 @@ Learn which Gateway API resources NGINX Gateway Fabric supports and to which lev
## Summary

{{< bootstrap-table "table table-striped table-bordered" >}}
| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
| ------------------------------------- | ------------------- | ---------------------- | ------------------------------------- | ----------- |
| [GatewayClass](#gatewayclass) | Supported | Not supported | Supported | v1 |
| [Gateway](#gateway) | Supported | Partially supported | Not supported | v1 |
| [HTTPRoute](#httproute) | Supported | Partially supported | Not supported | v1 |
| [ReferenceGrant](#referencegrant) | Supported | N/A | Not supported | v1beta1 |
| [GRPCRoute](#grpcroute) | Supported | Partially supported | Not supported | v1 |
| [TLSRoute](#tlsroute) | Not supported | Not supported | Not supported | N/A |
| [TCPRoute](#tcproute) | Not supported | Not supported | Not supported | N/A |
| [UDPRoute](#udproute) | Not supported | Not supported | Not supported | N/A |
| [BackendTLSPolicy](#backendtlspolicy) | Supported | Supported | Not supported | v1alpha3 |
| [Custom policies](#custom-policies) | N/A | N/A | Supported | N/A |
| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
|---------------------------------------|--------------------|------------------------|---------------------------------------|-------------|
| [GatewayClass](#gatewayclass) | Supported | Not supported | Supported | v1 |
| [Gateway](#gateway) | Supported | Partially supported | Not supported | v1 |
| [HTTPRoute](#httproute) | Supported | Partially supported | Not supported | v1 |
| [ReferenceGrant](#referencegrant) | Supported | N/A | Not supported | v1beta1 |
| [GRPCRoute](#grpcroute) | Supported | Partially supported | Not supported | v1 |
| [TLSRoute](#tlsroute) | Supported | Not supported | Not supported | v1alpha2 |
| [TCPRoute](#tcproute) | Not supported | Not supported | Not supported | N/A |
| [UDPRoute](#udproute) | Not supported | Not supported | Not supported | N/A |
| [BackendTLSPolicy](#backendtlspolicy) | Supported | Supported | Not supported | v1alpha3 |
| [Custom policies](#custom-policies) | N/A | N/A | Supported | N/A |
{{< /bootstrap-table >}}

---
Expand Down Expand Up @@ -123,6 +123,7 @@ See the [static-mode]({{< relref "/reference/cli-help.md#static-mode">}}) comman
- `Accepted/False/UnsupportedProtocol`
- `Accepted/False/InvalidCertificateRef`
- `Accepted/False/ProtocolConflict`
- `Accpeted/False/HostnameConflict`
- `Accepted/False/UnsupportedValue`: Custom reason for when a value of a field in a Listener is invalid or not supported.
- `Accepted/False/GatewayConflict`: Custom reason for when the Gateway is ignored due to a conflicting Gateway. NGINX Gateway Fabric only supports a single Gateway.
- `Programmed/True/Programmed`
Expand All @@ -131,6 +132,7 @@ See the [static-mode]({{< relref "/reference/cli-help.md#static-mode">}}) comman
- `ResolvedRefs/False/InvalidCertificateRef`
- `ResolvedRefs/False/InvalidRouteKinds`
- `Conflicted/True/ProtocolConflict`
- `Conflicted/True/HostnameConflict`
- `Conflicted/False/NoConflicts`

---
Expand Down Expand Up @@ -255,10 +257,38 @@ Fields:

{{< bootstrap-table "table table-striped table-bordered" >}}
| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
| -------- | ------------------ | ---------------------- | ------------------------------------- | ----------- |
| TLSRoute | Not supported | Not supported | Not supported | N/A |
|----------|--------------------|------------------------|---------------------------------------|-------------|
| TLSRoute | Supported | Not supported | Not supported | v1alpha2 |
{{< /bootstrap-table >}}

**Fields**:

- `spec`
- `parentRefs`: Partially supported. Port not supported.
- `hostnames`: Supported.
- `rules`
- `backendRefs`: Partially supported. Only one backend ref allowed.
- `weight`: Not supported.
- `status`
- `parents`
- `parentRef`: Supported.
- `controllerName`: Supported.
- `conditions`: Supported (Condition/Status/Reason):
- `Accepted/True/Accepted`
- `Accepted/False/NoMatchingListenerHostname`
- `Accepted/False/NoMatchingParent`
- `Accepted/False/NotAllowedByListeners`
- `Accepted/False/UnsupportedValue`: Custom reason for when the TLSRoute includes an invalid or unsupported value.
- `Accepted/False/InvalidListener`: Custom reason for when the TLSRoute references an invalid listener.
- `Accepted/False/GatewayNotProgrammed`: Custom reason for when the Gateway is not Programmed. TLSRoute can be valid and configured, but will maintain this status as long as the Gateway is not Programmed.
- `Accepted/False/HostnameConflict`: Custom reason for when the TLSRoute has a hostname that conflicts with another TLSRoute on the same port.
- `ResolvedRefs/True/ResolvedRefs`
- `ResolvedRefs/False/InvalidKind`
- `ResolvedRefs/False/RefNotPermitted`
- `ResolvedRefs/False/BackendNotFound`
- `ResolvedRefs/False/UnsupportedValue`: Custom reason for when one of the TLSRoute rules has a backendRef with an unsupported value.
- `PartiallyInvalid/True/UnsupportedValue`

---

### TCPRoute
Expand Down
2 changes: 1 addition & 1 deletion site/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@ module github.com/nginxinc/nginx-gateway-fabric/site

go 1.21

require github.com/nginxinc/nginx-hugo-theme v0.41.0 // indirect
require github.com/nginxinc/nginx-hugo-theme v0.41.1 // indirect
2 changes: 2 additions & 0 deletions site/go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,4 @@
github.com/nginxinc/nginx-hugo-theme v0.41.0 h1:uB9jC0Qk9i2CG63gScHxVHAEz1zyGoAdtY0Lcpkg1lI=
github.com/nginxinc/nginx-hugo-theme v0.41.0/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M=
github.com/nginxinc/nginx-hugo-theme v0.41.1 h1:Wan0Mb8uz1X4Z2vd/1nR0GOPel5mWVPuFD3jd4SezsU=
github.com/nginxinc/nginx-hugo-theme v0.41.1/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M=
Loading