{"id":1920,"date":"2024-02-22T08:21:43","date_gmt":"2024-02-22T08:21:43","guid":{"rendered":"https:\/\/imesh.ai\/blog\/?p=1920"},"modified":"2024-02-22T08:24:53","modified_gmt":"2024-02-22T08:24:53","slug":"secure-tls-kubernetes-gateway-api","status":"publish","type":"post","link":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/","title":{"rendered":"TLS with Kubernetes Gateway API"},"content":{"rendered":"\n<p>In the previous blog, we looked into <a href=\"https:\/\/imesh.ai\/blog\/kubernetes-gateway-api-implementation\/\">Kubernetes Gateway API implementation<\/a>. We saw a demo on gradually shifting traffic from Ingress to Gateway API. Here, I will share a tutorial on securing the traffic in Gateway API using TLS.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Steps to implement TLS with Kubernetes Gateway API<\/h2>\n\n\n\n<p>I will follow the given steps for the demo:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#step0\">Step #0: Demo overview and prerequisites<\/a><\/li>\n\n\n\n<li><a href=\"#step1\">Step #1: Deploy the application, cert-manager, and ClusterIssuer<\/a><\/li>\n\n\n\n<li><a href=\"#step2\">Step #2: Deploy the Gateway with HTTP and HTTPS listeners<\/a><\/li>\n\n\n\n<li><a href=\"#step3\">Step #3: Attach HTTPRoutes to the Gateway listeners<\/a><\/li>\n\n\n\n<li><a href=\"#step4\">Step #4: Access the Gateway<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading step0\" id=\"step0\">Step #0: Demo overview and prerequisites<\/h3>\n\n\n\n<p>To show TLS with <a href=\"https:\/\/imesh.ai\/blog\/kubernetes-gateway-api\/\">K8s Gateway API<\/a>, I will deploy a <em>Gateway<\/em> with 2 listeners: HTTP and HTTPS. 
Both listeners will have an <em>HTTPRoute<\/em> attached to it, which routes the traffic to the service as shown in the image below:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"960\" height=\"540\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-in-k8s-gateway-api-with-http-and-https-listeners.png\" alt=\"gateway in k8s gateway api with http and https listeners\" class=\"wp-image-1922\" style=\"aspect-ratio:1.7777777777777777;width:840px;height:auto\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-in-k8s-gateway-api-with-http-and-https-listeners.png 960w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-in-k8s-gateway-api-with-http-and-https-listeners-300x169.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-in-k8s-gateway-api-with-http-and-https-listeners-768x432.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-in-k8s-gateway-api-with-http-and-https-listeners-400x225.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-in-k8s-gateway-api-with-http-and-https-listeners-800x450.png 800w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><\/figure>\n<\/div>\n\n\n<p><br>We will check if we can access the application through the secure HTTPS route.<\/p>\n\n\n\n<p>The prerequisites for the demo are the following:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A controller to implement Kubernetes Gateway API. I have used <a href=\"https:\/\/imesh.ai\/blog\/kubernetes-nginx-ingress-vs-istio-ingress-gateway\/\">Istio Ingress<\/a> for the demo.<\/li>\n\n\n\n<li>At the time of writing this piece, the cert-manager needs to have the experimental gateway feature manually enabled for it to work with Gateway API. 
For that, add <em>--feature-gates=ExperimentalGatewayAPISupport=true<\/em> to the cert-manager-controller container args:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>containers:\n  - name: cert-manager-controller\n    image: \"quay.io\/jetstack\/cert-manager-controller:v1.14.1\"\n    imagePullPolicy: IfNotPresent\n    args:\n      - --v=2\n      - --cluster-resource-namespace=$(POD_NAMESPACE)\n      - --leader-election-namespace=kube-system\n      - --acme-http01-solver-image=quay.io\/jetstack\/cert-manager-acmesolver:v1.14.1\n      - --max-concurrent-challenges=60\n      - --feature-gates=ExperimentalGatewayAPISupport=true # Required for cert-manager to work with the Kubernetes Gateway API<\/code><\/pre>\n\n\n\n<p>I have already configured and uploaded the resources used for the demo to the <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/tree\/main\/TLS%20with%20Kubernetes%20Gateway%20API\">IMESH GitHub repository<\/a>.<\/p>\n\n\n\n<p>If you are interested in watching the demo in action, here is the video:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Securing Traffic with TLS in Kubernetes Gateway API | Cert-manager | Demo\" width=\"1130\" height=\"636\" src=\"https:\/\/www.youtube.com\/embed\/N6bfR6wTN5I?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading step1\" id=\"step1\">Step #1: Deploy the application, cert-manager, and ClusterIssuer<\/h3>\n\n\n\n<p>I\u2019m deploying a simple <em>echoserver <\/em>service (<a 
href=\"https:\/\/github.com\/imesh-ai\/webinar\/blob\/main\/TLS%20with%20Kubernetes%20Gateway%20API\/app\/application.yaml\">application.yaml<\/a>) to <em>tls-gw-api <\/em>namespace (<a href=\"https:\/\/github.com\/imesh-ai\/webinar\/blob\/main\/TLS%20with%20Kubernetes%20Gateway%20API\/app\/namespace.yaml\">namespace.yaml<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f app\/application.yaml<\/code><\/pre>\n\n\n\n<p>Now, let\u2019s deploy the cert-manager (<a href=\"https:\/\/github.com\/imesh-ai\/webinar\/blob\/main\/TLS%20with%20Kubernetes%20Gateway%20API\/certificate\/cert-manager.yaml\">cert-manager.yaml<\/a>) which has the Gateway feature enabled:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f certificate\/cert-manager.yaml<\/code><\/pre>\n\n\n\n<p>The cert-manager is up and running:<br><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"127\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status-1024x127.png\" alt=\"cert-manager deployment status\" class=\"wp-image-1923\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status-1024x127.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status-300x37.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status-768x95.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status-400x49.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status-800x99.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status-1160x143.png 1160w, 
https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/cert-manager-deployment-status.png 1262w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>Now, I\u2019m using the following <em>ClusterIssuer <\/em>(<a href=\"https:\/\/github.com\/imesh-ai\/webinar\/blob\/main\/TLS%20with%20Kubernetes%20Gateway%20API\/certificate\/ssl-prod-cluster-issuer.yaml\">ssl-prod-cluster-issuer.yaml<\/a>)<em> <\/em>for the prod cluster as the Certificate Authority (CA) to manage the certificates for any namespace in the cluster:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>apiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: prod-cluster-issuer\nspec:\n  acme:\n    server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n    privateKeySecretRef:\n      name: prod-cluster-issuer\n    solvers:\n      - http01:\n          gatewayHTTPRoute:\n            parentRefs:\n              - kind: Gateway\n                name: k8s-gateway\n                namespace: tls-gw-api<\/code><\/pre>\n\n\n\n<p>I\u2019m using the <a href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/#http-01-challenge\">HTTP-01 challenge<\/a> for the certificates to auto-renew in the cluster. The <em>gatewayHTTPRoute <\/em>field specifies the Gateway through which the HTTP-01 challenge is solved when certificates are issued and auto-renewed.<\/p>\n\n\n\n<p>Applying the issuer:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f certificate\/ssl-prod-cluster-issuer.yaml<\/code><\/pre>\n\n\n\n<p>You can check its deployment status by running the command:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl get clusterissuer<\/code><\/pre>\n\n\n\n<p>That sums up the configurations for the cert-manager. 
Now, let\u2019s look at the Kubernetes Gateway API CRDs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading step2\" id=\"step2\">Step #2: Deploy the Gateway CRD<\/h3>\n\n\n\n<p>Following is the configuration for the <em>Gateway <\/em>resource (<a href=\"https:\/\/github.com\/imesh-ai\/webinar\/blob\/main\/TLS%20with%20Kubernetes%20Gateway%20API\/gw-api\/k8s-gateway.yaml\">k8s-gateway.yaml<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>apiVersion: gateway.networking.k8s.io\/v1\nkind: Gateway\nmetadata:\n  name: k8s-gateway\n  namespace: tls-gw-api\n  annotations:\n    cert-manager.io\/cluster-issuer: prod-cluster-issuer\n    # cert-manager.io\/cluster-issuer: staging-cluster-issuer\n    service.beta.kubernetes.io\/port_80_no_probe_rule: \"true\" # FOR AZURE\n    service.beta.kubernetes.io\/port_443_no_probe_rule: \"true\" # FOR AZURE\nspec:\n  gatewayClassName: istio\n  listeners:\n    - name: http-listener\n      hostname: \"*.imesh.ai\"\n      port: 80\n      protocol: HTTP\n      allowedRoutes:\n        namespaces:\n          from: All\n    - name: https-listener\n      hostname: test.imesh.ai\n      port: 443\n      protocol: HTTPS\n      tls:\n        mode: Terminate\n        certificateRefs:\n          - name: \"test-imesh-cert\"\n      allowedRoutes:\n        namespaces:\n          from: All<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the above file, <em>metadata <\/em>specifies the gateway (<em>k8s-gateway<\/em>) and the respective namespace (<em>tls-gw-api<\/em>).<\/li>\n\n\n\n<li>The annotation <em>cert-manager.io\/cluster-issuer: prod-cluster-issuer <\/em>specifies the <em>ClusterIssuer<\/em> configured in step #1. 
Make sure to change the issuer and annotation if you are using a namespaced issuer (i.e., <em>Issuer <\/em>resource).<\/li>\n\n\n\n<li><em>gatewayClassName <\/em>shows the controller (Istio) used for implementing the Gateway API resources. Istio is already installed in the cluster.<\/li>\n\n\n\n<li>The <em>listeners <\/em>field lists <em>http-listener<\/em> and <em>https-listener<\/em>, which use the HTTP and HTTPS protocols, respectively. <em>http-listener <\/em>has the hostname <em>*.imesh.ai <\/em>while <em>https-listener <\/em>has <em>test.imesh.ai<\/em>.\n<ul class=\"wp-block-list\">\n<li>Note that an HTTP listener is mandatory even if you need only the HTTPS route or TLS. Without an HTTP listener, cert-manager will not be able to solve the HTTP challenge, since the challenge is served over plain-text HTTP. For better security, it is advisable to add all your application-level routes to the HTTPS listener and keep the HTTP listener only for certificate renewal purposes.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The <em>tls <\/em>field sets the TLS mode (<em>Terminate<\/em>, i.e., TLS is terminated at the Gateway)<em> <\/em>and the certificates used by the Gateway. 
The certificate&#8217;s secret information is mentioned under <em>certificateRefs<\/em>.<\/li>\n<\/ul>\n\n\n\n<p>Applying the <em>Gateway<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f gw-api\/k8s-gateway.yaml<\/code><\/pre>\n\n\n\n<p>The Gateway is running:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"61\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status-1024x61.png\" alt=\"gateway resource deployment status\" class=\"wp-image-1924\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status-1024x61.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status-300x18.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status-768x46.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status-400x24.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status-800x48.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status-1160x70.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/gateway-resource-deployment-status.png 1367w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>Now, let\u2019s create routes for the Gateway listeners to take the requests to the <em>echoserver<\/em> service.<\/p>\n\n\n\n<h3 class=\"wp-block-heading step3\" id=\"step3\">Step #3: Attach HTTPRoutes to HTTP and HTTPS listeners<\/h3>\n\n\n\n<p>I have created 2 <em>HTTPRoute <\/em>resources: <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/blob\/main\/TLS%20with%20Kubernetes%20Gateway%20API\/gw-api\/insecure-http-route.yaml\"><em>insecure-http-route<\/em><\/a><em> <\/em>and 
<a href=\"https:\/\/github.com\/imesh-ai\/webinar\/blob\/main\/TLS%20with%20Kubernetes%20Gateway%20API\/gw-api\/secure-http-route.yaml\"><em>secure-http-route<\/em><\/a>. In both resources, the <em>sectionName<\/em> field refers to the respective listener in the Gateway to which the route gets attached.<\/p>\n\n\n\n<p>In the <em>insecure-http-route <\/em>resource, the <em>sectionName <\/em>is <em>http-listener<\/em> which means that the <em>HTTPRoute <\/em>gets attached to the HTTP listener in the Gateway:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>apiVersion: gateway.networking.k8s.io\/v1\nkind: HTTPRoute\nmetadata:\n  name: insecure-http-route\n  namespace: tls-gw-api\nspec:\n  parentRefs:\n    - kind: Gateway\n      name: k8s-gateway\n      sectionName: http-listener<\/code><\/pre>\n\n\n\n<p>Similarly, <em>secure-http-route <\/em>attaches to the <em>https-listener <\/em>in the Gateway.<\/p>\n\n\n\n<p>I have also added filter chains to inject request and response headers to identify whether the request comes from secure or insecure routes. 
The below configuration is from <em>secure-http-route<\/em>,<em> <\/em>and it injects the <em>HTTPS-Secure <\/em>header value:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>filters:\n  - type: ResponseHeaderModifier\n    responseHeaderModifier:\n      add:\n        - name: PROTOCOL\n          value: HTTPS-Secure\n  - type: RequestHeaderModifier\n    requestHeaderModifier:\n      add:\n        - name: PROTOCOL\n          value: HTTPS-Secure<\/code><\/pre>\n\n\n\n<p>Similarly, <em>insecure-http-route <\/em>injects the <em>HTTP-Insecure<\/em> value into the header.<\/p>\n\n\n\n<p>Both <em>HTTPRoute <\/em>resources route traffic from the Gateway to the <em>echoserver <\/em>service on port 80.<\/p>\n\n\n\n<p>Let us apply the routes:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f gw-api\/insecure-http-route.yaml\nkubectl apply -f gw-api\/secure-http-route.yaml<\/code><\/pre>\n\n\n\n<p>You can verify the routes attached to the Gateway listeners by describing the Gateway:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl describe gateway k8s-gateway -n tls-gw-api<\/code><\/pre>\n\n\n\n<p>We can also check if the certificate is generated:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl get certificate -n tls-gw-api<\/code><\/pre>\n\n\n\n<p>Now, let us verify if we can access the application from the browser through both HTTP and HTTPS routes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading step4\" id=\"step4\">Step #4: Access the Gateway<\/h3>\n\n\n\n<p>Let us try the insecure, HTTP route by typing in 
<em>http:\/\/test.imesh.ai <\/em>in the browser:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"544\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route-1024x544.png\" alt=\"accessing the application through insecure http route\" class=\"wp-image-1926\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route-1024x544.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route-300x159.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route-768x408.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route-400x213.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route-800x425.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route-1160x617.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-insecure-http-route.png 1407w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>You can see the <em>protocol=HTTP-Insecure <\/em>in the request headers, which means that it is coming from the insecure HTTP route.<\/p>\n\n\n\n<p>If I try <em>https:\/\/test.imesh.ai<\/em>, you can see that the <em>protocol <\/em>value is <em>HTTPS-Secure<\/em>, meaning the request comes from the secure HTTP route.<br><em>&nbsp;<\/em><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"763\" 
src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route-1024x763.png\" alt=\"accessing the application through the secure http TLS route\" class=\"wp-image-1927\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route-1024x763.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route-300x224.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route-768x573.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route-400x298.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route-800x596.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route-1160x865.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/accessing-the-application-through-the-secure-http-TLS-route.png 1222w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>You can also view the certificate issued for the connection:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"837\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/certificate-details.png\" alt=\"certificate details\" class=\"wp-image-1928\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/certificate-details.png 808w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/certificate-details-290x300.png 290w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/certificate-details-768x796.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/certificate-details-400x414.png 400w, 
https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/certificate-details-800x829.png 800w\" sizes=\"(max-width: 808px) 100vw, 808px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">IMESH Enterprise Gateway API support<\/h2>\n\n\n\n<p>The TLS setup with Gateway API that we saw above is a simple one. In real-life production clusters, DevOps and architects deal with multiple certificates used for different domains. Managing certificates and their auto-renewal can quickly become complicated in those scenarios. IMESH provides support for Gateway API challenges, and you can <a href=\"mailto:contact@imesh.ai\">contact us<\/a> anytime if you need help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the previous blog, we looked into Kubernetes Gateway API implementation. We<span class=\"excerpt-more\"><\/span><\/p>\n","protected":false},"author":9,"featured_media":1931,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[121,36],"tags":[120,69],"class_list":["post-1920","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kubernetes-gateway-api","category-security","tag-kubernetes-gateway-api","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>TLS with Kubernetes Gateway API<\/title>\n<meta name=\"description\" content=\"The tutorial shares steps on how to secure traffic with TLS in Kubernetes Gateway API.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"TLS with Kubernetes Gateway API\" \/>\n<meta 
property=\"og:description\" content=\"The tutorial shares steps on how to secure traffic with TLS in Kubernetes Gateway API.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/\" \/>\n<meta property=\"og:site_name\" content=\"IMESH\" \/>\n<meta property=\"article:published_time\" content=\"2024-02-22T08:21:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-22T08:24:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"576\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Md Azmal\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Md Azmal\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/\"},\"author\":{\"name\":\"Md Azmal\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10\"},\"headline\":\"TLS with Kubernetes Gateway API\",\"datePublished\":\"2024-02-22T08:21:43+00:00\",\"dateModified\":\"2024-02-22T08:24:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/\"},\"wordCount\":917,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png\",\"keywords\":[\"Kubernetes Gateway API\",\"security\"],\"articleSection\":[\"Kubernetes Gateway API\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/\",\"url\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/\",\"name\":\"TLS with Kubernetes Gateway 
API\",\"isPartOf\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png\",\"datePublished\":\"2024-02-22T08:21:43+00:00\",\"dateModified\":\"2024-02-22T08:24:53+00:00\",\"description\":\"The tutorial shares steps on how to secure traffic with TLS in Kubernetes Gateway API.\",\"breadcrumb\":{\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png\",\"width\":1024,\"height\":576,\"caption\":\"TLS with Kubernetes Gateway API\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/imesh.ai\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"TLS with Kubernetes Gateway API\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/imesh.ai\/blog\/#website\",\"url\":\"https:\/\/imesh.ai\/blog\/\",\"name\":\"IMESH 
Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/imesh.ai\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\",\"name\":\"IMESH\",\"url\":\"https:\/\/imesh.ai\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg\",\"width\":2560,\"height\":1665,\"caption\":\"IMESH\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/imeshai\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10\",\"name\":\"Md Azmal\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg\",\"caption\":\"Md Azmal\"},\"description\":\"Azmal is one of the founding engineers at IMESH, who focuses on boosting enterprise performance and security using Istio and Envoy. He's a versatile full-stack developer skilled in building scalable and performant applications in the cloud. 
Azmal's interest in cybersecurity and networking has led him to work on various research projects in network security.\",\"sameAs\":[\"https:\/\/imesh.ai\",\"https:\/\/www.linkedin.com\/in\/md-azmal-570308160\"],\"url\":\"https:\/\/imesh.ai\/blog\/author\/azmal-mdimesh-ai\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TLS with Kubernetes Gateway API","description":"The tutorial shares steps on how to secure traffic with TLS in Kubernetes Gateway API.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/","og_locale":"en_US","og_type":"article","og_title":"TLS with Kubernetes Gateway API","og_description":"The tutorial shares steps on how to secure traffic with TLS in Kubernetes Gateway API.","og_url":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/","og_site_name":"IMESH","article_published_time":"2024-02-22T08:21:43+00:00","article_modified_time":"2024-02-22T08:24:53+00:00","og_image":[{"width":1024,"height":576,"url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png","type":"image\/png"}],"author":"Md Azmal","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Md Azmal","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#article","isPartOf":{"@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/"},"author":{"name":"Md Azmal","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10"},"headline":"TLS with Kubernetes Gateway API","datePublished":"2024-02-22T08:21:43+00:00","dateModified":"2024-02-22T08:24:53+00:00","mainEntityOfPage":{"@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/"},"wordCount":917,"commentCount":0,"publisher":{"@id":"https:\/\/imesh.ai\/blog\/#organization"},"image":{"@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage"},"thumbnailUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png","keywords":["Kubernetes Gateway API","security"],"articleSection":["Kubernetes Gateway API","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/","url":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/","name":"TLS with Kubernetes Gateway API","isPartOf":{"@id":"https:\/\/imesh.ai\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage"},"image":{"@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage"},"thumbnailUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png","datePublished":"2024-02-22T08:21:43+00:00","dateModified":"2024-02-22T08:24:53+00:00","description":"The tutorial shares steps on how to secure traffic with TLS in Kubernetes Gateway 
API.","breadcrumb":{"@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#primaryimage","url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png","contentUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png","width":1024,"height":576,"caption":"TLS with Kubernetes Gateway API"},{"@type":"BreadcrumbList","@id":"https:\/\/imesh.ai\/blog\/secure-tls-kubernetes-gateway-api\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/imesh.ai\/blog\/"},{"@type":"ListItem","position":2,"name":"TLS with Kubernetes Gateway API"}]},{"@type":"WebSite","@id":"https:\/\/imesh.ai\/blog\/#website","url":"https:\/\/imesh.ai\/blog\/","name":"IMESH 
Blog","description":"","publisher":{"@id":"https:\/\/imesh.ai\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/imesh.ai\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/imesh.ai\/blog\/#organization","name":"IMESH","url":"https:\/\/imesh.ai\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg","contentUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg","width":2560,"height":1665,"caption":"IMESH"},"image":{"@id":"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/imeshai"]},{"@type":"Person","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10","name":"Md Azmal","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/person\/image\/","url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg","contentUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg","caption":"Md Azmal"},"description":"Azmal is one of the founding engineers at IMESH, who focuses on boosting enterprise performance and security using Istio and Envoy. He's a versatile full-stack developer skilled in building scalable and performant applications in the cloud. 
Azmal's interest in cybersecurity and networking has led him to work on various research projects in network security.","sameAs":["https:\/\/imesh.ai","https:\/\/www.linkedin.com\/in\/md-azmal-570308160"],"url":"https:\/\/imesh.ai\/blog\/author\/azmal-mdimesh-ai\/"}]}},"jetpack_featured_media_url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2024\/02\/TLS-with-Kubernetes-Gateway-API.png","_links":{"self":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts\/1920","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/comments?post=1920"}],"version-history":[{"count":4,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts\/1920\/revisions"}],"predecessor-version":[{"id":1932,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts\/1920\/revisions\/1932"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/media\/1931"}],"wp:attachment":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/media?parent=1920"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/categories?post=1920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/tags?post=1920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}