Tutorial: Add Tls To Nginx Gateway Fabric

In nan previous tutorial, we deployed Nginx Gateway Fabric and configured HTTP routing to expose soul services done nan Kubernetes Gateway API. While functional for development, accumulation deployments require TLS encryption to unafraid postulation betwixt clients and nan gateway.

This tutorial extends our existing setup by adding TLS termination astatine nan gateway and implementing automatic HTTP to HTTPS redirection. By nan end, you’ll person a production-ready configuration that encrypts each customer traffic.

Prerequisites

This tutorial assumes you person completed Part 1 and person nan pursuing resources running:

• Nginx Gateway Fabric deployed successful nan nginx-gateway namespace.
• A Gateway assets named demo-gateway pinch an HTTP listener connected larboard 80.
• Sample exertion (demo-web and demo-api) moving successful nan demo namespace.
• HTTPRoute configured to way postulation to nan backend services.
• OpenSSL installed locally (for certificate generation).

Verify your existing setup:

Step 1: Generate TLS Certificates

For this tutorial, we’ll create a self-signed certificate. In production, you would usage cert-manager pinch Let’s Encrypt aliases certificates from your organization’s CA.`12

Create a directory and make nan certificate:

Important: Replace demo.example.com pinch your existent domain. The Subject Alternative Name (SAN) is required for modern browsers and clients to judge nan certificate.

Verify nan certificate:

Step 2: Create nan Kubernetes TLS Secret

Store nan certificate and cardinal successful a Kubernetes secret. The concealed must reside successful nan aforesaid namespace arsenic nan Gateway (nginx-gateway).

Verify nan secret:

You should spot tls.crt and tls.key listed successful nan Data section.

Step 3: Update nan Gateway for HTTPS

Modify nan Gateway to adhd an HTTPS listener alongside nan existing HTTP listener. Create a record named gateway-tls.yaml:

Key configuration elements: The tls.mode: Terminate mounting performs TLS termination astatine nan gateway, decrypting postulation earlier forwarding to backend services complete plain HTTP. The certificateRefs points to our TLS secret.

Apply nan updated Gateway:

Verify some listeners are configured:

Step 4: Create nan HTTPS Route

Create an HTTPRoute that binds to nan HTTPS listener utilizing nan sectionName field. Save arsenic route-https.yaml:

Apply nan HTTPS route:

Step 5: Configure HTTP to HTTPS Redirect

To guarantee each postulation uses HTTPS, create a redirect way that captures HTTP requests and returns a 301 redirect. Save arsenic http-redirect.yaml:

This way binds to nan HTTP listener (sectionName: http) and applies a RequestRedirect select that changes nan strategy to HTTPS and returns a 301 imperishable redirect.

Apply nan redirect route:

You tin now delete nan original HTTP way from Part 1 since each HTTP postulation will beryllium redirected:

Step 6: Test nan TLS Configuration

First, get nan NodePort assignments for HTTP and HTTPS:

Note nan ports mapped to 80 (HTTP) and 443 (HTTPS). For this example, we’ll presume HTTP is connected larboard 31080 and HTTPS is connected larboard 31443.

Test HTTPS Access

Use curl pinch --resolve to representation nan hostname to your node IP. The -k emblem skips certificate verification for self-signed certs:

Test HTTP Redirect

Verify that HTTP requests person a 301 redirect to HTTPS:

Expected response:

HTTP/1.1 301 Moved Permanently
Location: https://demo.example.com/

Verify Certificate Details

Inspect nan certificate being served by nan gateway:

Summary

You person successfully added TLS support to your Nginx Gateway Fabric deployment. The last configuration includes:

• A Gateway pinch some HTTP (port 80) and HTTPS (port 443) listeners.
• TLS termination astatine nan gateway utilizing a Kubernetes secret.
• An HTTPRoute for HTTPS postulation bound to nan https listener.
• Automatic HTTP to HTTPS redirect utilizing nan Gateway API’s autochthonal RequestRedirect filter.

Resources created successful this tutorial:

Production Recommendations

For accumulation deployments, switch self-signed certificates pinch automated certificate guidance utilizing cert-manager:

Create a ClusterIssuer for Let’s Encrypt and annotate your Gateway to automatically proviso certificates. Refer to nan cert-manager archiving for Gateway API integration details.

Additional information hardening:

• Monitor certificate expiration pinch Prometheus metrics.
• Implement HSTS headers utilizing Nginx Gateway Fabric’s argumentation resources.
• Use abstracted certificates for different domains aliases environments.
• Rotate certificates astatine slightest annually, preferably much often pinch automation.

Looking Ahead

This tutorial demonstrated really to unafraid your Gateway API implementation pinch TLS termination and automatic HTTP redirects. The Gateway API’s autochthonal support for these patterns — done tls.mode: Terminate and RequestRedirect filters — eliminates nan request for vendor-specific annotations that plagued Ingress configurations.

In consequent tutorials, we’ll research precocious postulation guidance patterns including canary deployments pinch postulation splitting, header-based routing for A/B testing, complaint limiting and petition throttling, and cross-namespace routing for multi-tenant clusters.

The unafraid instauration you’ve built present — pinch due TLS termination and redirect handling — is basal groundwork for these accumulation scenarios. Stay tuned!

Group Created pinch Sketch.