You can secure the ingress gateway with HTTPS by using simple TLS, and enable HTTPS connections to specific webpages. In addition, you can redirect HTTP connections to HTTPS.
HTTPS creates a secure channel over an insecure network, protecting against man-in-the-middle attacks and encrypting traffic between the client and server. To prepare a web server to accept HTTPS connections, an administrator must create a public key certificate for the server. This certificate must be signed by a trusted certificate authority for a web browser to accept it without warning.
Edit the gateway named `external-gateway` in the `kf` namespace using the built-in Kubernetes editor:

```shell
kubectl edit gateway -n kf external-gateway
```
- Assuming you have a certificate and key for your service, create a Kubernetes secret for the ingress gateway. Make sure the secret name does not begin with `istio` or `prometheus`. For this example, the secret is named `myapp-https-credential`.
- Under `servers:`:
  - Add a section for port 443.
  - Under `tls:`, set the `credentialName` to the name of the secret you just created.
  - Under `hosts:`, add the host name of the service you want to secure with HTTPS. This can be set to an entire domain using a wildcard (e.g. `*.example.com`) or scoped to just one hostname (e.g. `myapp.example.com`).
- There should already be a section under `servers:` for port 80 HTTP. Keep this section in the Gateway definition if you would like all traffic to come in as HTTP.
- To redirect HTTP to HTTPS, add the value `httpsRedirect: true` under `tls` in the HTTP server section. See the Istio Gateway documentation for reference. Note that adding this in the section where `hosts` is set to `*` means that all traffic is redirected to HTTPS. If you only want to redirect HTTP to HTTPS for a single app/domain, add a separate HTTP section specifying the redirect.
Shown below is an example of a Gateway spec that sets up HTTPS for `myapp.example.com` and redirects HTTP to HTTPS for that host:

```yaml
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - myapp.example.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myapp-https-credential
      mode: SIMPLE
  - hosts:
    - myapp.example.com
    port:
      name: http-my-app
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
```
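The rules above (a `credentialName` on every HTTPS server, no `istio`/`prometheus` secret-name prefix, and an HTTP redirect for any host that also has an HTTPS server) can be checked before the Gateway is applied. The following is an added example, not code from Kf or Istio; it transcribes the page's example spec into a Python dict so the check runs offline without a YAML parser, and flags a host that would still be served in plaintext when the redirect is dropped.

```python
# Added example, not Kf's or Istio's own code. The page's Gateway spec is
# transcribed into a dict below so the check runs offline without PyYAML.
RESERVED_PREFIXES = ("istio", "prometheus")  # secret names must not start with these

def lint_gateway(spec):
    """Return findings for one Istio Gateway spec; an empty list means clean."""
    findings, https_hosts, http_servers = [], set(), []
    for i, srv in enumerate(spec.get("servers", [])):
        proto = srv.get("port", {}).get("protocol", "").upper()
        tls = srv.get("tls") or {}
        hosts = srv.get("hosts", [])
        if proto == "HTTPS":
            cred = tls.get("credentialName")
            if not cred:
                findings.append(f"server[{i}]: HTTPS server without tls.credentialName")
            elif cred.startswith(RESERVED_PREFIXES):
                findings.append(f"server[{i}]: secret {cred!r} uses a reserved prefix")
            https_hosts.update(hosts)
        elif proto == "HTTP":
            http_servers.append((i, hosts, bool(tls.get("httpsRedirect"))))
    # A host with an HTTPS server stays reachable in plaintext unless its HTTP
    # server sets httpsRedirect (exact host match; the catch-all '*' is left alone).
    for i, hosts, redirect in http_servers:
        for host in hosts:
            if host in https_hosts and not redirect:
                findings.append(f"server[{i}]: {host!r} served over plain HTTP without httpsRedirect")
    return findings

def page_example_spec():
    """The Gateway spec shown on this page, as a dict."""
    return {
        "selector": {"istio": "ingressgateway"},
        "servers": [
            {"hosts": ["myapp.example.com"],
             "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
             "tls": {"credentialName": "myapp-https-credential", "mode": "SIMPLE"}},
            {"hosts": ["myapp.example.com"],
             "port": {"name": "http-my-app", "number": 80, "protocol": "HTTP"},
             "tls": {"httpsRedirect": True}},
            {"hosts": ["*"], "port": {"name": "http", "number": 80, "protocol": "HTTP"}},
        ],
    }

if __name__ == "__main__":
    weak = page_example_spec()
    del weak["servers"][1]["tls"]  # drop the redirect: the host is now served in plaintext too
    print("page example:", lint_gateway(page_example_spec()) or "clean")
    print("weakened:", lint_gateway(weak))
```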