Setting up Upstream TLS with Service Annotations

Motivation

Gloo Gateway can auto-discover SSL configuration for upstream TLS connections using annotations on the Kubernetes Service.

This can be used as a convenient alternative to the Upstream to configure Upstream or Client SSL.

This document explains the options for configuring SSL using service annotations. For a step-by-step guide illustrating Upstream SSL in Gloo Gateway, see the Upstream SSL Guide

Configuring Upstream SSL Using Kubernetes Secrets

To use a Kubernetes TLS secret for Upstream TLS, set the annotations of your service like so:

apiVersion: v1
kind: Service
metadata:
  annotations:
    gloo.solo.io/sslService.secret: upstream-tls
  name: example-tls-server
  namespace: default
spec:
  clusterIP: 10.7.244.103
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: example-tls-server
  type: ClusterIP

Note: The secret must live in the same namespace as the service.

Configuring Upstream SSL Using Files Mounted to the Proxy

To certs mounted to the proxy pod (named gateway-proxy by default) for Upstream TLS, set the annotations of your service like so:

apiVersion: v1
kind: Service
metadata:
  annotations:
    gloo.solo.io/sslService.tlsCert: /tls.crt
    gloo.solo.io/sslService.tlsKey: /tls.key
    gloo.solo.io/sslService.rootCa: /ca.crt
  name: example-tls-server
  namespace: default
spec:
  clusterIP: 10.7.244.103
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: example-tls-server
  type: ClusterIP

Note: The certificates must be mounted to the proxy pod (named gateway-proxy by default) with the paths specified in the annotations.

Configuring Upstream SSL for a Specific Port on a Service

A service may have more than one port, where only a specific port is serving SSL.

In this case, it’s necessary to include the SSL port in the annotation value, like so:

apiVersion: v1
kind: Service
metadata:
  annotations:
    # configure Upstream SSL for routes to port 443 of our service
    gloo.solo.io/sslService.tlsCert: /443:tls.crt
    gloo.solo.io/sslService.tlsKey: /443:tls.key
    gloo.solo.io/sslService.rootCa: /443:ca.crt
  name: web
  namespace: default
spec:
  clusterIP: 10.7.244.103
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: web
  type: ClusterIP

Note: You can also specify <port>:<secret> for the gloo.solo.io/sslService.secret annotation.