Securing Cilium Gateway API
This tutorial shows how to automate encryption of ingress traffic into your Kubernetes cluster with the Kubernetes Gateway API, Cilium and cert-manager.
Steps
- Step 1 - Install Helm
- Step 2 - Deploy Kubernetes Gateway API
- Step 3 - Deploy Cilium
- Step 4 - Deploy cert-manager and Configure an Issuer
- Step 5 - Configure a Gateway and HTTPRoute
Step 1 - Install Helm
Skip this step if Helm is already installed on your client.
This tutorial installs cert-manager with Helm, a templating and deployment tool for Kubernetes resources (the Cilium CLI used in Step 3 deploys Cilium's Helm chart under the hood).
First, install the Helm client by following the Helm installation instructions. For example, on macOS:
$ brew install helm
For a detailed description read the documentation provided at: https://helm.sh/docs/intro/install/
Step 2 - Deploy Kubernetes Gateway API
This tutorial targets Cilium version 1.17.5, which supports Gateway API version 1.2.0. Keep the two in step: installing a different Gateway API release than the one your Cilium version supports can leave the GatewayClass unaccepted.
Install the Gateway API Custom Resource Definitions (CRDs):
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
Optionally, install the experimental TLSRoute CRD (needed only if you want to route TLS passthrough traffic by SNI):
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
This is also described in the Cilium docs.
Step 3 - Deploy Cilium
Install the Cilium CLI either via your package manager or from the GitHub releases. For example:
$ brew install cilium-cli
Install Cilium on a newly deployed Kubernetes cluster with the Gateway API integration enabled. The Gateway API integration requires kube-proxy replacement, so both settings are needed:
$ cilium install \
    --set kubeProxyReplacement=true \
    --set gatewayAPI.enabled=true
$ cilium status --wait
The Cilium docs describe this in detail.
Step 4 - Deploy cert-manager and Configure an Issuer
Add the Jetstack Helm repository:
$ helm repo add jetstack https://charts.jetstack.io --force-update
Install cert-manager, letting the chart manage its CRDs:
$ helm install \
    cert-manager jetstack/cert-manager \
    --namespace cert-manager \
    --create-namespace \
    --set crds.enabled=true
cert-manager's Helm installation documentation covers the remaining chart options in detail.
Define a Let's Encrypt ACME HTTP01 ClusterIssuer. Replace the email address with one you control: it receives certificate expiry and policy notices. Note that the `ingress: {}` solver answers challenges by creating temporary Ingress resources, so an Ingress controller must be serving the certificate's hostname; cert-manager also provides an `http01.gatewayHTTPRoute` solver that answers challenges through a Gateway instead.
clusterissuer-letsencrypt.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: noreply@example.com
    privateKeySecretRef:
      name: letsencrypt-clusterissuer
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress: {}
Apply it to the cluster:
$ kubectl apply -f clusterissuer-letsencrypt.yaml
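The following script is an added example, not part of the cert-manager or Cilium documentation. It wraps Steps 2 to 4 into something repeatable: it generates the CRD manifest URLs for a given Gateway API release so the version is changed in one place, compares the `gateway.networking.k8s.io/bundle-version` annotation that the Gateway API CRDs carry against the release Cilium expects, and waits for the conditions the rest of the tutorial depends on (GatewayClass `cilium` Accepted, the cert-manager webhook Available, the ClusterIssuer `letsencrypt` Ready). The GatewayClass name `cilium`, the deployment name `cert-manager-webhook` and the 120-second timeout are assumptions that match default installs.

```shell
#!/bin/sh
# Added example (not from the cert-manager or Cilium docs): install the Gateway API
# CRDs for one release and verify the cluster state the tutorial depends on.
set -eu

GATEWAY_API_BASE="https://raw.githubusercontent.com/kubernetes-sigs/gateway-api"

# Print the manifest URLs for one Gateway API release. The five standard-channel
# CRDs are the ones the tutorial installs; the experimental TLSRoute CRD is only
# added when the second argument is "experimental".
gateway_api_crd_urls() {
  version="$1"
  channel="${2:-standard}"
  for crd in gatewayclasses gateways httproutes referencegrants grpcroutes; do
    echo "$GATEWAY_API_BASE/$version/config/crd/standard/gateway.networking.k8s.io_${crd}.yaml"
  done
  if [ "$channel" = "experimental" ]; then
    echo "$GATEWAY_API_BASE/$version/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml"
  fi
}

# Apply every manifest printed by gateway_api_crd_urls.
install_gateway_api_crds() {
  gateway_api_crd_urls "$@" | while read -r url; do
    kubectl apply -f "$url"
  done
}

# Pure comparison, kept separate from kubectl so it can be exercised offline.
# Returns 0 when the installed bundle version equals the expected one.
bundle_version_matches() {
  expected="$1"
  actual="$2"
  [ "$actual" = "$expected" ]
}

# Read the bundle-version annotation from the Gateway CRD and compare it with the
# release Cilium expects. Fails the script on a mismatch so a pipeline stops early.
check_gateway_api_version() {
  expected="$1"
  actual=$(kubectl get crd gateways.gateway.networking.k8s.io \
    -o jsonpath='{.metadata.annotations.gateway\.networking\.k8s\.io/bundle-version}')
  if bundle_version_matches "$expected" "$actual"; then
    echo "Gateway API CRDs: $actual (ok)"
  else
    echo "Gateway API CRDs: installed '$actual', expected '$expected'" >&2
    return 1
  fi
}

# Block until a status condition on an object becomes True (assumed 120s timeout).
wait_condition() {
  kind="$1"
  name="$2"
  cond="${3:-Ready}"
  namespace="${4:-}"
  if [ -n "$namespace" ]; then
    kubectl wait "$kind/$name" -n "$namespace" --for=condition="$cond" --timeout=120s
  else
    kubectl wait "$kind/$name" --for=condition="$cond" --timeout=120s
  fi
}

# Verify everything Steps 2 to 4 should have produced before moving on to the Gateway.
verify_install() {
  check_gateway_api_version "${1:-v1.2.0}"
  wait_condition gatewayclass cilium Accepted
  wait_condition deployment cert-manager-webhook Available cert-manager
  wait_condition clusterissuer letsencrypt Ready
}

# Usage: ./gateway-setup.sh install v1.2.0 [experimental]
#        ./gateway-setup.sh verify v1.2.0
case "${1:-}" in
  install) shift; install_gateway_api_crds "$@" ;;
  verify)  shift; verify_install "$@" ;;
esac
```

`kubectl wait` works on any resource that exposes `status.conditions`, which is why the same helper covers the GatewayClass, the Deployment and the ClusterIssuer. If the ClusterIssuer never becomes Ready, `kubectl describe clusterissuer letsencrypt` shows the ACME registration error in the Ready condition's message.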