How do I configure TLS termination with EnvoyFilter for service mesh?
In this guide, we will configure TLS termination using an EnvoyFilter in a Kubernetes service mesh running Istio. TLS termination means that the Envoy proxy decrypts incoming TLS traffic itself and forwards plaintext HTTP to the application behind it, so certificate handling and decryption are centralized at the proxy rather than in each application.
We will create a Kubernetes namespace, a service, and an EnvoyFilter to handle the TLS termination.
Below is the Pulumi program written in TypeScript:
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a Kubernetes namespace for the application resources
const namespace = new k8s.core.v1.Namespace("tls-namespace", {
    metadata: {
        name: "tls-namespace",
    },
});

// Create a Kubernetes service: exposes port 443 and forwards to the pods' port 80
const service = new k8s.core.v1.Service("tls-service", {
    metadata: {
        name: "tls-service",
        namespace: namespace.metadata.name,
    },
    spec: {
        ports: [{
            port: 443,
            targetPort: 80,
            protocol: "TCP",
        }],
        selector: {
            app: "my-app",
        },
    },
});

// Create an EnvoyFilter that terminates TLS on the ingress gateway's 443 listener.
// Istio applies an EnvoyFilter with a workloadSelector only to workloads in the
// EnvoyFilter's own namespace, so it lives beside the gateway (assumed here to be
// Istio's default ingress gateway in istio-system, labelled istio=ingressgateway;
// the original selector app=my-app matched the application pods, not the gateway).
const envoyFilter = new k8s.apiextensions.CustomResource("tls-envoyfilter", {
    apiVersion: "networking.istio.io/v1alpha3",
    kind: "EnvoyFilter",
    metadata: {
        name: "tls-envoyfilter",
        namespace: "istio-system",
    },
    spec: {
        workloadSelector: {
            labels: {
                istio: "ingressgateway",
            },
        },
        configPatches: [
            {
                // Patch the 443 filter chain itself: this transport socket is what makes
                // Envoy decrypt incoming traffic. (MERGE on the whole LISTENER appends a
                // new entry to filterChains instead of changing the existing chain.)
                applyTo: "FILTER_CHAIN",
                match: {
                    context: "GATEWAY",
                    listener: {
                        portNumber: 443,
                    },
                },
                patch: {
                    operation: "MERGE",
                    value: {
                        transportSocket: {
                            name: "envoy.transport_sockets.tls",
                            typedConfig: {
                                "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
                                commonTlsContext: {
                                    // Refuse TLS 1.0 and 1.1 clients.
                                    tlsParams: {
                                        tlsMinimumProtocolVersion: "TLSv1_2",
                                    },
                                    // Assumed paths: a certificate and key mounted into the gateway pod.
                                    tlsCertificates: [{
                                        certificateChain: { filename: "/etc/istio/ingressgateway-certs/tls.crt" },
                                        privateKey: { filename: "/etc/istio/ingressgateway-certs/tls.key" },
                                    }],
                                },
                            },
                        },
                    },
                },
            },
            {
                // Tune the HTTP connection manager on the same listener. Istio generates the
                // route configuration and the HTTP filter list (including the terminal router
                // filter) for a gateway from Gateway and VirtualService resources; merging a
                // static routeConfig or a second router filter here would override or break
                // that generated config, so only connection-level options are patched.
                applyTo: "NETWORK_FILTER",
                match: {
                    context: "GATEWAY",
                    listener: {
                        portNumber: 443,
                        filterChain: {
                            filter: {
                                name: "envoy.filters.network.http_connection_manager",
                            },
                        },
                    },
                },
                patch: {
                    operation: "MERGE",
                    value: {
                        name: "envoy.filters.network.http_connection_manager",
                        typedConfig: {
                            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                            codecType: "AUTO",
                            statPrefix: "ingress_http",
                            // Take the client address from the connection when setting x-forwarded-for.
                            useRemoteAddress: true,
                            // "0s" disables these idle timeouts; idle connections are then never reclaimed.
                            streamIdleTimeout: "0s",
                            commonHttpProtocolOptions: {
                                idleTimeout: "0s",
                            },
                            upgradeConfigs: [{
                                upgradeType: "websocket",
                            }],
                            // Collapse "/a/../b" style paths before routing decisions are made.
                            normalizePath: true,
                        },
                    },
                },
            },
        ],
    },
});
Key Points
- Created a Kubernetes namespace for isolating resources.
- Defined a Kubernetes service that exposes the application on port 443 and forwards to container port 80.
- Configured an EnvoyFilter to terminate TLS traffic at the gateway.
Summary
We have configured TLS termination for a Kubernetes service using an EnvoyFilter. Incoming TLS traffic on port 443 is decrypted by the Envoy proxy at the gateway, so certificates and decryption are handled at the proxy instead of in the application.
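As an added example (not code from the original page, Pulumi or Istio), the following TypeScript check reviews an EnvoyFilter spec object like the one above before it is deployed: it confirms that the 443 listener actually receives a DownstreamTlsContext with TLS 1.2 or newer, and flags idle timeouts of "0s", which disable the timeout. The field names it inspects are Envoy's camelCase JSON names, and the sample spec is constructed for the check.

```typescript
const TLS_CONTEXT_TYPE = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext";
// Depth-first search for the first object carrying `key`; returns its value.
function findKey(node: any, key: string): any {
  if (node === null || typeof node !== "object") return undefined;
  if (!Array.isArray(node) && Object.prototype.hasOwnProperty.call(node, key)) return node[key];
  for (const k in node) {
    const hit = findKey(node[k], key);
    if (hit !== undefined) return hit;
  }
  return undefined;
}
// Review findings for the patches that target `port`; an empty list means the listener
// gets a DownstreamTlsContext with TLS 1.2+ and no disabled idle timeouts.
function checkTlsTermination(spec: any, port: number = 443): string[] {
  const findings: string[] = [];
  const patches: any[] = (spec.configPatches || []).filter(
    (p: any) => p.match && p.match.listener && p.match.listener.portNumber === port);
  if (patches.length === 0) return ["no configPatch matches listener port " + port];
  let tlsContext: any;
  for (const p of patches) {
    const value = p.patch ? p.patch.value : undefined;
    const socket = findKey(value, "transportSocket");
    if (socket && socket.typedConfig && socket.typedConfig["@type"] === TLS_CONTEXT_TYPE) {
      tlsContext = socket.typedConfig;
    }
    // "0s" disables Envoy's idle timeouts, so idle connections are never reclaimed.
    if (findKey(value, "streamIdleTimeout") === "0s" || findKey(value, "idleTimeout") === "0s") {
      findings.push("port " + port + ": idle timeout 0s disables the timeout");
    }
  }
  if (!tlsContext) {
    return findings.concat("port " + port + ": no DownstreamTlsContext, listener stays plaintext");
  }
  const minVersion = ((tlsContext.commonTlsContext || {}).tlsParams || {}).tlsMinimumProtocolVersion;
  if (minVersion !== "TLSv1_2" && minVersion !== "TLSv1_3") {
    findings.push("port " + port + ": tlsMinimumProtocolVersion is " + (minVersion || "unset"));
  }
  return findings;
}
// Constructed sample: an HCM-only MERGE on port 443 with no transport socket at all.
const sampleSpec = {
  configPatches: [{
    applyTo: "LISTENER",
    match: { context: "GATEWAY", listener: { portNumber: 443 } },
    patch: { operation: "MERGE", value: { filterChains: [{ filters: [{
      name: "envoy.filters.network.http_connection_manager",
      typedConfig: { streamIdleTimeout: "0s", commonHttpProtocolOptions: { idleTimeout: "0s" } },
    }] }] } },
  }],
};
```

Running `checkTlsTermination(sampleSpec)` reports both the missing TLS context and the disabled idle timeouts; a spec whose 443 filter chain carries a DownstreamTlsContext with tlsMinimumProtocolVersion TLSv1_2 returns no findings.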