Configuring TLS termination with EnvoyFilter for service mesh

How do I configure TLS termination with EnvoyFilter for service mesh?

In this guide, we will configure TLS termination using an EnvoyFilter in a Kubernetes service mesh. TLS termination means that the Envoy proxy on the gateway decrypts incoming TLS traffic using a server certificate it holds; from that point on the request travels as plain HTTP inside the cluster, so the hop to the backend is protected only if the mesh's own mTLS covers it.

We will create a Kubernetes namespace, a service, and an EnvoyFilter to handle the TLS termination.

Below is the Pulumi program written in TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a Kubernetes namespace
const namespace = new k8s.core.v1.Namespace("tls-namespace", {
    metadata: {
        name: "tls-namespace",
    },
});

// Create a Kubernetes service
const service = new k8s.core.v1.Service("tls-service", {
    metadata: {
        name: "tls-service",
        namespace: namespace.metadata.name,
    },
    spec: {
        ports: [{
            port: 443,
            targetPort: 80,
            protocol: "TCP",
        }],
        selector: {
            app: "my-app",
        },
    },
});

// Create an EnvoyFilter for TLS termination.
// With context "GATEWAY" below, the workloadSelector must match the labels of
// the gateway pods (in a default Istio install, the istio-ingressgateway
// deployment), not the application pods behind the service. An EnvoyFilter
// only applies to workloads in its own namespace unless it lives in the Istio
// root namespace, so deploy it where the gateway runs.
const envoyFilter = new k8s.apiextensions.CustomResource("tls-envoyfilter", {
    apiVersion: "networking.istio.io/v1alpha3",
    kind: "EnvoyFilter",
    metadata: {
        name: "tls-envoyfilter",
        namespace: namespace.metadata.name,
    },
    spec: {
        workloadSelector: {
            labels: {
                app: "my-app",
            },
        },
        configPatches: [{
            // Patch the gateway listener on port 443 whose filter chain carries
            // the HTTP connection manager.
            applyTo: "LISTENER",
            match: {
                context: "GATEWAY",
                listener: {
                    portNumber: 443,
                    filterChain: {
                        filter: {
                            name: "envoy.filters.network.http_connection_manager",
                        },
                    },
                },
            },
            patch: {
                operation: "MERGE",
                value: {
                    filterChains: [{
                        filters: [{
                            name: "envoy.filters.network.http_connection_manager",
                            typedConfig: {
                                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                                codecType: "AUTO",
                                statPrefix: "ingress_http",
                                routeConfig: {
                                    name: "local_route",
                                    virtualHosts: [{
                                        name: "local_service",
                                        domains: ["*"],
                                        routes: [{
                                            match: {
                                                prefix: "/",
                                            },
                                            route: {
                                                cluster: "local_service",
                                            },
                                        }],
                                    }],
                                },
                                httpFilters: [{
                                    name: "envoy.filters.http.router",
                                }],
                                useRemoteAddress: true,
                                streamIdleTimeout: "0s",
                                commonHttpProtocolOptions: {
                                    idleTimeout: "0s",
                                },
                                upgradeConfigs: [{
                                    upgradeType: "websocket",
                                }],
                                normalizePath: true,
                            },
                        }],
                        // TLS termination itself: without a TLS transport socket the
                        // chain above would serve plaintext HTTP on port 443.
                        transportSocket: {
                            name: "envoy.transport_sockets.tls",
                            typedConfig: {
                                "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
                                commonTlsContext: {
                                    tlsParams: {
                                        tlsMinimumProtocolVersion: "TLSv1_2",
                                    },
                                    alpnProtocols: ["h2", "http/1.1"],
                                    // Placeholder paths: the gateway pod must mount its
                                    // server certificate and private key here (for
                                    // example from a Kubernetes TLS Secret).
                                    tlsCertificates: [{
                                        certificateChain: { filename: "/etc/envoy/tls/tls.crt" },
                                        privateKey: { filename: "/etc/envoy/tls/tls.key" },
                                    }],
                                },
                            },
                        },
                    }],
                },
            },
        }],
    },
});

Key Points

  • Created a Kubernetes namespace for isolating resources.
  • Defined a Kubernetes service to handle traffic on port 443.
  • Configured an EnvoyFilter to terminate TLS traffic at the gateway.
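A useful pre-deployment check is to confirm that the EnvoyFilter's listener patch actually carries a TLS transport socket, since a patch that only installs an HTTP connection manager on port 443 serves plaintext. The following is an added example, not code from the Pulumi page or from Istio: a small static check over the `spec` of an EnvoyFilter (camelCase JSON form of the Envoy v3 API) that reports a missing `envoy.transport_sockets.tls` socket, a missing certificate source, or a TLS floor below 1.2. The three sample specs and the certificate paths in them are constructed for the check.

```typescript
// Added example: static review check over an Istio EnvoyFilter spec.
// Field names follow the camelCase JSON form of the Envoy v3 API.

interface TlsContext {
    "@type"?: string;
    commonTlsContext?: {
        tlsParams?: { tlsMinimumProtocolVersion?: string };
        tlsCertificates?: unknown[];
        tlsCertificateSdsSecretConfigs?: unknown[];
    };
}
interface FilterChain {
    filters?: unknown[];
    transportSocket?: { name?: string; typedConfig?: TlsContext };
}
interface ConfigPatch {
    applyTo?: string;
    match?: { context?: string; listener?: { portNumber?: number } };
    patch?: { operation?: string; value?: { filterChains?: FilterChain[] } };
}
interface EnvoyFilterSpec {
    configPatches?: ConfigPatch[];
}

const TLS_SOCKET = "envoy.transport_sockets.tls";
const ACCEPTED_MIN_VERSIONS = new Set(["TLSv1_2", "TLSv1_3"]);

// Returns one string per problem found. An empty array means every filter
// chain in the LISTENER patch for `port` has a TLS transport socket, a
// certificate source, and an explicit TLS >= 1.2 floor.
function checkTlsTermination(spec: EnvoyFilterSpec, port = 443): string[] {
    const findings: string[] = [];
    const patches = (spec.configPatches ?? []).filter(
        p => p.applyTo === "LISTENER" && p.match?.listener?.portNumber === port);
    if (patches.length === 0) {
        return [`no LISTENER patch matches port ${port}`];
    }
    patches.forEach((p, i) => {
        const chains = p.patch?.value?.filterChains ?? [];
        if (chains.length === 0) {
            findings.push(`patch ${i}: patch value has no filterChains`);
        }
        chains.forEach((fc, j) => {
            const where = `patch ${i} chain ${j}`;
            const sock = fc.transportSocket;
            if (!sock || sock.name !== TLS_SOCKET) {
                // Without a TLS transport socket the listener accepts plaintext on the port.
                findings.push(`${where}: no ${TLS_SOCKET} transport socket, TLS is not terminated`);
                return;
            }
            const common = sock.typedConfig?.commonTlsContext;
            const certSources = (common?.tlsCertificates?.length ?? 0)
                + (common?.tlsCertificateSdsSecretConfigs?.length ?? 0);
            if (certSources === 0) {
                findings.push(`${where}: no server certificate (tlsCertificates or SDS secret config)`);
            }
            const min = common?.tlsParams?.tlsMinimumProtocolVersion;
            if (!min || !ACCEPTED_MIN_VERSIONS.has(min)) {
                findings.push(`${where}: tlsMinimumProtocolVersion is ${min ?? "unset"}; require TLSv1_2 or TLSv1_3`);
            }
        });
    });
    return findings;
}

// Builds a spec with a single LISTENER patch on the gateway's port 443 (constructed sample).
function specWithChain(chain: FilterChain): EnvoyFilterSpec {
    return {
        configPatches: [{
            applyTo: "LISTENER",
            match: { context: "GATEWAY", listener: { portNumber: 443 } },
            patch: { operation: "MERGE", value: { filterChains: [chain] } },
        }],
    };
}
const hcm = { name: "envoy.filters.network.http_connection_manager" };

// Shape of a patch that installs only an HTTP connection manager: nothing terminates TLS.
const unterminatedSpec = specWithChain({ filters: [hcm] });
// A socket is present but there is no certificate and the floor is TLS 1.0.
const weakSpec = specWithChain({
    filters: [hcm],
    transportSocket: {
        name: TLS_SOCKET,
        typedConfig: { commonTlsContext: { tlsParams: { tlsMinimumProtocolVersion: "TLSv1_0" } } },
    },
});
// A chain that passes: TLS socket, certificate files (placeholder paths), TLS 1.2 floor.
const terminatedSpec = specWithChain({
    filters: [hcm],
    transportSocket: {
        name: TLS_SOCKET,
        typedConfig: {
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
            commonTlsContext: {
                tlsParams: { tlsMinimumProtocolVersion: "TLSv1_2" },
                tlsCertificates: [{
                    certificateChain: { filename: "/etc/envoy/tls/tls.crt" },
                    privateKey: { filename: "/etc/envoy/tls/tls.key" },
                }],
            },
        },
    },
});

console.log("unterminated:", checkTlsTermination(unterminatedSpec));
console.log("weak:", checkTlsTermination(weakSpec));
console.log("terminated:", checkTlsTermination(terminatedSpec));
```

Run it against the `spec` object you pass to the `CustomResource` before `pulumi up`; the first sample reproduces the case where the listener patch has no `transportSocket` at all and is reported as not terminating TLS.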

Summary

We have configured TLS termination for a Kubernetes service using an EnvoyFilter. With this setup, incoming TLS traffic is decrypted by the Envoy proxy at the gateway; beyond that point the request is plain HTTP unless the mesh's own mTLS covers the hop to the backend.
