Ingress + TLS using ContourGatewayProvisioner #5384
Comments
@davinkevin to use existing Ingresses with TLS, you'll want to define your Gateway like the following:

```yaml
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: legacy
  namespace: projectcontour
spec:
  gatewayClassName: legacy
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: HTTP
    port: 443
    allowedRoutes:
      namespaces:
        from: All
```

Note that, even though the Gateway defines port 443 as protocol=HTTP, ultimately Envoy will still have TLS configured because you have those TLS details defined on the Ingress. It's not the most intuitive (and I don't think we have this currently documented), but it should work and not require you to copy all of your TLS config into Gateway Listeners for now. This is definitely an area of ongoing development for us, so any additional details, thoughts etc. that you could provide would be valuable for the project!
👏 Fantastic! I didn't try that because it was really counter-intuitive, but really good to know! From my point of view, if this is documented somewhere, I think it's a beginning. I'll try that this weekend 👍 and let you know.
Actually, what I said above is not quite right; Contour 1.25 won't let you create HTTP listeners on two different ports. What you can use is the following:

```yaml
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: legacy
  namespace: projectcontour
spec:
  gatewayClassName: legacy
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: TLS
    port: 443
    tls:
      mode: Passthrough
    allowedRoutes:
      namespaces:
        from: All
```

You can think of the second listener as "passing through" TLS configuration to the HTTPProxy or Ingress (I know, still kind of hacky). For 1.26 we're likely going to add support for a custom protocol for this case, e.g.
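As an added pre-flight check (not Contour's code and not posted in this thread), the script below encodes the two constraints from the comment above: Contour 1.25 rejects HTTP listeners on two different ports, and the port 443 listener must be `TLS`/`Passthrough` so that the certificate Envoy serves comes from each Ingress `.spec.tls` Secret, which the script also verifies is referenced. The sample Gateway objects mirror the two manifests above; the Ingress, hostname and Secret name are constructed placeholders.

```python
"""Pre-flight check for the Gateway/Ingress combination settled on in this thread."""
from typing import Any, Dict, List

def check_gateway_listeners(gateway: Dict[str, Any]) -> List[str]:
    """Return problems in a parsed Gateway (e.g. `kubectl get gateway -o json`).
    Rules from the thread: Contour 1.25 rejects HTTP listeners on two ports, and the
    :443 listener must be protocol=TLS, tls.mode=Passthrough so the certificate is
    taken from the Ingress .spec.tls rather than from the Gateway."""
    problems: List[str] = []
    listeners = gateway.get("spec", {}).get("listeners", [])
    http_ports = sorted({ln["port"] for ln in listeners if ln.get("protocol") == "HTTP"})
    if len(http_ports) > 1:
        problems.append(f"HTTP listeners on ports {http_ports}: rejected by Contour 1.25")
    on_443 = [ln for ln in listeners if ln.get("port") == 443]
    if not on_443:
        problems.append("no listener on port 443: Ingress TLS has nothing to attach to")
    for ln in on_443:
        if ln.get("protocol") != "TLS" or ln.get("tls", {}).get("mode") != "Passthrough":
            problems.append(f"listener {ln.get('name')!r}: needs protocol=TLS, tls.mode=Passthrough")
    return problems

def check_ingress_tls(ingress: Dict[str, Any]) -> List[str]:
    """Return problems in an Ingress that is expected to carry its own TLS config."""
    problems: List[str] = []
    spec = ingress.get("spec", {})
    name = ingress.get("metadata", {}).get("name", "?")
    rule_hosts = {r.get("host") for r in spec.get("rules", [])}
    if not spec.get("tls"):  # no TLS block: this Ingress would only be served on :80
        problems.append(f"ingress {name}: no .spec.tls")
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):  # without a Secret, Envoy has no certificate to serve
            problems.append(f"ingress {name}: .spec.tls entry without secretName")
        for host in entry.get("hosts", []):
            if host not in rule_hosts:  # certificate bound to a host that no rule routes
                problems.append(f"ingress {name}: TLS host {host} has no matching rule")
    return problems

# Constructed samples: the two Gateways from the thread (first rejected, second working)
# and a hypothetical Ingress whose hostname and Secret name are placeholders.
def _gateway(second: Dict[str, Any]) -> Dict[str, Any]:
    return {"spec": {"listeners": [{"name": "http", "protocol": "HTTP", "port": 80}, second]}}

GATEWAY_TWO_HTTP = _gateway({"name": "https", "protocol": "HTTP", "port": 443})
GATEWAY_PASSTHROUGH = _gateway({"name": "https", "protocol": "TLS", "port": 443, "tls": {"mode": "Passthrough"}})
INGRESS_OK = {"metadata": {"name": "app"}, "spec": {"tls": [{"hosts": ["app.example.com"], "secretName": "app-tls"}],
                                                   "rules": [{"host": "app.example.com"}]}}

if __name__ == "__main__":
    for label, gw in (("two-http", GATEWAY_TWO_HTTP), ("passthrough", GATEWAY_PASSTHROUGH)):
        print(label, check_gateway_listeners(gw) or "ok")
    print("ingress", check_ingress_tls(INGRESS_OK) or "ok")
```

Run it against `kubectl get gateway,ingress -A -o json` output before the migration to catch every Ingress that would silently lose TLS.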
Tested successfully in my sandbox env. The big step is now to migrate my main cluster to it 🤞. The main point for me is to have access to documentation, with or without the custom protocol you've described. Anyway, thank you for your help and for this project.
@davinkevin I completely agree, we need more docs here, particularly around anything unique to Contour's implementation of Gateway API. We have #4786 in the backlog for this and it's on my mind as we continue to do work here. Thanks for the feedback!
Context:

After I found a solution for #5382, I face another challenge: to make the migration from `Ingress` to `GatewayAPI` with ContourGatewayProvisioner straightforward, and this is related to `https`.

My current configuration looks like this:

With this, the following `Ingress` works well:

Because I have multiple Ingress set up with TLS at `ingress` level, using `.spec.tls` parameters, I would like to use them with ContourGatewayProvisioner. And because I have dozen(s) of `ingress` to manage, I would like to have the simplest solution, to prevent downtime or "big bang changes" in the cluster.

NOTE: I've found this solution in `Gateway`:

This solution in the `legacy` Gateway works, but it means:

- `Ingress` `.spec.tls.*` into one `listener` in the `legacy` gateway

What question do you have?:

- `ingress` with TLS using Contour Gateway Provisioner?
- `Ingress` full support planned for the ContourGatewayProvisioner, to avoid this kind of hacky solution?

Anything else you would like to add:

Nothing, but please ask questions if some part of this issue is not clear enough.

Environment:

- Kubernetes version (use `kubectl version`): 1.26
- OS (e.g. from `/etc/os-release`): Debian