Issuing wildcard certificates on Kubernetes Gateway API (Part 2/2)

If you have followed part1 you should should have cert-manager already running.

All the files are available on github: https://github.com/angjelo/cloud-infra

Let's see how we can build the following infrustrcture by using cilium and the gateway api.

Initially we need to create a gateway class and specify the controller that our gateway will be using, I am using cilium on my cluster that's why I have set controllerName: io.cilium/gateway-controller

apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: cillium-gateway-class
spec:
  controllerName: io.cilium/gateway-controller

After you have successfully created the gateway controller lets define the gateway which will be our entrypoint.
Few things:

• The annotations field allows you to attach additional metadata to the resource. In this case, an annotation is used to specify the cluster issuer for certificates issued by Cert-Manager (a Kubernetes add-on for certificate management)
• cert-manager.io/cluster-issuer:cloudflare-domain-issuer refers to the cluster-issuer that we created in part1
• The secret used in the field certificateRefs is defined in the certificate.yml

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: fine-ops-gateway
  annotations:
    cert-manager.io/cluster-issuer: cloudflare-domain-issuer
spec:
  gatewayClassName: cillium-gateway-class
  listeners:
    - name: https
      hostname: "*.fine-ops.com"
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
        - kind: Secret
          name: fine-ops

if we execute kubectl get svc then we shoulld see a public IP assigned to our gateway, if you are on aws usually you will get an ELB address that you can use to point to point your CNAME cloudflare

Now that we have defined our main entry point lets create our

• tls-route
• service
• deployment for test-app1

This will be the nginx app deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app1
  namespace: default
  labels:
    app: test-app1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test-app1
  template:
    metadata:
      labels:
        app: test-app1
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        imagePullPolicy: Always

kubectl apply -f test-app1-deployment.yml

To view if the pods are deployed successfully kubectl get pods

Now is time to create a service to expose the port internally in kubernetes:

apiVersion: v1
kind: Service
metadata:
  name: test-app1
  namespace: default
  labels:
    app: test-app1
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: test-app1

kubectl get svc to see if the service was created

Se we can see that test-app1 has been exposed to an internal IP. Now it's time create the tls-route and attach it to the service that we exposed earlier

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: test-app-1
spec:
  parentRefs:
  - name: fine-ops-gateway
    sectionName: https
  hostnames:
    - "fe-1.fine-ops.com"
  rules:
    - matches:
      - path:
          type: PathPrefix
          value: /
        method: GET
      backendRefs:
      - name: test-app1
        port: 80

Lets break down some keypoints in the yaml:

• parentRefs refers to the gateway name that we created earlier (fine-ops-gateway)
• We are referencing the service created earlier for test-app1 validate that the route was created: kubectl get httproutes

Now that we have have created our http route, we can try to access the service on https://fe-1.fine-ops.com (make sure you have created an A record that points the Loadbalancer IP of the cilium gateway)

Now that we have deployed fe-1.fine-ops.com it time to deploy fe-2.fine-ops.com

Let's start again by creating the second deployment, similar to the previous nginx deployment but the app name is different this time

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app2
  namespace: default
  labels:
    app: test-app2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app2
  template:
    metadata:
      labels:
        app: test-app2
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        imagePullPolicy: Always

After verifying that the pods are running it is time to create the service to internally expose the port to kubernetes

apiVersion: v1
kind: Service
metadata:
  name: test-app2
  namespace: default
  labels:
    app: test-app2
spec:
  ports:
  - port: 90
    name: http
    targetPort: 80
  selector:
    app: test-app2

Not it is time to create the TLS route for fe-2.fine-ops.com

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http-app-2
spec:
  parentRefs:
  - name: fine-ops-gateway
    namespace: default
  hostnames:
    - "fe-2.fine-ops.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
      method: GET
    backendRefs:
    - name: test-app2
      port: 90

kubectl get httproutes should display these routes

Lastly we need to add a new A for fe-2.fine-ops.com record to point to the load balancer IP,this is how the records should look like in cloudflare

Now you can visit fe-2.yourdomain.com