Deploys a functional prototype using Kubernetes Gateway API supporting TLS Termination and Passthru ingress functionality. Built using Istio (Ambient Mode), Cert-Manager and Hashicorp Vault for certificate lifecycle management and signing TLS certificates within a Minikube environment.
| Core Infrastructure | Version |
|---|---|
| Minikube | 1.34.0 |
| Kubernetes | 1.31.0 |
| Docker | 27.2.0 |
| OpenSSL | 3.4.0 |
| Name | Description |
|---|---|
| Ubuntu | 20.04.6 LTS |
| Processor | Intel® Core™ i7-7700K CPU @ 4.20GHz × 8 |
| Memory | 64 GB |
Instructions for deploying the Core Infrastructure Dependencies listed above are NOT included within this set of Prototypes as there are numerous targeted deployment instructions for each better suited for your particular OS.
| Deployed Name | Version |
|---|---|
| Cert-manager | 1.15.3 |
| Ingress-nginx | 1.11.2 |
| Istio | 1.23.2 |
| Kubernetes Gateway API | 1.1.0 |
| Hashicorp Vault | 1.17.3 |
| Metallb | 0.9.6 |
- Cert-Manager / Vault Issuer - https://cert-manager.io/docs/configuration/vault/
- Cert-Manager / Vault - https://developer.hashicorp.com/vault/tutorials/archive/kubernetes-cert-manager
- Cert-Manager Kubenetes Service Account - cert-manager/cert-manager#5502 - new serviceaccountref
- Vault Minikube TLS - https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-minikube-tls
- Configure Vault as a CA - https://developer.hashicorp.com/vault/tutorials/pki/pki-engine
Note :
The commands within the shell files below are meant to be copy pasted (one or a few lines at a time) into a terminal, and not run as an automated bash script.
This script deploys the following:
- Deletes and Installs Fresh Minikube install.
- Installs and configures Metallb load balancer.
- Installs Kubernetes Gateway API CRDs, both standard and experimental
- Installs Istio in Ambient Mode with Experimental Gateway CRDs turned on.
- Creates cert-manager namespace
- Intalls Cert-Manager CRDs
- Installs Cert-Manager with Experimental Gateway CRD support.
In order to deploy Hashicorp Vault to kubernetes (minikube) for use with TLS transport there are prerequisite keys, certificates and secrets which must be created and deployed. For a better understanding of this process please read the Hashicorp Vault documentation (above) for installing Vault to minikube with TLS enabled. The steps detailed within this script follow this documentation. The final step of this script is to install Vault via the official helm chart.
The steps performed within the script to accomplish this are:
- Generate OpenSSL keys and certificates for vault.
- Create a CSR (certificate signing request)
- Have Kubernetes CA sign the CSR and approve the certificate
- Create the vault namespace
- Use the keys and certificates to create a kubernetes secret for Vault.
- Install Hashicorp Vault
Now that Vault has been deployed to Kubernetes (Minikube), we need to perform basic configuration. Vault has been deployed to 3 pods. These pods need to be initialized with the appropriate Shamir key shares and thresholds, and then joined together via raft, and finally unsealed with the shamir keys generated at the start of this script.
After performing these configuration steps we generate at vault login token for the cluster and login to the running vault system. Next the scripts perform several test functions to ensure that the Vault deployment has been successful.
The steps within the script are as follows:
- Generate the shamir key with the appropriate keyshare and key threshhold - (1 and 1)
- Obtain the resulting unseal key
- Unseal Vault-0 pod
- Join Vaults pods 1 and 2 to Vault-0 pod
- Unseal Vault pods 1 and 2
- Obtain the Vault root cluster token
- Login to the Vault pod 0
- Validate and Test the Vault setup
Hashicorp Vault has now been setup and configured with TLS transport. The next step is to setup Vault as a Certificate Authority (CA) providing both a Root Certificate as well as an Intermediate Certificate for signing. This will allow Cert-Manager to send Vault Certificate Signing Requests (CSR) and receive back the approved signed certificate. Please note that these certificates will still be self signed Certificates for this prototype.
Hashicorp Vault documentation provides multiple methods for configuring and enabling the Vault CA. Within this prototype I have used the Vault UI to generate the Root and Intermediate Certificates and associated Policies, Roles and Issuers. The main reason is that I got it to work using the UI, and while trying to configure the CA using the Vault CLI, I ended up with errors generating the final certificates. As I had a working solution I moved on. See setting up Vault as a CA in the documentation section above.
The steps within the script are as follows:
- Create a Vault Admin policy for access rights.
- Generate an Admin Token to be used for UI login
- Login to the Vault UI
- Create and configure a PKI engine for the root CA.
- Create a role for the root CA.
- Create a new PKI engine for the Intermediate CA.
- Generate and intermediate CSR for the Intermediate CA.
- Have the Root CA sign the Intermediate CSR
- Import the signed Certificate to the Intermediate CA
- Create an Intermediate CA Role
- Test by generating a new certificate from the Intermediate CA
Now that the Vault Root and Intermediate PKI engines have been setup to allow the the intermediate CA to sign certificates we need to configure Vault Kubernetes auth so that Cert-Manager can automatically access Vault Issuers for CSR requests. What this means in scripting terms is we need to:
- Enable Kubernetes Authentication within Vault.
- Create a Kubernetes Authentication Role and bind it to a service account.
Now we need to configure Vault Issuers so that Cert-Manager can automatically access Vault for CSR requests. What this means in scripting terms is we need to:
- Create a Vault Issuer Role.
- Create a Vault Policy to allow signing for CSRs.
- Configure the Vault Issuer Role.
- Create the Service Account, Role, Role binding Vault-Issuer cert-manager component.
- Create and apply the Cert-Manager Issuer which points to the Vault Issuer with appropriate Authentication.
- Define a test certificate.
- Create and review the signed test certificate.
The Mango App is an Http Echo Server which upon a successful request returns "Juicy Mango". The purpose of including this within this prototype is to show support for multiple Gateways each within a separate namespace using differing Route configurations. As this configuration supports TLS termination at the Gateway with mutual TLS from the Gateway to the service endpoint the configuration uses an HTTPRoute.
The steps performed within this script are as follows:
- Create a namespace for the mango deployment
- Create and configure a Vault Issuer and role for mango certificates
- Create a vault authorization policy and role for the mango issuer
- Deploy cert-manager Service Account, Role and Rolebindings for the issuer
- Deploy a cert-manager issuer configured to the vault mango-issuer
- Deploy a cert-manager certificate for mango tls using vault mango issuer
- Deploy mango gateway and app
- Obtain mango host, ports, and tls credentials
- Test access via curl with tls terminated at the gateway and mtls within cluster.
The Nginx Server deployments deploys a standard Nginx Web Server to an Nginx namespace. Within this namespace is also deployed a dedicated Gateway for the nginx deployment. The Gateway configuration for the service endpoints use a TLSRoute which supports TLS Passthrough. The successful setup and test verify that multiple Gateways in differing namespaces supporting differing Route types are supported within the Istio Gateway controller.
The steps performed within this script are as follows:
- Create a namespace for the nginx deployment
- Create and configure a Vault Issuer and role for nginx certificate signing
- Create a vault authorization policy and role for the nginx issuer
- Deploy cert-manager Service Account, Role and Rolebindings for the issuer
- Deploy a cert-manager issuer configured to the vault nginx-issuer
- Deploy a cert-manager certificate for nginx tls using vault nginx issuer
- Deploy nginx gateway and app
- Obtain nginx host, ports, and tls credentials
- Test access via curl with tls passthru via the gateway to the nginx app listener.