You can secure the ingress gateway with HTTPS by using simple TLS, and enable HTTPS connections to specific webpages. In addition, you can redirect HTTP connections to HTTPS.
HTTPS creates a secure channel over an insecure network, protecting against man-in-the-middle attacks and encrypting traffic between the client and server. To prepare a web server to accept HTTPS connections, an administrator must create a public key certificate for the server. This certificate must be signed by a trusted certificate authority for a web browser to accept it without warning.
Edit the gateway named external-gateway in the kf namespace using the built-in Kubernetes editor:

```
kubectl edit gateway -n kf external-gateway
```

- Assuming you have a certificate and key for your service, create a Kubernetes secret for the ingress gateway. Make sure the secret name does not begin with prometheus. For this example, the secret is named myapp-https-credential.
- Add a section for port 443.
  - Under tls:, set the credentialName to the name of the secret you just created.
  - Under hosts:, add the host name of the service you want to secure with HTTPS. This can be set to an entire domain using a wildcard (e.g. *.example.com) or scoped to just one hostname (e.g. myapp.example.com).
- There should already be a section under servers: for port 80 HTTP. Keep this section in the Gateway definition if you would like all traffic to come in as HTTP.
- To redirect HTTP to HTTPS, add the value httpsRedirect: true under tls in the HTTP server section. See the Istio Gateway documentation for reference. Note that adding this in the section where hosts is set to * means that all traffic is redirected to HTTPS. If you only want to redirect HTTP to HTTPS for a single app/domain, add a separate HTTP section specifying the redirect.
Shown below is an example of a Gateway spec that sets up HTTPS for myapp.example.com and redirects HTTP to HTTPS for that host:

```yaml
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - myapp.example.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myapp-https-credential
      mode: SIMPLE
  - hosts:
    - myapp.example.com
    port:
      name: http-my-app
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
```
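A check you can run against the edited Gateway before relying on it, written for this page as an added example (not Kf or Istio code). It reports HTTPS hosts that remain reachable over plain HTTP and secret names that break the naming rule above. The function names, the JSON sample (constructed to mirror the spec above) and the rule that the most specific matching HTTP server decides are assumptions.

```python
import json

def _covers(pattern, host):
    """True if a Gateway host pattern (exact, '*.suffix' or '*') covers host."""
    return pattern in ("*", host) or (
        pattern.startswith("*.") and host.endswith(pattern[1:]))

def audit_gateway(spec):
    """Return findings for a Gateway .spec dict (e.g. from kubectl get ... -o json)."""
    findings = []
    servers = spec.get("servers", [])
    http = [s for s in servers if s["port"]["protocol"] == "HTTP"]
    for srv in (s for s in servers if s["port"]["protocol"] == "HTTPS"):
        tls = srv.get("tls") or {}
        cred = tls.get("credentialName", "")
        if not tls.get("mode") or not cred:
            findings.append(
                f"port {srv['port']['number']}: tls.mode or credentialName missing")
        if cred.startswith("prometheus"):
            findings.append(f"secret name {cred!r} must not begin with 'prometheus'")
        for host in srv.get("hosts", []):
            # Assumption: the most specific HTTP server covering the host decides
            # (an exact name beats a wildcard, a longer wildcard beats '*').
            cands = [((p == host, len(p)), h) for h in http
                     for p in h.get("hosts", []) if _covers(p, host)]
            if not cands:
                continue  # host is not served over plain HTTP at all
            best = max(cands, key=lambda c: c[0])[1]
            if not (best.get("tls") or {}).get("httpsRedirect"):
                findings.append(
                    f"{host}: still served over plain HTTP (no httpsRedirect)")
    return findings

# Constructed sample: the example spec from this page, expressed as JSON.
PAGE_EXAMPLE = json.loads("""
{"servers": [
  {"hosts": ["myapp.example.com"],
   "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
   "tls": {"credentialName": "myapp-https-credential", "mode": "SIMPLE"}},
  {"hosts": ["myapp.example.com"],
   "port": {"name": "http-my-app", "number": 80, "protocol": "HTTP"},
   "tls": {"httpsRedirect": true}},
  {"hosts": ["*"],
   "port": {"name": "http", "number": 80, "protocol": "HTTP"}}
]}
""")

if __name__ == "__main__":
    print(audit_gateway(PAGE_EXAMPLE) or "no findings")
```

With the host-specific redirect section removed, the wildcard port 80 server becomes the best match for myapp.example.com and the audit reports it as still served over plain HTTP.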