Set up TLS termination in ingress gateway
=========================================

**Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see [Cloud Service Mesh overview](/service-mesh/v1.24/docs/overview).

Overview
--------

This page demonstrates how to set up TLS termination in the ingress gateway in Cloud Service Mesh to manage external HTTPS traffic to your services. You will learn how to configure the gateway for secure communication using TLS, enabling encrypted access to your applications. This process uses Cloud Service Mesh capabilities to expose services securely.

Before you begin
----------------

To complete the steps in this document you need the following resources:

- A Kubernetes cluster with Cloud Service Mesh installed.

Set up your environment
-----------------------

Run the following commands from a workstation that can access the cluster you intend to use. Make sure that the `kubectl` tool is configured to use the cluster context specific to your cluster.

1. Set the environment variables.

   ```shell
   export ASM_INGRESSGATEWAY_NAMESPACE=asm-ingressgateway
   export ASM_INGRESSGATEWAY_DEPLOYMENT_NAME=asm-ingressgateway
   export ASM_INGRESSGATEWAY_SERVICE_NAME=asm-ingressgateway
   ```

2. Deploy the `foo` application in your cluster. The manifest places its objects in the `foo` namespace, which must already exist. Install it with:

   ```shell
   cat <<EOF | kubectl apply -f -
   apiVersion: v1
   kind: Service
   metadata:
     name: foo
     namespace: foo
   spec:
     selector:
       app: test-backend
     ports:
     - port: 8080
       targetPort: 8080
   ---
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: foo
     namespace: foo
   spec:
     replicas: 2
     selector:
       matchLabels:
         app: test-backend
     template:
       metadata:
         labels:
           app: test-backend
       spec:
         containers:
         - name: whereami
           image: gcr.io/google-samples/whereami:v1.2.23
           ports:
           - containerPort: 8080
   EOF
   ```

3. Generate certificates and keys.

   To secure your ingress gateway, you need TLS certificates and keys. You can use any certificate generation tool or follow these steps using openssl to create the necessary credentials. The commands below write into the `example_certs` directory, which is where the later steps read the files from.

   - Create a root CA certificate and key:

     ```shell
     mkdir example_certs
     openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=Example Corp/CN=example.com' \
       -keyout example_certs/example.com.key -out example_certs/example.com.crt
     ```

   - Generate a certificate and key for the ingress gateway:

     ```shell
     openssl req -out example_certs/foo.example.com.csr -newkey rsa:2048 -nodes \
       -keyout example_certs/foo.example.com.key -subj "/CN=foo.example.com/O=Foo Org"

     openssl x509 -req -sha256 -days 365 -CA example_certs/example.com.crt \
       -CAkey example_certs/example.com.key -set_serial 0 \
       -in example_certs/foo.example.com.csr -out example_certs/foo.example.com.crt
     ```

Set up a TLS ingress gateway
----------------------------

Before you complete the instructions in this section, you need to determine your control plane implementation. Use the instructions in [Identify control plane implementation](/service-mesh/v1.24/docs/supported-features-managed#identify_control_plane_implementation) to do this.

1. Create the namespace. This namespace is used to deploy the ingress gateway.

   ```shell
   kubectl create namespace ${ASM_INGRESSGATEWAY_NAMESPACE}
   ```

2. Apply the default injection label to the namespace:

   ```shell
   kubectl label namespace ${ASM_INGRESSGATEWAY_NAMESPACE} \
     istio.io/rev- istio-injection=enabled --overwrite
   ```

3. Apply the [ingress gateway manifest file](https://github.com/GoogleCloudPlatform/anthos-service-mesh-samples/blob/main/docs/ingress-gateway-external-lb/ingress-gateway.yaml).

   ```shell
   kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} apply --filename https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/main/docs/ingress-gateway-external-lb/ingress-gateway.yaml
   ```

   Expected output:

   ```
   serviceaccount/asm-ingressgateway created
   role.rbac.authorization.k8s.io/asm-ingressgateway created
   rolebinding.rbac.authorization.k8s.io/asm-ingressgateway created
   deployment.apps/asm-ingressgateway created
   service/asm-ingressgateway created
   poddisruptionbudget.policy/asm-ingressgateway created
   horizontalpodautoscaler.autoscaling/asm-ingressgateway created
   ```

4. Store the TLS credentials in a Kubernetes secret:

   ```shell
   kubectl create -n ${ASM_INGRESSGATEWAY_NAMESPACE} secret tls foo-credential \
     --key=example_certs/foo.example.com.key \
     --cert=example_certs/foo.example.com.crt
   ```

5. Define the ingress gateway. Create a Gateway resource to handle HTTPS traffic on port 443:

   ```shell
   cat <<EOF | kubectl apply -f -
   apiVersion: networking.istio.io/v1
   kind: Gateway
   metadata:
     name: secure-gateway
     namespace: ${ASM_INGRESSGATEWAY_NAMESPACE}
   spec:
     selector:
       app: asm-ingressgateway
       istio: ingressgateway
     servers:
     - port:
         number: 443
         name: https
         protocol: HTTPS
       tls:
         mode: SIMPLE
         credentialName: foo-credential
       hosts:
       - "foo.example.com"
   EOF
   ```

6. Route traffic to the foo service. Define a VirtualService to direct traffic to the foo deployment. Because the VirtualService lives in the gateway namespace, the destination uses the fully qualified name of the `foo` Service; Istio resolves a short name such as `foo` in the namespace of the rule, not in the `foo` namespace:

   ```shell
   cat <<EOF | kubectl apply -f -
   apiVersion: networking.istio.io/v1
   kind: VirtualService
   metadata:
     name: foo-routing
     namespace: ${ASM_INGRESSGATEWAY_NAMESPACE}
   spec:
     hosts:
     - "foo.example.com"
     gateways:
     - secure-gateway
     http:
     - match:
       - uri:
           prefix: /status
       - uri:
           prefix: /delay
       route:
       - destination:
           host: foo.foo.svc.cluster.local
           port:
             number: 8080
   EOF
   ```

7. [Set up the external load balancer](/service-mesh/v1.24/docs/operate-and-maintain/external-lb-gateway#in-cluster) to connect with the ingress gateway from the cluster.

8. Test the secure connection. Use curl to verify the setup:

   ```shell
   export EXTERNAL_LB_IP_ADDRESS=EXTERNAL_LB_IP_ADDRESS
   curl -v -H "Host: foo.example.com" --resolve "foo.example.com:443:$EXTERNAL_LB_IP_ADDRESS" \
     --cacert example_certs/example.com.crt "https://foo.example.com:443/ping"
   ```

   Replace `EXTERNAL_LB_IP_ADDRESS` with the IP address of the external load balancer. Note that the VirtualService in step 6 only routes requests whose path starts with `/status` or `/delay`; for any other path, `/ping` included, the gateway returns a 404 without forwarding to `foo`, so request a matched path or add the path to the `match` list.

   The output is similar to the following:

   ```json
   {
     "cluster_name": "gke-us",
     "host_header": "34.120.175.141",
     "pod_name": "whereami-deployment-954cbf78-mtlpf",
     "pod_name_emoji": "😎",
     "project_id": "my-project",
     "timestamp": "2021-11-29T17:01:59",
     "zone": "us-central1-b"
   }
   ```

What's next
-----------

- Read more about [Installing and upgrading gateways](/service-mesh/v1.24/docs/operate-and-maintain/gateways)

Last updated 2025-09-04 (UTC).
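The certificate generation in step 3 of the environment setup and the curl check in step 8 of the gateway setup, as an added Go example that is not part of this page or of Cloud Service Mesh: it issues a root CA and a leaf certificate with the same subjects as the page's openssl commands, then runs the verification a TLS client performs against the gateway's certificate (chain to the CA, match the hostname). It goes beyond the page's commands by optionally adding a Subject Alternative Name, because Go's verifier (and current browsers) ignore the Common Name, so a certificate issued exactly as the page shows chains correctly but fails hostname verification in Go; the ECDSA P-256 keys and the function names are assumptions of this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Pair struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey } // certificate + its key, as stored in a TLS secret

// Issue creates a one-year certificate (the page's `-days 365`) for subject: a nil parent gives a
// self-signed root CA (the `openssl req -x509` step), otherwise parent signs it (the CSR + `openssl
// x509 -req` step). sans become DNS SubjectAltNames. ECDSA P-256 replaces the page's RSA 2048 for speed.
func Issue(parent *Pair, subject pkix.Name, sans ...string) (*Pair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, DNSNames: sans,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	signer := parent
	if parent == nil { // self-signed root CA: mark it as a CA and let it sign with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer = &Pair{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Pair{Cert: cert, Key: key}, err
}

// VerifyForHost is the check curl performs with --cacert: chain leaf to the root CA and confirm it is
// valid for host. Go ignores the legacy Common Name, so a CN-only leaf like the page's fails here.
func VerifyForHost(leaf, ca *Pair, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	_, err := leaf.Cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A leaf carrying a SAN for `foo.example.com` passes `VerifyForHost`, while the CN-only leaf returns an `x509.HostnameError`; if the clients of the gateway are Go programs or browsers rather than curl, issue the gateway certificate with a SAN.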