serviceaccount/asm-ingressgateway created
role.rbac.authorization.k8s.io/asm-ingressgateway created
rolebinding.rbac.authorization.k8s.io/asm-ingressgateway created
deployment.apps/asm-ingressgateway created
service/asm-ingressgateway created
poddisruptionbudget.policy/asm-ingressgateway created
horizontalpodautoscaler.autoscaling/asm-ingressgateway created
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[],[],null,["# Set up TLS termination in ingress gateway\n=========================================\n\n| **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information see, [Cloud Service Mesh overview](/service-mesh/v1.24/docs/overview).\n\nOverview\n--------\n\nThis page demonstrates how to set up a TLS termination in ingress gateway in\nCloud Service Mesh to manage external HTTPS traffic to your services.\nYou will learn how to configure the gateway for secure communication using TLS,\nenabling encrypted access to your applications. This process leverages Cloud Service Mesh capabilities to expose services like securely.\n\nBefore you begin\n----------------\n\nTo complete the steps in this document you need the following resources:\n\n- A Kubernetes cluster with Cloud Service Mesh installed.\n\nSet up your environment\n-----------------------\n\nRun the following commands from a workstation that can access the cluster you\nintend to use. Make sure that the `kubectl` tool is configured to use the\ncluster context specific to your cluster.\n\n1. Set the environment variables.\n\n export ASM_INGRESSGATEWAY_NAMESPACE=asm-ingressgateway\n export ASM_INGRESSGATEWAY_DEPLOYMENT_NAME=asm-ingressgateway\n export ASM_INGRESSGATEWAY_SERVICE_NAME=asm-ingressgateway\n\n2. The foo application deployed in your cluster. Install it with:\n\n apiVersion: v1\n kind: Service\n metadata:\n name: foo\n namespace: foo\n spec:\n selector:\n app: test-backend\n ports:\n - port: 8080\n targetPort: 8080\n ---\n apiVersion: apps/v1\n kind: Deployment\n metadata:\n name: foo\n namespace: foo\n spec:\n replicas: 2\n selector:\n matchLabels:\n app: test-backend\n template:\n metadata:\n labels:\n app: test-backend\n spec:\n containers:\n - name: whereami\n image: gcr.io/google-samples/whereami:v1.2.23\n ports:\n - containerPort: 8080\n EOF\n\n3. Generate certificates and keys\n\nTo secure your ingress gateway, you will need TLS certificates and keys. You can\nuse any certificate generation tool or follow these steps using openssl to\ncreate the necessary credentials.\n\n- Create a root CA certificate and key\n\n mkdir example_certs\n openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=Example Corp/CN=example.com' \\\n -keyout example.com.key -out example.com.crt\n\n- Generate a certificate and key for ingress\n\n openssl req -out foo.example.com.csr -newkey rsa:2048 -nodes \\\n -keyout foo.example.com.key -subj \"/CN=foo.example.com/O=Foo Org\"\n\n openssl x509 -req -sha256 -days 365 -CA example.com.crt \\\n -CAkey example.com.key -set_serial 0 \\\n -in foo.example.com.csr -out foo.example.com.crt\n\nSet up a TLS ingress gateway\n----------------------------\n\nBefore you complete the instructions in this section, you'll need to determine your control plane implementation. Use the instructions in\n[Identify control plane implementation](/service-mesh/v1.24/docs/supported-features-managed#identify_control_plane_implementation) to do this.\n\n1. Create the namespace. This namespace is used to deploy the ingress\n gateway.\n\n kubectl create namespace ${ASM_INGRESSGATEWAY_NAMESPACE}\n\n2. Apply the default injection label to the namespace:\n\n kubectl label namespace ${ASM_INGRESSGATEWAY_NAMESPACE} \\\n istio.io/rev- istio-injection=enabled --overwrite\n\n3. Apply the [ingress gateway manifest file](https://github.com/GoogleCloudPlatform/anthos-service-mesh-samples/blob/main/docs/ingress-gateway-external-lb/ingress-gateway.yaml).\n\n kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} apply --filename https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/main/docs/ingress-gateway-external-lb/ingress-gateway.yaml\n\n Expected output: \n\n serviceaccount/asm-ingressgateway created\n role.rbac.authorization.k8s.io/asm-ingressgateway created\n rolebinding.rbac.authorization.k8s.io/asm-ingressgateway created\n deployment.apps/asm-ingressgateway created\n service/asm-ingressgateway created\n poddisruptionbudget.policy/asm-ingressgateway created\n horizontalpodautoscaler.autoscaling/asm-ingressgateway created\n\n4. Store the TLS credentials in a Kubernetes secret:\n\n kubectl create -n ${ASM_INGRESSGATEWAY_NAMESPACE} secret tls foo-credential \\\n --key=example_certs/foo.example.com.key \\\n --cert=example_certs/foo.example.com.crt\n\n5. Define the ingress gateway: Create a Gateway resource to handle HTTPS traffic\n on port 443:\n\n cat \u003c\u003cEOF | kubectl apply -f -\n apiVersion: networking.istio.io/v1\n kind: Gateway\n metadata:\n name: secure-gateway\n namespace: ${ASM_INGRESSGATEWAY_NAMESPACE}\n spec:\n selector:\n app: asm-ingressgateway\n istio: ingressgateway\n servers:\n - port:\n number: 443\n name: https\n protocol: HTTPS\n tls:\n mode: SIMPLE\n credentialName: foo-credential\n hosts:\n - \"foo.example.com\"\n EOF\n\n6. Route traffic to the foo service: Define a VirtualService to direct\n traffic to the foo deployment:\n\n cat \u003c\u003cEOF | kubectl apply -f -\n apiVersion: networking.istio.io/v1\n kind: VirtualService\n metadata:\n name: foo-routing\n namespace: ${ASM_INGRESSGATEWAY_NAMESPACE}\n spec:\n hosts:\n - \"foo.example.com\"\n gateways:\n - secure-gateway\n http:\n - match:\n - uri:\n prefix: /status\n - uri:\n prefix: /delay\n route:\n - destination:\n host: foo\n port:\n number: 8080\n EOF\n\n7. [Set up the external load balancer](/service-mesh/v1.24/docs/operate-and-maintain/external-lb-gateway#in-cluster) to connect with the ingress gateway from\n the cluster\n\n8. Test the secure connection: Use curl to verify the setup:\n\n export EXTERNAL_LB_IP_ADDRESS=\u003cvar translate=\"no\"\u003eEXTERNAL_LB_IP_ADDRESS\u003c/var\u003e\n curl -v -H \"Host: foo.example.com\" --resolve \"foo.example.com:443:$EXTERNAL_LB_IP_ADDRESS\" \\\n --cacert example_certs/example.com.crt \"https://foo.example.com:443/ping\"\n\nReplace `EXTERNAL_LB_IP_ADDRESS` with ip of external load balancer.\n\nThe output is similar to the following: \n\n {\n \"cluster_name\": \"gke-us\",\n \"host_header\": \"34.120.175.141\",\n \"pod_name\": \"whereami-deployment-954cbf78-mtlpf\",\n \"pod_name_emoji\": \"😎\",\n \"project_id\": \"my-project\",\n \"timestamp\": \"2021-11-29T17:01:59\",\n \"zone\": \"us-central1-b\"\n }\n\nWhat's next\n-----------\n\n- Read more about [Installing and upgrading gateways](/service-mesh/v1.24/docs/operate-and-maintain/gateways)"]]
