From 1dbd98cdb78c1c023686b0deeb8dc7950e1c4f93 Mon Sep 17 00:00:00 2001
From: Zijun Wang
Date: Fri, 14 Jun 2024 11:14:20 -0700
Subject: [PATCH] Address PR comments
---
 docs/api-types/tls-route.md | 8 +++---
 docs/guides/tls-passthrough.md | 49 +++++-----------------------------
 2 files changed, 11 insertions(+), 46 deletions(-)
diff --git a/docs/api-types/tls-route.md b/docs/api-types/tls-route.md
index a4cb2791..50569b15 100644
--- a/docs/api-types/tls-route.md
+++ b/docs/api-types/tls-route.md
@@ -7,10 +7,10 @@ This allows you to define and manage end-to-end TLS encrypted traffic routing to
 ### Considerations
-- `TLSRoute` sectionName must refer to an `TLS` protocol listener with `mode: Passthrough` in the parentRefs `Gateway`.
+- `TLSRoute` sectionName must refer to a `TLS` protocol listener with `mode: Passthrough` in the parentRefs `Gateway`.
 - `TLSRoute` only supports to have one rule.
-- `TLSRoute` doesn't support any rule matching condition.
-- The `hostnames` field with exactly one host name is required. This domain name is used as a vpc lattice's Service Name Indication (SNI) match to route the traffic to the correct backend service.
+- `TLSRoute` does not support any rule matching condition.
+- The `hostnames` field with exactly one host name is required.
 ## Example Configuration
@@ -47,7 +47,7 @@ In this example:
 mode: Passthrough
 ```
 - The `TLSRoute` is configured to route traffic to a k8s service named `nginx-tls` on port 443.
-- The `hostnames` field is set to `nginx-test.my-test.com`. The customer must use this domain name to send traffic to the nginx service.
+- The `hostnames` field is set to `nginx-test.my-test.com`. The customer must use this hostname to send traffic to the nginx service.
 For the detailed tls passthrough traffic connectivity setup, please refer the user guide [here](../guides/tls-passthrough.md).
diff --git a/docs/guides/tls-passthrough.md b/docs/guides/tls-passthrough.md
index a9746abd..b771d476 100644
--- a/docs/guides/tls-passthrough.md
+++ b/docs/guides/tls-passthrough.md
@@ -20,7 +20,7 @@ tlsroutes.gateway.networking.k8s.io 2024-03-07T23:16:22Z
 ### 1. Configure TLS Passthrough Listener on Gateway
 ```
-kubectl apply -f files/examples/gateway-tls-passthrough.yaml
+kubectl apply -f files/examples/my-gateway-tls-passthrough.yaml
 ```
 ```
@@ -96,44 +96,12 @@ kubectl get deployment nginx-tls
 NAME READY UP-TO-DATE AVAILABLE AGE
 nginx-tls 2/2 2 2 1d
+# Use the specified TLSRoute hostname to send traffic to the beackend nginx service
 kubectl exec deployments/parking -- curl -kv https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.0
 * Trying 169.254.171.0:443...
 * Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0)
-* ALPN, offering h2
-* ALPN, offering http/1.1
-* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
-* successfully set certificate verify locations:
-* CAfile: /etc/pki/tls/certs/ca-bundle.crt
-* CApath: none
-* TLSv1.2 (OUT), TLS header, Certificate Status (22):
-* TLSv1.2 (OUT), TLS handshake, Client hello (1):
-* TLSv1.2 (IN), TLS handshake, Server hello (2):
-* TLSv1.2 (IN), TLS handshake, Certificate (11):
-* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
-* TLSv1.2 (IN), TLS handshake, Server finished (14):
-* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
-* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.2 (OUT), TLS handshake, Finished (20):
-* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
-* TLSv1.2 (IN), TLS handshake, Finished (20):
-* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
-* ALPN, server accepted to use h2
-* Server certificate:
-* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; emailAddress=liwenwu@amazon.com
-* start date: Mar 5 21:26:24 2024 GMT
-# use customer defined name
-curl -k -v https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.32
-* Added nginx-test.my-test.com:443:169.254.171.32 to DNS cache
-* Hostname nginx-test.my-test.com was found in DNS cache
-* Trying 169.254.171.0:443...
-* Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0)
-* ALPN, offering h2
-* ALPN, offering http/1.1
-* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
-* successfully set certificate verify locations:
-* CAfile: /etc/pki/tls/certs/ca-bundle.crt
-* CApath: none
+....
 * TLSv1.2 (OUT), TLS header, Certificate Status (22):
 * TLSv1.2 (OUT), TLS handshake, Client hello (1):
 * TLSv1.2 (IN), TLS handshake, Server hello (2):
@@ -142,14 +110,11 @@ curl -k -v https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:1
 * TLSv1.2 (IN), TLS handshake, Server finished (14):
 * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
 * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.2 (OUT), TLS handshake, Finished (20):
+* TLSv1.2 (OUT), TLS handshake, Finished (20):
 * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
-* TLSv1.2 (IN), TLS handshake, Finished (20):
+* TLSv1.2 (IN), TLS handshake, Finished (20): <---------- TLS Handshake from client pod to the backend `nginx-tls` pod successfully, no tls termination in the middle
 * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
 * ALPN, server accepted to use h2
-* Server certificate:
-* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; emailAddress=liwenwu@amazon.com
-
 ....

Welcome to nginx!

@@ -174,7 +139,7 @@ kubectl apply -f files/examples/parking.yaml
 kubectl apply -f files/examples/tls-rate1.yaml
 ```
-### 3. Configure ServieExport with TargetGroupPolicy `protocol:TCP` in cluster-2
+### 3. Configure ServiceExport with TargetGroupPolicy `protocol:TCP` in cluster-2
 ```
 # Create tls-rate2 Kubernetes Service in cluster-2
@@ -212,7 +177,7 @@ spec:
 kubectl apply -f files/examples/tls-rate2-import.yaml
 ```
-### 5. Configure TLSRoute for bluegreen deployment
+### 5. Configure TLSRoute for blue/green deployment
 ```
 kubectl apply -f files/examples/rate-tlsroute-bluegreen.yaml