Skip to content

Commit

Permalink
Address PR comments
Browse files Browse the repository at this point in the history
  • Loading branch information
Zijun Wang committed Jun 14, 2024
1 parent 15509b9 commit f0c8b08
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 40 deletions.
8 changes: 4 additions & 4 deletions docs/api-types/tls-route.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,10 @@ This allows you to define and manage end-to-end TLS encrypted traffic routing to

### Considerations

- `TLSRoute` sectionName must refer to an `TLS` protocol listener with `mode: Passthrough` in the parentRefs `Gateway`.
- `TLSRoute` sectionName must refer to a `TLS` protocol listener with `mode: Passthrough` in the parentRefs `Gateway`.
- `TLSRoute` only supports to have one rule.
- `TLSRoute` doesn't support any rule matching condition.
- The `hostnames` field with exactly one host name is required. This domain name is used as a vpc lattice's Service Name Indication (SNI) match to route the traffic to the correct backend service.
- `TLSRoute` does not support any rule matching condition.
- The `hostnames` field with exactly one host name is required.


## Example Configuration
Expand Down Expand Up @@ -47,7 +47,7 @@ In this example:
mode: Passthrough
```
- The `TLSRoute` is configured to route traffic to a k8s service named `nginx-tls` on port 443.
- The `hostnames` field is set to `nginx-test.my-test.com`. The customer must use this domain name to send traffic to the nginx service.
- The `hostnames` field is set to `nginx-test.my-test.com`. The customer must use this hostname to send traffic to the nginx service.


For the detailed tls passthrough traffic connectivity setup, please refer the user guide [here](../guides/tls-passthrough.md).
Expand Down
42 changes: 6 additions & 36 deletions docs/guides/tls-passthrough.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ tlsroutes.gateway.networking.k8s.io 2024-03-07T23:16:22Z
### 1. Configure TLS Passthrough Listener on Gateway

```
kubectl apply -f files/examples/gateway-tls-passthrough.yaml
kubectl apply -f files/examples/my-gateway-tls-passthrough.yaml
```

```
Expand Down Expand Up @@ -96,6 +96,7 @@ kubectl get deployment nginx-tls
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-tls 2/2 2 2 1d
# Use the specified TLSRoute hostname to send traffic to the beackend nginx service
kubectl exec deployments/parking -- curl -kv https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.0
* Trying 169.254.171.0:443...
Expand All @@ -114,42 +115,11 @@ kubectl exec deployments/parking -- curl -kv https://nginx-test.my-test.com -
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20): <---------- TLS Handshake from client pod to the backend `nginx-tls` pod successfully, no tls termination in the middle
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; [email protected]
* start date: Mar 5 21:26:24 2024 GMT
# use customer defined name
curl -k -v https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.32
* Added nginx-test.my-test.com:443:169.254.171.32 to DNS cache
* Hostname nginx-test.my-test.com was found in DNS cache
* Trying 169.254.171.0:443...
* Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; [email protected]
....
<body>
<h1>Welcome to nginx!</h1>
Expand All @@ -174,7 +144,7 @@ kubectl apply -f files/examples/parking.yaml
kubectl apply -f files/examples/tls-rate1.yaml
```

### 3. Configure ServieExport with TargetGroupPolicy `protocol:TCP` in cluster-2
### 3. Configure ServiceExport with TargetGroupPolicy `protocol:TCP` in cluster-2

```
# Create tls-rate2 Kubernetes Service in cluster-2
Expand Down Expand Up @@ -212,7 +182,7 @@ spec:
kubectl apply -f files/examples/tls-rate2-import.yaml
```

### 5. Configure TLSRoute for bluegreen deployment
### 5. Configure TLSRoute for blue/green deployment

```
kubectl apply -f files/examples/rate-tlsroute-bluegreen.yaml
Expand Down

0 comments on commit f0c8b08

Please sign in to comment.