Proxy TCP traffic over TLS by SNI
Create a TCPRoute resource, which will then be converted in to a Kong Gateway Service and Route. TLS passthrough is not supported using TCPIngress.
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Enable the Gateway API
-
Install the experimental Gateway API CRDs before installing Kong Ingress Controller:
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml -
Create a
GatewayandGatewayClassinstance to use.
echo "
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: kong
annotations:
konghq.com/gatewayclass-unmanaged: 'true'
spec:
controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: kong
spec:
gatewayClassName: kong
listeners:
- name: proxy
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: All
" | kubectl apply -n kong -f -
Create a KIC Control Plane
Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:
CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "My KIC CP",
"cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
}')
We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:
CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')
Create mTLS certificates
Kong Ingress Controller talks to Konnect over a connected secured with TLS certificates.
Generate a new certificate using openssl:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
The certificate needs to be a single line string to send it to the Konnect API with curl. Use awk to format the certificate:
export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);
Next, upload the certificate to Konnect:
curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"cert": "'$CERT'"
}'
Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:
kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key
Kong Ingress Controller running
-
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com helm repo update -
Install Kong Ingress Controller using Helm:
helm install kong kong/ingress -n kong --create-namespace --set controller.ingressController.env.feature_gates="GatewayAlpha=true" -
Set
$PROXY_IPas an environment variable for future commands:export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}') echo $PROXY_IP
Required Kubernetes resources
This how-to requires some Kubernetes services to be available in your cluster. These services will be used by the resources created in this how-to.
kubectl apply -f https://developer.konghq.com/manifests/kic/echo-service.yaml -n kong
Expose additional ports
Kong Gateway doesn’t include any TCP listen configuration by default. To expose TCP listens, update the Deployment’s environment variables and port configuration.
-
Set the
KONG_STREAM_LISTENenvironment variable and expose port9443in the Deployment:kubectl patch deploy -n kong kong-gateway --patch '{ "spec": { "template": { "spec": { "containers": [ { "name": "proxy", "env": [ { "name": "KONG_STREAM_LISTEN", "value": "0.0.0.0:9443 ssl" } ], "ports": [ { "containerPort": 9443, "name": "stream9443", "protocol": "TCP" } ] } ] } } } }'The
sslparameter after the 9443 listener instructs Kong Gateway to expect TLS-encrypted TCP traffic on that port. -
Update the proxy Service to indicate the new ports:
kubectl patch service -n kong kong-gateway-proxy --patch '{ "spec": { "ports": [ { "name": "stream9443", "port": 9443, "protocol": "TCP", "targetPort": 9443 } ] } }'
Generate a TLS certificate
-
Create a test certificate for the
tls9443.kong.examplehostname. This will be used to secure TLS traffic.Older OpenSSL versions, including the version provided with macOS Monterey, require using the alternative version of this command.
-
Create a Secret containing the certificate:
kubectl create secret -n kong tls tls9443.kong.example --cert=./server.crt --key=./server.key
Attach the TLS certificate to the echo service
The echo service does not listen on the TLS port by default as it requires a certificate stored in a Kubernetes Secret. Patch the echo deployment to mount the Secret in the pod and set the TLS_CERT_FILE and TLS_KEY_FILE environment variables to allow the echo service to terminate TLS:
kubectl patch -n kong --type=json deployment echo -p='[
{
"op":"add",
"path":"/spec/template/spec/containers/0/env/-",
"value":{
"name": "TLS_PORT",
"value": "1030"
}
},
{
"op":"add",
"path":"/spec/template/spec/containers/0/env/-",
"value":{
"name": "TLS_CERT_FILE",
"value": "/var/run/certs/tls.crt"
}
},
{
"op":"add",
"path":"/spec/template/spec/containers/0/env/-",
"value":{
"name": "TLS_KEY_FILE",
"value": "/var/run/certs/tls.key"
}
},
{
"op":"add",
"path":"/spec/template/spec/containers/0/volumeMounts",
"value":[{
"mountPath": "/var/run/certs",
"name": "secret-test",
"readOnly": true
}]
},
{
"op":"add",
"path":"/spec/template/spec/volumes",
"value":[{
"name": "secret-test",
"secret": {
"defaultMode": 420,
"secretName": "tls9443.kong.example"
}
}]
}
]'
Route TCP traffic
To reconcile the TLSRoute, configure an additional TLS listener on your Gateway resource:
kubectl patch -n kong --type=json gateway kong -p='[
{
"op":"add",
"path":"/spec/listeners/-",
"value":{
"name":"stream9443",
"port":9443,
"protocol":"TLS",
"hostname":"tls9443.kong.example",
"allowedRoutes": {
"namespaces": {
"from": "All"
}
},
"tls": {
"mode": "Passthrough",
"certificateRefs":[{
"group":"",
"kind":"Secret",
"name":"tls9443.kong.example"
}]
}
}
}
]'
Next, create a TLSRoute:
echo "apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: echo-tls
namespace: kong
spec:
parentRefs:
- name: kong
sectionName: stream9443
hostnames:
- tls9443.kong.example
rules:
- backendRefs:
- name: echo
port: 1030
" | kubectl apply -f -
This configuration instructs Kong Gateway to forward all traffic it receives on port 9000 to the echo service on port 1030.
Validate your configuration
You can now access the echo service on port 9443 with SNI tls9443.kong.example.
In real-world usage, you would create a DNS record for tls9443.kong.example pointing to your proxy Service’s public IP address, which causes TLS clients to add a SNI automatically. For this demo, add it manually using the OpenSSL CLI.
echo "hello" | openssl s_client -connect $PROXY_IP:9443 -servername tls9443.kong.example -quiet 2>/dev/null
Press Ctrl+C to exit.
The results should look like this:
Welcome, you are connected to node kind-control-plane.
Running on Pod echo-5f44d4c6f9-krnhk.
In namespace default.
With IP address 10.244.0.26.
hello
Cleanup
Delete created Kubernetes resources
kubectl delete -n kong -f https://developer.konghq.com/manifests/kic/echo-service.yaml
Uninstall KIC from your cluster
helm uninstall kong -n kong