Before you begin

  1. Follow the Get started guide to install Gloo Gateway.

  2. Set up the Gloo UI.

  3. Make sure that you have the OpenSSL version of openssl, not LibreSSL. The openssl version must be at least 1.1.

    1. Check your openssl version. If you see LibreSSL in the output, continue to the next step.
        openssl version
        
    2. Install the OpenSSL version (not LibreSSL). For example, you might use Homebrew.
        brew install openssl
        
    3. Review the output of the OpenSSL installation for the path of the binary file. You can choose to export the binary to your path, or call the entire path whenever the following steps use an openssl command.
      • For example, openssl might be installed along the following path: /usr/local/opt/openssl@3/bin/
      • To run commands, you can append the path so that your terminal uses this installed version of OpenSSL, and not the default LibreSSL.
            /usr/local/opt/openssl@3/bin/openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650...

Create a TLS certificate

Create a TLS certificate that you use to secure your HTTPS listener.

  1. Create a directory to store your TLS credentials in.

      mkdir example_certs
      
  2. Create a self-signed root certificate. The following command creates a root certificate that is valid for a year and can serve any hostname. You use this certificate to sign the server certificate for the gateway later. For other command options, see the OpenSSL docs.

      # root cert
      openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=any domain/CN=*' -keyout example_certs/root.key -out example_certs/root.crt
      
  3. Use the root certificate to sign the gateway certificate.

      openssl req -out example_certs/gateway.csr -newkey rsa:2048 -nodes -keyout example_certs/gateway.key -subj "/CN=*/O=any domain"
      openssl x509 -req -sha256 -days 365 -CA example_certs/root.crt -CAkey example_certs/root.key -set_serial 0 -in example_certs/gateway.csr -out example_certs/gateway.crt
      
  4. Create a Kubernetes secret to store your server TLS certificate. You create the secret in the same cluster and namespace that the gateway is deployed to. Optionally, you can label the secret to make it easier to refer to later.

      kubectl create secret tls -n gloo-system https \
        --key example_certs/gateway.key \
        --cert example_certs/gateway.crt
      kubectl label secret https gateway=https --namespace gloo-system
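
Before you store the key pair in the secret in step 4, you can confirm that the files from steps 2 and 3 are consistent. The following script is an added example, not part of the Gloo Gateway documentation; the function names `check_gateway_cert` and `make_constructed_certs` and the one-day default threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Gloo docs): pre-flight checks for the files
# created in "Create a TLS certificate", run before `kubectl create secret tls`.

# check_gateway_cert DIR [MIN_SECONDS_LEFT]
# Exit status: 0 ok, 1 not signed by root, 2 key/cert mismatch, 3 expiring.
check_gateway_cert() {
  cg_dir=$1
  cg_min=${2:-86400}   # assumption: require at least one day of validity

  # 1. The gateway certificate must verify against the root certificate.
  openssl verify -CAfile "$cg_dir/root.crt" "$cg_dir/gateway.crt" >/dev/null 2>&1 || {
    echo "FAIL: gateway.crt does not chain to root.crt" >&2; return 1; }

  # 2. The public key in the certificate must equal the one derived from
  #    gateway.key; otherwise the pair cannot be used together for TLS.
  cg_cert_pub=$(openssl x509 -in "$cg_dir/gateway.crt" -noout -pubkey 2>/dev/null)
  cg_key_pub=$(openssl pkey -in "$cg_dir/gateway.key" -pubout 2>/dev/null)
  if [ -z "$cg_cert_pub" ] || [ "$cg_cert_pub" != "$cg_key_pub" ]; then
    echo "FAIL: gateway.key is not the private key for gateway.crt" >&2; return 2
  fi

  # 3. The certificate must stay valid for at least MIN_SECONDS_LEFT seconds.
  openssl x509 -in "$cg_dir/gateway.crt" -noout -checkend "$cg_min" >/dev/null || {
    echo "FAIL: gateway.crt expires within $cg_min seconds" >&2; return 3; }

  echo "OK: $(openssl x509 -in "$cg_dir/gateway.crt" -noout -enddate)"
}

# make_constructed_certs DIR
# Constructed sample input: a throwaway root and gateway pair generated with
# the same openssl commands as the guide, so the check can be tried offline.
make_constructed_certs() {
  mkdir -p "$1" &&
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=any domain/CN=*' -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
  openssl req -out "$1/gateway.csr" -newkey rsa:2048 -nodes \
    -keyout "$1/gateway.key" -subj '/CN=*/O=any domain' 2>/dev/null &&
  openssl x509 -req -sha256 -days 365 -CA "$1/root.crt" -CAkey "$1/root.key" \
    -set_serial 0 -in "$1/gateway.csr" -out "$1/gateway.crt" 2>/dev/null
}

# Usage after step 3 of the guide: check_gateway_cert example_certs
```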
      

Expose the UI on a gateway

  1. Create a Gateway resource and configure an HTTPS listener.

      kubectl apply -f- <<EOF
      apiVersion: gateway.networking.k8s.io/v1
      kind: Gateway
      metadata:
        name: https-ui
        namespace: gloo-system
        labels:
          gateway: https-ui
      spec:
        gatewayClassName: gloo-gateway-v2
        listeners:
          - name: https
            port: 443
            protocol: HTTPS
            hostname: ui.example.com
            tls:
              mode: Terminate
              certificateRefs:
                - name: https
                  kind: Secret
            allowedRoutes:
              namespaces:
                from: All
      EOF
      
  2. Create an HTTPRoute that routes incoming traffic on the / path prefix to the gloo-mesh-ui service, and attach it to the HTTPS gateway.

      kubectl apply -f- <<EOF
      apiVersion: gateway.networking.k8s.io/v1
      kind: HTTPRoute
      metadata:
        name: gloo-mesh-ui-http
        namespace: gloo-system
        labels:
          gateway: https-ui
      spec:
        parentRefs:
          - name: https-ui
            namespace: gloo-system
        rules:
          - backendRefs:
              # Reference the backend Service by name; kind defaults to Service.
              - name: gloo-mesh-ui
                port: 8090
            matches:
              - path:
                  type: PathPrefix
                  value: /
      EOF
      
  3. To verify that the Gloo UI is reachable, send a request along the secured path.

  4. To access the Gloo UI with your web browser, edit the /etc/hosts file on your local machine to map the IP address of the gateway proxy to the ui.example.com domain.

    1. Open the /etc/hosts file.

        sudo nano /etc/hosts
        
    2. Map the gateway proxy IP address to the ui.example.com domain. To retrieve the IP address that is assigned to your load balancer hostname, use dig +short $INGRESS_GW_ADDRESS | head -n1.

        <IP address or 127.0.0.1 for localhost>  ui.example.com
        
    3. Open the Gloo UI in your web browser.

        open https://ui.example.com:8443
        

Cleanup

You can optionally remove the resources that you set up as part of this guide.

  1. Remove the HTTPRoute and Gateway.

      kubectl delete httproute,gateway -A -l gateway=https-ui
      
  2. Remove the Kubernetes secret that holds the TLS certificate.

      kubectl delete secret https -n gloo-system
      
  3. Remove the example_certs directory that stores your TLS credentials.

      rm -rf example_certs