I'm trying to route TCP (MQTT) traffic over TLS using the Kubernetes Gateway API. With the configurations below, I can route plain TCP and HTTPS traffic.
Add CLI arguments to enable the gateway:

  - "--experimental.kubernetesgateway=true"
  - "--providers.kubernetesgateway=true"
  - "--entrypoints.mqtt.address=:1883/tcp"   # TCP
  - "--entrypoints.mqtts.address=:8883/tcp"  # TLS
Create a LoadBalancer Service for the gateway ports:

apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: traefik
  name: traefik-gateway
  namespace: kube-system
spec:
  ports:
    - name: tcp
      port: 1883
      protocol: TCP
      targetPort: 1883
    - name: tls
      port: 8883
      protocol: TCP
      targetPort: 8883
  selector:
    app.kubernetes.io/name: traefik
  type: LoadBalancer
Create a GatewayClass and a Gateway:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: traefik
spec:
  controllerName: traefik.io/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: traefik-mqtt
spec:
  gatewayClassName: traefik
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      name: mqtt-tcp
      port: 1883
      protocol: TCP
    - allowedRoutes:
        namespaces:
          from: All
      hostname: mqtt.mydomain.com
      name: mqtt-tls
      port: 8883
      protocol: TLS
      tls:
        mode: Terminate
        certificateRefs:
          - group: core
            kind: Secret
            name: mqtt-tls
Create two TCPRoutes, one for plain TCP and another for the terminated TLS listener:

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: mqtt-tcp
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: traefik-mqtt
      sectionName: mqtt-tcp
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: emqx
          port: 1883
          weight: 1
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: mqtt-tls
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: traefik-mqtt
      sectionName: mqtt-tls
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: emqx
          port: 1883
          weight: 1
I can now publish a message on TCP port 1883:

  mosquitto_pub -h mqtt.mydomain.com -p 1883 -t greet -m hello -d

But changing the port to 8883 (TLS) doesn't work. Instead, it gets stuck at:

  Client (null) sending CONNECT
What am I missing here?
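A small diagnostic, added here and not part of the original post, that separates the two ways the 8883 path can stall: the TLS handshake with the gateway (certificate and SNI against the listener's hostname) versus the MQTT exchange behind it. It sends a minimal MQTT 3.1.1 CONNECT and waits for a CONNACK; the hostname `mqtt.mydomain.com` comes from the post, while the `cafile` path and the `probe` client ID are assumptions.

```python
import socket
import ssl
import struct


def mqtt_connect_packet(client_id: str = "probe", keepalive: int = 30) -> bytes:
    """Build a minimal MQTT 3.1.1 CONNECT packet (clean session, no credentials)."""
    def utf8(s: str) -> bytes:
        raw = s.encode()
        return struct.pack(">H", len(raw)) + raw
    # Variable header: protocol name, level 4 (3.1.1), flags (clean session), keepalive
    variable = utf8("MQTT") + bytes([4, 0x02]) + struct.pack(">H", keepalive)
    body = variable + utf8(client_id)
    assert len(body) < 128  # single-byte remaining-length encoding is enough here
    return bytes([0x10, len(body)]) + body


def parse_connack(data: bytes):
    """Return the CONNACK return code (0 = accepted), or None if data is not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 2:
        return None
    return data[3]


def probe(host: str, port: int, sni: str, cafile=None, use_tls=True, timeout=5):
    """Connect, optionally wrap in TLS with the given SNI, send CONNECT and read CONNACK."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(sock, server_hostname=sni)
            # Handshake succeeded: the gateway terminated TLS and presented a trusted cert.
            print("TLS ok:", sock.version(), sock.getpeercert().get("subject"))
        sock.sendall(mqtt_connect_packet())
        return parse_connack(sock.recv(4))
    except socket.timeout:
        # No CONNACK at all: either plaintext was sent to a TLS listener, or the
        # listener terminated TLS but nothing was forwarded to the broker.
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    # Assumed CA file for the certificate stored in the mqtt-tls Secret.
    print("CONNACK:", probe("mqtt.mydomain.com", 8883, "mqtt.mydomain.com", cafile="ca.crt"))
```

A handshake error points at the listener (certificate, hostname or SNI mismatch); a clean handshake followed by `None` points at what happens after termination.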