Skip to content

TLSRoute API Reference

Introduction

With integration of the Gateway API, AWS Gateway API Controller supports TLSRoute. This allows you to define and manage end-to-end TLS encrypted traffic routing to your Kubernetes clusters.

Considerations

  • TLSRoute sectionName must refer to a TLS protocol listener with mode: Passthrough in the parentRefs Gateway. The tls.mode field must be explicitly set on the listener.
  • TLSRoute only supports exactly one rule.
  • Each rule must have at least one backendRef.
  • TLSRoute does not support any rule matching condition.
  • The hostnames field with exactly one host name is required. IP addresses are not allowed.

Example Configuration

Here is a sample configuration that demonstrates how to set up a TLSRoute resource to route end-to-end TLS encrypted traffic to a nginx service:

apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
  name: nginx-tls-route
spec:
  hostnames:
    - nginx-test.my-test.com
  parentRefs:
    - name: my-hotel-tls-passthrough
      sectionName: tls
  rules:
    - backendRefs:
        - name: nginx-tls
          kind: Service
          port: 443

In this example:

  • The TLSRoute is named nginx-tls-route and is associated with a parent gateway named my-hotel-tls-passthrough that has a listener section named tls: 
        - name: tls
      protocol: TLS
      port: 443
      tls:
        mode: Passthrough
  • The TLSRoute is configured to route traffic to a k8s service named nginx-tls on port 443.
  • The hostnames field is set to nginx-test.my-test.com. The customer must use this hostname to send traffic to the nginx service.

Cross-Cluster Routing with ServiceImport

TLSRoute supports routing to services in other clusters via ServiceImport. The remote cluster must export the service using a ServiceExport with routeType: TLS.

apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
  name: nginx-tls-route
spec:
  hostnames:
    - nginx-test.my-test.com
  parentRefs:
    - name: my-hotel-tls-passthrough
      sectionName: tls
  rules:
    - backendRefs:
        - name: nginx-tls
          kind: ServiceImport

For the detailed tls passthrough traffic connectivity setup, please refer the user guide here.

For the detailed Gateway API TLSRoute resource specifications, you can refer to the Kubernetes official documentation.

For the VPC Lattice tls passthrough Listener configuration details, you can refer to the VPC Lattice documentation.