-
To secure multiple domains, configure separate listeners for each domain with their respective certificates as shown in the following example:
apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: tls-basic namespace: openshift-ingress spec: gatewayClassName: openshift-default listeners: - name: app1-https protocol: HTTPS port: 443 hostname: app1.example.com tls: mode: Terminate certificateRefs: - kind: Secret group: "" name: app1-example-com-cert - name: app2-https protocol: HTTPS port: 443 hostname: app2.example.com tls: mode: Terminate certificateRefs: - kind: Secret group: "" name: app2-example-com-cert -
To secure wildcard domains, configure a single listener with a wildcard certificate:
apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: wildcard-gateway namespace: openshift-ingress spec: gatewayClassName: openshift-default listeners: - name: wildcard-https protocol: HTTPS port: 443 hostname: "+++*+++.example.com" tls: mode: Terminate certificateRefs: - kind: Secret group: "" name: wildcard-certYou can configure both specific domain listeners and wildcard listeners on the same
GatewayCR. Specific matches happen before wildcard matches, so a request toapp1.example.comuses the specific certificate rather than the wildcard certificate. -
To secure all domains, configure a listener that listens for all routes regardless of hostname as shown in the following example:
apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: default-gateway namespace: openshift-ingress spec: gatewayClassName: openshift-default listeners: - name: all-https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: - kind: Secret group: "" name: default-cert -
To use a
Secretobject in a different namespace, configure your listener and create a correspondingReferenceGrantCR as shown in the following example:apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: cross-namespace-example namespace: example-ns1 spec: gatewayClassName: openshift-default listeners: - name: https protocol: HTTPS port: 443 hostname: "+++*+++.example.com" tls: mode: Terminate certificateRefs: - kind: Secret group: "" name: wildcard-cert namespace: example-ns2 --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: allow-ns1-reference namespace: example-ns2 spec: from: - group: gateway.networking.k8s.io kind: Gateway namespace: example-ns1 to: - group: "" kind: SecretUnlike standard OKD routes that use namespace-wide annotations for cross-namespace permissions, Gateway API uses the
ReferenceGrantCR to authorize access. ThisReferenceGrantCR gives access from theGatewayCR in one namespace to theSecretobject in another namespace.