Secure service using SSL on EnRoute Standalone Gateway

January 21, 2021

EnRoute Universal Gateway

EnRoute Universal Gateway is a flexible API gateway built to support traditional and cloud-native use cases. It is designed to run as a Kubernetes Ingress Gateway, a Standalone Gateway, a horizontally scaling L7 API gateway, or a mesh of gateways. EnRoute can support a wide range of [topologies](/blog/enroute-topologies/). Depending on the needs of the user, the environment and the application, one or more of these deployments can be used.

A consistent policy framework across all these network components makes the EnRoute Universal Gateway a versatile and powerful solution.

This article covers how to get started with the EnRoute Standalone Gateway.

To get a more detailed understanding of EnRoute Universal Gateway, refer to the article here.

What this article covers

Setting up the EnRoute gateway is shown in four simple steps. This article is the second step, where an SSL certificate is attached to a service object so that the gateway terminates SSL traffic.

Create SSL Certificate

We use openssl to create a self-signed certificate and private key for enroute.local; the gateway will present this certificate when terminating SSL in this example.

    openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 \
        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=enroute.local" \
        -keyout enroute.local.key -out enroute.local.cert

You can inspect the certificate with:

    openssl x509 -in enroute.local.cert -text -noout

Create secret

The secret object holds the created key and certificate. A secret object can be associated with a service object.

Create the secret object

curl -s -X POST localhost:1323/secret -d "Secret_Name"="enroute_secret"

Populate the key in the secret object with the key created in the earlier step.

curl -s -X POST localhost:1323/secret/enroute_secret/key -F Secret_key=@enroute.local.key

Populate the cert in the secret object with the cert created in the earlier step.

curl -s -X POST localhost:1323/secret/enroute_secret/cert -F Secret_cert=@enroute.local.cert

Show secret object

curl -s localhost:1323/secret
{
  "data": {
    "saaras_db_secret": [
      {
        "secret_name": "enroute_secret",
        "secret_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCzYQxOQ52N47Ls\nUaTY11OrM5LrTwchE9R2DHXjGMYM3nI7j8cAOQP+S1/9nZXqBSa5PH0rt0AZFMj3\nhoZb6TZJpuguaVTEc80NL+peFeKAwxx7Em1vQz38QRfmxL0TIkCG4rKeGCmVeoLq\nBCLasWhzNYUh0lXBCWP6tRSEddV/6dcGvI3mkriKcKkFzkCXt1fkKogQy8/69Ees\n6AI2l5HpUw+opvLDoyHi7/Nw0ElZQZ2e7T763LqBk6dsX16v1MSI4CFJLo8EPcJu\ndnOTOSnnX5chGDV4qGG/AcWIyLhMWiKllywJAys3/GL1xCTJmfREnpGExVfhpRgk\ny8M6pZpvAgMBAAECggEAUbcRIwocWQn0dUFQJlQZUnFhKX7L0Z6197z/ax/bAPvI\n8Cc0UX6nug1eQiuqonwMQvAyWVrWgVZ9on0O8gnQaEb3mET1j7TtIWfFjWzMzTmU\n3N/tKHVqZGLG36KaO4AsAwZ8thZtwyGXR8Hwms2ctncYGes2k4SSniAlo54GT4lT\nv8/jIZjnYfo49c4vjwCUlaQR2gPJpXinJFuGw0ubM6/nljEpWnQP+NnxBRcg9qI/\ndg5GJrO3e8FGwN/wTkT4P2ARMhrsFM6annzXupol2jJ4+uApMLH76ACx6Zs1IyFe\nihii6ddaBNepSr7n7Tw8qk6SXizIwE8t3G5TDP4C4QKBgQDuw9UomdmeTi0XASay\n6033f3ns6S0xxgW3WdrCGa8Pu46QufjC1jf77zzU3JVELlqaoNJWg4juGtv9lhKC\nMexPU05kOyh2a0pjs2gaUCdQimhceV89rskkR5P4ZxC7sWt921te3+xGSJyXP9L5\nfIfcj2PDSfydHEXcZEpuPAsYcQKBgQDAU9EEGbYeXpVmaBhPAeR0MMopy6Qb15n3\n4/fl8Sx3ys4dSC1zC6ZPgY2QInEkyxyabdzKZQNDNZYFLKI9Iuj+XlKQLnYQXjUi\niyUR6oB8TFG+MqZeYOGGP9VeQdseq36MaGtqxPfSCww5jNU32nNBF/3x0S81FuJq\n36xFNthQ3wKBgBnmSkgGMFH4vvFg4ZbE6YcwX8RwIsPkbBhQeedWK+Qz/yn50l8o\nJ5h/ggTBDLwBnzhou4hA6miRp01hqw5OZgjQy48Zz7DQwJgCDQfVq/4TlXB6hfdF\n73GtBgMLAwipHTTgx4+KELIrDDln5fXEKWSmdTbo3qsYNwfKJTzB7J4xAoGBAJR1\n3sl4g3GL9212exU507yxEM0UihiH5C1LR0ezVG0gGtzVo2fEHVwQGFOjko0hUHIQ\nzjdZpBwUWDqkSpRAx3PbIYZ0puRZpFCG8lWTHB1W2F6mQHBn/o6f5bd9xIQ3Q1dl\nH03qv5Xeu1ANW2Vi9kbQG1G39OXZRWvUPumqvW4nAoGBAKs0TMp552/bDY0NNKC4\nrKKGRwdKSnOOmtZ0LEswrg3JZ954xc/34MW0tE075f6sh9f4lyDEEtv2M3kd/XHc\ntgT2E+WptvlYjBJgYvttOHIhUR7q/3moSQT3DXgmarFMIs6vi09yDQ/NRhjpzslp\nbkg3EYj0bFap3zLPztVKdV3M\n-----END PRIVATE KEY-----\n",
        "secret_cert": "-----BEGIN CERTIFICATE-----\nMIIDfTCCAmWgAwIBAgIJAJR+zXbCQrERMA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV\nBAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww\nCgYDVQQKDANEaXMxEDAOBgNVBAMMB2Vucm91dGUwIBcNMjEwMTI1MDUzODI4WhgP\nMjEyMTAxMDEwNTM4MjhaMFQxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwx\nFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQwwCgYDVQQKDANEaXMxEDAOBgNVBAMMB2Vu\ncm91dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzYQxOQ52N47Ls\nUaTY11OrM5LrTwchE9R2DHXjGMYM3nI7j8cAOQP+S1/9nZXqBSa5PH0rt0AZFMj3\nhoZb6TZJpuguaVTEc80NL+peFeKAwxx7Em1vQz38QRfmxL0TIkCG4rKeGCmVeoLq\nBCLasWhzNYUh0lXBCWP6tRSEddV/6dcGvI3mkriKcKkFzkCXt1fkKogQy8/69Ees\n6AI2l5HpUw+opvLDoyHi7/Nw0ElZQZ2e7T763LqBk6dsX16v1MSI4CFJLo8EPcJu\ndnOTOSnnX5chGDV4qGG/AcWIyLhMWiKllywJAys3/GL1xCTJmfREnpGExVfhpRgk\ny8M6pZpvAgMBAAGjUDBOMB0GA1UdDgQWBBQrbdLP0vEthm7MGWD541CS+V5mDDAf\nBgNVHSMEGDAWgBQrbdLP0vEthm7MGWD541CS+V5mDDAMBgNVHRMEBTADAQH/MA0G\nCSqGSIb3DQEBCwUAA4IBAQBwWXgP6d/bSd7DnPIT39yl8WTpCE9fgZ8/OQ5ALRRO\nWUo63HtUkzKi+SNLgoQij0BRw+wSZaA54o9HP/SPHoNmbSD3kxe9BBo39js3GjV3\nC8sVyXU6a+IY3OhTcESAJIL8WAk5qLxliCook1Bnj7VLWI9KF/tJl8FDQpvejBhS\neP4T6A2b7GLMkZGnVcPF2qH6QF4J/a4mKF4p8tRlFqBVWe3/NQwRRLtUDCheTtBL\neHWdJCm2if0ZYJ9XyvDpNR875PgXShAHJswluA3CWVXGOm57IXtILO0HIYR4LVKf\nnVgXkk/lLgjFl4mRUUnIakB76JTOgDC/dNhDDwKbg0MZ\n-----END CERTIFICATE-----\n",
        "secret_sni": "",
        "create_ts": "2021-01-25T05:38:46.61474+00:00",
        "update_ts": "2021-01-25T05:40:27.931632+00:00"
      }
    ]
  }
}

Attach the secret to the service

Note that the service demo was created in the first step, when the EnRoute standalone gateway was set up.

curl -s -X POST localhost:1323/service/demo/secret/enroute_secret

Update fqdn on service

curl -X PATCH "http://localhost:1323/service/demo" -d 'fqdn=enroute.local'

Dump service

curl -s localhost:1323/service/dump/demo

Send traffic

Send a request to the listener

curl -k -vvv https://enroute.local:8443 --resolve enroute.local:8443:127.0.0.1

Check Envoy stats

curl -k -vvv http://localhost:9001/stats
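The whole procedure above, from the key and certificate to the final request, scripted as an added example that is not part of the original post or of the EnRoute project; it assumes the article's API endpoint localhost:1323, the service named demo, the enroute.local.key and enroute.local.cert files created above, and the HTTPS listener on 127.0.0.1:8443. It adds two checks the article does not make: that the private key actually matches the certificate before anything is uploaded, and, once the secret is attached, that the listener really presents that certificate for SNI enroute.local.

```shell
#!/bin/sh
# Added example, not EnRoute's own code. Assumes the article's API endpoint,
# service "demo", the key/cert files created above, and the listener on 8443.
set -eu
API="${API:-localhost:1323}"
LISTENER="${LISTENER:-127.0.0.1:8443}"
SNI="enroute.local"

# SHA-256 fingerprint of a PEM certificate, lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# True only if the private key and certificate carry the same public key;
# a mismatched pair never yields a working TLS listener, so check first.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Fingerprint of the leaf certificate the listener presents for a given SNI.
served_fingerprint() {
    printf '' | openssl s_client -connect "$LISTENER" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# The article's API calls, in order; -f makes curl fail on HTTP errors.
upload_and_attach() {
    curl -sf -X POST "$API/secret" -d "Secret_Name=enroute_secret"
    curl -sf -X POST "$API/secret/enroute_secret/key" -F "Secret_key=@$1"
    curl -sf -X POST "$API/secret/enroute_secret/cert" -F "Secret_cert=@$2"
    curl -sf -X POST "$API/service/demo/secret/enroute_secret"
    curl -sf -X PATCH "$API/service/demo" -d "fqdn=$SNI"
}

main() {
    key_matches_cert enroute.local.key enroute.local.cert \
        || { echo "key does not match certificate, not uploading" >&2; exit 1; }
    upload_and_attach enroute.local.key enroute.local.cert
    expected=$(cert_fingerprint enroute.local.cert)
    actual=$(served_fingerprint "$SNI")
    [ "$expected" = "$actual" ] \
        || { echo "listener serves $actual, expected $expected" >&2; exit 1; }
    echo "listener on $LISTENER presents the uploaded certificate for $SNI"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh attach_tls.sh run` from the directory holding the key and certificate; without the `run` argument it only defines the functions.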

Next steps

EnRoute standalone gateway provides simple APIs to configure Envoy proxy. Additionally you can -