1、创建ssl的secret
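# Create the kubernetes.io/tls Secret that the Gateway listener references.
# - Create it in the Gateway's namespace (eg-demo in the manifest below);
#   a Secret in another namespace is only usable through a ReferenceGrant.
# - The name must equal certificateRefs[].name in the Gateway
#   (gatewayapi-ssl-secret in the manifest below).
# - tls.key is the private key: keep it out of version control and
#   readable only by its owner on the machine running this command.
# The expansions are quoted so an empty or space-containing value cannot
# shift kubectl's arguments.
kubectl -n "${your_namespace}" create secret tls "${your_secret_name}" \
  --cert=path/to/tls.crt \
  --key=path/to/tls.key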

2、gateway模板
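---
# Gateway with one HTTPS listener that terminates TLS using the Secret
# created in step 1. Nesting is restored here; as a flat list of keys the
# manifest does not describe a valid Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg-gateway
  namespace: eg-demo
spec:
  # GatewayClass handled by the controller: "eg" is Envoy Gateway here;
  # with NGINX Gateway Fabric (NGF) the default class is "nginx".
  gatewayClassName: eg
  listeners:
    # Listener name; the HTTPRoute's parentRefs.sectionName must match it.
    - name: https
      protocol: HTTPS
      port: 443
      # Hostname this listener serves (wildcards are supported). The
      # referenced certificate has to cover this name.
      hostname: "gatewayapi.demo.com"
      tls:
        # Terminate: the TLS connection ends at the Gateway. This
        # certificate does not protect the Gateway-to-backend hop.
        mode: Terminate
        certificateRefs:
          # The TLS Secret created in step 1. No namespace is set, so it
          # is looked up in the Gateway's own namespace (eg-demo).
          - kind: Secret
            name: gatewayapi-ssl-secret
            # Empty string selects the core API group, where Secret lives.
            group: ""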
3、httproute
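---
# HTTPRoute that attaches to the "https" listener of eg-gateway and splits
# traffic for gatewayapi.demo.com between two backend Services. Nesting is
# restored here; the flat form does not describe a valid HTTPRoute.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-route
  # Namespace of this HTTPRoute. It equals the Gateway's namespace here:
  # parentRefs sets no namespace, and a listener without allowedRoutes
  # only accepts routes from its own namespace.
  namespace: eg-demo
spec:
  parentRefs:
    # Name of the Gateway to attach to.
    - name: eg-gateway
      # Name of the Gateway listener to bind to (the HTTPS listener).
      sectionName: https
  hostnames:
    # Host to match; it must fall within the listener's hostname.
    - "gatewayapi.demo.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        # Backend Services. Weights are relative: 90 of every 100
        # requests go to dev-demo-canary and 10 to dev-demo-prod.
        # NOTE(review): confirm the canary is meant to get the larger share.
        - name: dev-demo-canary
          kind: Service
          port: 8080
          weight: 90
        - name: dev-demo-prod
          kind: Service
          port: 8080
          weight: 10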
4、验证https
