4

Using GKE with integrated Istio, is it possible to use a Google-managed certificate for the ingress gateway?

When the cluster is created, the ingress is already present. I don't see how to inject one other than by managing a secret and linking it to the Istio gateway.

Is this a good way, or do you know something simpler?

halfer
unludo

1 Answer

2

Managing certs via an optional secret (named istio-ingressgateway-ca-certs) is the way recommended by Istio, as described here. The Istio gateway will load the secret automatically.

You can also do a re-deployment of the default istio-ingressgateway with new certificates, aided by the helm tool (guide link here).

Official GCP documentation also suggests, in that respect, creating new ingress resources (see the "Adding gateways" paragraph), to avoid any customizations made to the default Istio-GKE being wiped out during auto upgrades.

So the other option for you is to create a custom ingress gateway with Google-managed certs, and link it later in Virtual Services, as explained in this blog post. To ease creation of the manifest file for a custom ingress gateway you can also use the helm template command* from the guide link above, "Redeploy istio-ingressgateway with the new certificates".

*Don't forget to change its name in the metadata of the resulting file.

Nepomucen
  • Thanks for your answer. Actually still struggling on this. Apparently there is no way for Istio to know that the cert has been updated (https://medium.com/@prune998/istio-1-0-2-envoy-cert-manager-lets-encrypt-for-tls-certificate-merge-7a774bff66c2). – unludo May 15 '19 at 13:26
  • For "custom-ingress-gateway" does this mean I can map a Virtual Service directly to an Ingress? – Jackie Mar 03 '22 at 16:26
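As an added example of the answer's second option (a Google-managed certificate in front of the Istio ingress gateway), not taken from the question, the answer or the linked blog post: the GKE `ManagedCertificate` is attached to a GCE `Ingress` that terminates HTTPS at the Google load balancer and forwards plain HTTP to the `istio-ingressgateway` Service, and an Istio `Gateway` plus `VirtualService` route that traffic inside the mesh. The hostname `www.example.com`, the static IP name `example-static-ip`, the backend service `example-svc` and all resource names are constructed placeholders; the API versions are the ones GKE and Istio exposed around the time of the question (2019).

```yaml
# Added example, not the page's own manifests. Hostnames, IP name and
# backend service are constructed placeholders.
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: example-managed-cert
  namespace: istio-system
spec:
  domains:
    - www.example.com   # DNS must point at the Ingress IP before issuance completes
---
apiVersion: extensions/v1beta1   # Ingress API version of GKE clusters of that era
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    # reserved global static IP (assumed to exist); keeps the IP stable across redeploys
    kubernetes.io/ingress.global-static-ip-name: example-static-ip
    # binds the Google-managed certificate above to this load balancer
    networking.gke.io/managed-certificates: example-managed-cert
    # refuse plain HTTP at the load balancer; clients only get HTTPS
    kubernetes.io/ingress.allow-http: "false"
spec:
  backend:
    # the istio-ingressgateway Service must be reachable as a GCE backend
    # (NodePort, or ClusterIP with container-native NEGs)
    serviceName: istio-ingressgateway
    servicePort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway   # the default GKE-installed gateway pods
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP       # TLS already terminated at the Google load balancer
      hosts:
        - "www.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: example-vs
  namespace: default
spec:
  hosts:
    - "www.example.com"
  gateways:
    - istio-system/example-gateway   # namespace/name form, Istio 1.1 and later
  http:
    - route:
        - destination:
            host: example-svc.default.svc.cluster.local   # constructed backend
            port:
              number: 8080
```

Two things to check after applying this. First, the Google load balancer only sends traffic once its health check against the gateway pods passes; the `istio-ingressgateway` readiness endpoint is `/healthz/ready` on port 15020, not port 80, so confirm the backend shows as healthy in the load balancer rather than assuming it. Second, with this layout TLS ends at the load balancer and the hop to the gateway pods is plain HTTP inside the VPC; if the threat model requires encryption on that hop as well, the answer's first option (a certificate in the gateway's secret, re-deployed when it rotates) is the one to use, and this example does not provide it.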