1

I am trying to enable HTTPS on my Istio Ingress Gateway after installing the service mesh, gateway, and applying a routing policy. The initial Istio installation was done using a profile which includes an istio-ingressgateway service. When I do it this way, it creates the ingress gateway as a Kind: Service instead of a Kind: Gateway.

I looked at this: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ But, the tutorial only describes how to apply the certificate to a Gateway kind and not a Service kind.

What is the proper way to apply the SSL certificate to an ingress gateway service or is there a better way to approach this?

Istio Profile YAML

Thanks for your help!

EDIT: Problem Solved.

I went back through the tutorial last night after going down the path of trying to create a clusterIssuer and installing cert manager etc with poor results (The certificate never got accepted by the Certificate Authority for some reason so I only had the key file and an empty cert file). It ended up being easier to create my own certificate.

The issue was that I was referencing the TLS port in my virtual service when I only needed to point towards the port of the service where I was trying to send traffic from the gateway.

This article helped me understand better: Secure Ingress -Istio By Example along with the official Istio Secure-Ingress tutorial I linked above already.

From there I just created a new secret, ran a script that creates a working certificate (basically just a bash script that follows the steps from the Istio tutorial), and then made sure the credential name in my gateway file matched the new secret I created.

Zac
  • 59
  • 1
  • 2
  • 11
  • does the load balancer accept certificates? if so, apply it as normal. – suren Jun 26 '20 at 03:30
  • What is the normal way though? I followed the tutorial but it doesn't seem to work. For more context, when trying to curl the external IP for the istio-ingressgateway loadbalancer, this is the response: `LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to [EXTERNAL IP]` – Zac Jun 26 '20 at 13:56
  • 1
    The normal way would be to set up an external LB pointing to istio-ingressgateway; with TLS termination on the LB. The certs would be stored in the LB, and further connection would go on HTTP. – suren Jun 28 '20 at 07:04

3 Answers3

3

when you deployed the istio setup, it will create

  • kind: Service, istio-ingressgateway
  • kind: deployemnt , istio-ingressgateway

then you can create the below with https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/, this will configure your ssl.

  • kind: Secret, in namespace: istio-system
  • kind: gateway, with the above secrets in it referred.
  • kind: Virtual Service, linked to this gateway , and dest. application.
Nadeem Hussain
  • 176
  • 3
1

Some concepts are slightly confused:

  • The Gateway custom resource will configure the istio-ingressgateway, meanwhile
  • The Kubernetes Service will create an externally accessible IP.

Using the externally accessible IP, the traffic will be sent to the istio-ingressgateway, where your certificates are configured using the Gateway CR and you will have an HTTPS connection.

Rinor
  • 1,790
  • 13
  • 22
0

I recommend you to simply follow the below mentioned steps -

Install cert-manager from here using the steps those are helm chart based

The you can follow this stackoverflow post

Note that - you need not create the tls secret here, cert-manager will auto create the secret by name mentioned in your certificate, cert-manager will carryout acme challenge once you patch the secret name to TLS and once it gets successful, the certificate acquires ready state.

use

cert-manager.io/v1alpha2

this api version in cluster issuer, if the one mentioned there only is not acceptable

Tushar Mahajan
  • 2,044
  • 1
  • 7
  • 18