I have an EKS cluster configured with an Istio ingress gateway, and my DNS domain (test.com) is hosted in Route53. I would like to generate a Let's Encrypt certificate for my domain. I'm using the following versions: cert-manager (0.14.1), Istio (1.6), Kubernetes (1.17). Can you please provide me the list of steps to be followed?
2 Answers
I am not very familiar with how the setup has to be done for Istio, but for Ingress it's done the following way; I hope the same should work there too.
You can download the cert-manager Helm chart from here, and then you have to create the ingress rules for traffic routing. For doing the TLS termination there, you can follow this Stack Overflow link.
Kindly use
apiVersion: cert-manager.io/v1alpha2
in clusterissuer, if the apiVersion for clusterIssuer present in that stackoverflow post is not acceptable

This has worked for ppl using Istio in the past, I guess it shall work for you too – Tushar Mahajan Jul 15 '20 at 18:51
There is related documentation about integrating cert-manager and Istio.
cert-manager
Configuration
Consult the cert-manager installation documentation to get started. No special changes are needed to work with Istio.
Usage
Istio Gateway
cert-manager can be used to write a secret to Kubernetes, which can then be referenced by a Gateway. To get started, configure a Certificate resource, following the cert-manager documentation. The Certificate should be created in the same namespace as the istio-ingressgateway deployment. For example, a Certificate may look like:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  commonName: my.example.com
  dnsNames:
  - my.example.com
  ...
Once we have the certificate created, we should see the secret created in the istio-system namespace. This can then be referenced in the tls config for a Gateway under credentialName:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingress-cert # This should match the Certificate secretName
    hosts:
    - my.example.com # This should match a DNS name in the Certificate
cert-manager provides direct integration with Kubernetes Ingress by configuring an annotation on the Ingress object. If this method is used, the Ingress must reside in the same namespace as the istio-ingressgateway deployment, as secrets will only be read within the same namespace.
Alternatively, a Certificate can be created as described in Istio Gateway, then referenced in the Ingress object:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - host: my.example.com
    http: ...
  tls:
  - hosts:
    - my.example.com # This should match a DNS name in the Certificate
    secretName: ingress-cert # This should match the Certificate secretName
Additionally, there is an example made by @chrisnyc on Istio discuss.
Hope you find this useful.

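For the Route53 and Let's Encrypt part of the question, here is an added example (not from either answer or from the quoted documentation) of a DNS-01 ClusterIssuer and a Certificate that references it through issuerRef. The issuer name, contact e-mail, region and hosted zone ID are placeholders, and it assumes the cert-manager pod gets its Route53 permissions from an IAM role rather than from a stored access key.

```yaml
# Added example: values marked as placeholders must be replaced.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01            # hypothetical issuer name
spec:
  acme:
    # Let's Encrypt production endpoint. While testing, switch to the staging
    # endpoint (https://acme-staging-v02.api.letsencrypt.org/directory) to
    # stay clear of the production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@test.com            # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key   # ACME account key, created by cert-manager
    solvers:
    - selector:
        dnsZones:
        - test.com                   # this solver only handles names in this zone
      dns01:
        route53:
          region: us-east-1          # placeholder region
          hostedZoneID: HOSTED_ZONE_ID_PLACEHOLDER
          # accessKeyID / secretAccessKeySecretRef are left out on purpose:
          # assumption is that credentials come from an IAM role, so no
          # long-lived AWS key is stored in the cluster.
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system            # same namespace as istio-ingressgateway
spec:
  secretName: ingress-cert           # the Gateway's credentialName points here
  commonName: test.com
  dnsNames:
  - test.com
  issuerRef:
    name: letsencrypt-dns01          # must match the ClusterIssuer above
    kind: ClusterIssuer
```

The IAM role needs route53:GetChange, route53:ChangeResourceRecordSets (scoped to the hosted zone) and route53:ListHostedZonesByName. Keeping ChangeResourceRecordSets limited to the one zone means a compromised cert-manager pod cannot rewrite records in other zones.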