4

I am trying to patch the istio-ingressgateway service with ACM using the following:

```shell
kubectl -n istio-system patch service istio-ingressgateway -p "$(cat<<EOF
metadata:
  name: istio-ingressgateway
  namespace: istio-system
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:xx-xxxx-1:123456789:certificate/xxxx-xxx-xxxxxxxxxxx"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
EOF
)"
```

but it is returning not patched. What's wrong here?

  • `it is showing patched now, but still SSL is not applied to ELB, that's strange` -> there is a related [GitHub issue](https://github.com/istio/istio/issues/6566) about that. Specifically, take a look at [this](https://github.com/istio/istio/issues/6566#issuecomment-427136888) and [this](https://github.com/istio/istio/issues/6566#issuecomment-428914509) answer. Additionally, you can take a look at this [thread](https://discuss.istio.io/t/503-errors-when-using-tls-on-gateway/6127/6) at discuss.istio.io. Let me know if that solved your problem. – Jakub Aug 26 '20 at 08:10
  • @Jakub Thanks it helps.. – Akash Verma Aug 26 '20 at 21:14
  • Happy to help. I have posted an answer with that information for future visibility. If this answer or any other one solved your issue, please mark it as accepted or upvote it so people know that's the correct answer. – Jakub Aug 27 '20 at 06:19

2 Answers

4

The problem is the indentation. Try putting your patch in a YAML file:

`ingress_patch.yaml`

```yaml
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:xx-xxxx-1:123456789:certificate/xxxx-xxx-xxxxxxxxxxx"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
```

Then apply it as follows:

```shell
kubectl -n istio-system patch service istio-ingressgateway -p "$(cat ./ingress_patch.yaml)"
```
wolmi
  • 1,659
  • 12
  • 25
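A pre-flight check for the indentation mistake described in the answer above, as an added example that is not part of the original answers: it flags any `service.beta.kubernetes.io/*` key in a patch file that is not nested under `metadata.annotations`, the case in which the annotations never reach the Service and the ACM certificate and internal-scheme settings are not applied. The function name `lint_lb_annotations` is an assumption of this example, and it assumes a block-style YAML patch indented with spaces.

```shell
# Added example (not from the original answers).
# lint_lb_annotations FILE  (function name is an assumption of this example)
#   Prints "FILE:LINE: KEY (found under PARENT)" for every
#   service.beta.kubernetes.io/* key that is not nested under
#   metadata > annotations. Returns 1 if any such key is found, else 0.
# Assumes a block-style YAML patch indented with spaces.
lint_lb_annotations() {
  awk -v file="$1" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      line = $0
      sub(/^ +/, "", line)                   # strip leading spaces
      indent = length($0) - length(line)     # nesting depth of this line
      colon = index(line, ":")
      if (colon == 0) next                   # not a "key: value" line
      key = substr(line, 1, colon - 1)

      # Pop entries that are not ancestors of this line.
      while (depth > 0 && ind[depth] >= indent) depth--

      path = ""
      for (i = 1; i <= depth; i++) path = path (i > 1 ? " > " : "") name[i]

      if (index(key, "service.beta.kubernetes.io/") == 1 &&
          path != "metadata > annotations") {
        printf "%s:%d: %s (found under %s)\n", file, NR, key,
               (path == "" ? "top level" : path)
        bad = 1
      }
      depth++; ind[depth] = indent; name[depth] = key
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Lint the file given as the first argument, e.g. ingress_patch.yaml.
if [ -n "${1:-}" ]; then lint_lb_annotations "$1"; fi
```

Run it on the patch file before `kubectl patch`; a non-zero exit status means at least one load balancer annotation sits outside `metadata.annotations`.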
3

I am posting this as a community wiki answer for better visibility.


As I mentioned in the comments, there is a related GitHub issue about Istio Ingress TLS key management use ACM.

Although what @wolmi said is true, because the indentation was wrong, there are more issues which need to be covered when you're trying to combine Istio with ELB and ACM.

It's well described in the 3 answers below.

It is especially worth taking a look at the 3 comments below from the above GitHub issue.

  • Answer provided by @cmcconnell1.
  • Answer provided by @eduardobaitello
  • Answer provided by @eduardobaitello

Additionally, there is a thread about that on discuss.istio.io.

Jakub
  • 8,189
  • 1
  • 17
  • 31