Reputation: 59
I am trying to enable HTTPS on my Istio Ingress Gateway after installing the service mesh, gateway, and applying a routing policy. The initial Istio installation was done using a profile which includes an istio-ingressgateway service. When I do it this way, it creates the ingress gateway as a Kind: Service instead of a Kind: Gateway.
I looked at this: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ But, the tutorial only describes how to apply the certificate to a Gateway kind and not a Service kind.
What is the proper way to apply the SSL certificate to an ingress gateway service or is there a better way to approach this?
Thanks for your help!
EDIT: Problem Solved.
I went back through the tutorial last night after going down the path of trying to create a clusterIssuer and installing cert manager etc with poor results (The certificate never got accepted by the Certificate Authority for some reason so I only had the key file and an empty cert file). It ended up being easier to create my own certificate.
The issue was that I was referencing the TLS port in my virtual service when I only needed to point towards the port of the service where I was trying to send traffic from the gateway.
This article helped me understand better: Secure Ingress - Istio By Example, along with the official Istio Secure-Ingress tutorial I linked above already.
From there I just created a new secret, ran a script that creates a working certificate (basically just a bash script that follows the steps from the Istio tutorial), and then made sure the credential name in my gateway file matched the new secret I created.
Upvotes: 1
Views: 4194
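The fix described in the question's edit, written out as an added configuration example (not part of the original post): the Gateway terminates TLS on 443 using a secret referenced by `credentialName`, and the VirtualService routes to the backend service's own port. The host, secret name, key and certificate file names, service name and port 8080 are all assumed placeholders.

```yaml
# Assumed names (not from the post): host app.example.com, secret my-tls-credential,
# backend Service my-app listening on port 8080 in namespace default.
# The secret is created beforehand in the ingress gateway's namespace, e.g.:
#   kubectl create -n istio-system secret tls my-tls-credential --key=app.key --cert=app.crt
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-app-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway        # binds to the pods behind the istio-ingressgateway Service
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE               # gateway terminates TLS
      credentialName: my-tls-credential   # must equal the Secret's name exactly
    hosts:
    - app.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-app
  namespace: default
spec:
  hosts:
  - app.example.com
  gateways:
  - my-app-gateway
  http:
  - route:
    - destination:
        host: my-app
        port:
          number: 8080           # the backend Service's port, not the gateway's 443
```

If the secret name and `credentialName` differ, or the secret lives outside the ingress gateway's namespace, the gateway has no certificate to serve on 443 and the TLS handshake fails.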
Reputation: 186
When you deploy the Istio setup, it will create
Then you can create the below with https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/; this will configure your SSL.
Upvotes: 3
Reputation: 1979
Some concepts are slightly confused:
Using the externally accessible IP, the traffic will be sent to the istio-ingressgateway, where your certificates are configured using the Gateway CR and you will have an HTTPS connection.
Upvotes: 1
Reputation: 2160
I recommend that you simply follow the steps below:
Install cert-manager from here, using the Helm chart based steps.
Then you can follow this Stack Overflow post.
Note that you need not create the TLS secret here; cert-manager will automatically create the secret with the name mentioned in your certificate. cert-manager will carry out the ACME challenge once you patch the secret name to TLS, and once it succeeds, the certificate acquires the ready state.
Use the cert-manager.io/v1alpha2 API version in the cluster issuer if the one mentioned there is not acceptable.
Upvotes: 0