Using Gateway + VirtualService + http01 + SDS

6/4/2019

In the document there is an example about Securing Kubernetes Ingress with Cert-Manager which is not using Gateway + VirtualService.

I have tried to make it work with ACME http01, but the certificate cannot be issued: in the challenge log I have a 404 error. It seems it cannot reach the domain to check the challenges. Is there any best practice with the specifications that I mentioned?

[Update 1]

I want to use istio gateway with SDS option for TLS and secure that by using cert-manager with http-01.

According to the documentation I found some examples like Securing Kubernetes Ingress with Cert-Manager or Deploy a Custom Ingress Gateway Using Cert-Manager. However, these examples use the Kubernetes Ingress resource itself (not the Istio Gateway), or, like the second example, use dns-01.

I need instructions that include the Istio Gateway with the SDS option for TLS, secured using cert-manager with http-01. The Istio Gateway gives me the ability to use VirtualService.

Thanks!

-- Amir Movahedi
istio
kubernetes

1 Answer

6/14/2019

I have found the answer, but I am not really sure why it works this way. I have followed the documentation with some changes.

First I edited the istio-autogenerated-k8s-ingress Gateway using the kubectl -n istio-system edit gateway command. I removed the whole HTTPS part and left the HTTP part there.

Then I created another Gateway, something like:

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 'example.com'
    port:
      name: http
      number: 80
      protocol: HTTP2
    tls:
      httpsRedirect: true
  - hosts:
    - 'example.com'
    port:
      name: https-default
      number: 443
      protocol: HTTPS
    tls:
      credentialName: ingress-cert-staging
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "example.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
EOF

With this, cert-manager issued my certificate (I guess via the istio-autogenerated-k8s-ingress Gateway!! No idea!!) and I can create multiple Gateways and VirtualServices like the example above. So everything works well!! This is just my idea, and doing it blindly is not the right way. If you have a better answer and you know why things happen the way I explained, please let me know.

Thanks!

-- Amir Movahedi
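The cert-manager side that the answer above leaves implicit, as an added example (not the poster's own manifests and not taken from the Istio or cert-manager docs). It assumes the current cert-manager.io/v1 API rather than the v1alpha1 API of mid-2019, the real Let's Encrypt staging directory URL, a constructed contact e-mail, and that Istio's Kubernetes Ingress support is enabled (which the presence of the istio-autogenerated-k8s-ingress Gateway indicates). The secret name deliberately matches the `credentialName: ingress-cert-staging` used in the Gateway above.

```yaml
# ClusterIssuer: ACME http01 against the Let's Encrypt STAGING endpoint.
# The http01 solver publishes the challenge by creating a temporary Kubernetes
# Ingress of class "istio"; that Ingress is what the plain-HTTP (port 80) part of
# the istio-autogenerated-k8s-ingress Gateway serves, which is why that part
# must stay in place for the challenge to be answered instead of returning 404.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com                 # constructed placeholder
    privateKeySecretRef:
      name: letsencrypt-staging-account-key  # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          class: istio                       # route the challenge through Istio's ingress
---
# Certificate: it must live in istio-system, because the ingress gateway's SDS
# lookup for tls.credentialName only sees secrets in the gateway's own namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-cert-staging
  namespace: istio-system
spec:
  secretName: ingress-cert-staging           # must equal tls.credentialName in the Gateway
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - example.com                              # the host listed in the Gateway/VirtualService
```

Three checks make the flow observable rather than "blind": while the order is pending, `kubectl get ingress -A` should show a `cm-acme-http-solver-*` Ingress and `kubectl -n istio-system get challenge` should show it reaching state valid; afterwards `kubectl -n istio-system get certificate ingress-cert-staging` should report Ready, and the resulting secret carries `tls.crt` and `tls.key`, which is the format the ingress gateway's SDS reads. The staging issuer produces a chain that browsers do not trust, so once the challenge succeeds, switch `server` to the production directory and use a separate Certificate/secret name, since Let's Encrypt rate-limits production issuance. If the ingress is exposed on a port other than 80 (for example through a NodePort with no load balancer in front), http01 cannot work and dns-01 is the right solver, as in the second document the question mentions.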
Source: StackOverflow