In the document there is an example about Securing Kubernetes Ingress with Cert-Manager which is not using Gateway + VirtualService.
I have tried to make it work with ACME http01, but the certificate cannot be issued: in the challenge log I have a 404 error. It seems it cannot access the domain checking challenges. Is there any best practice with the specifications that I mentioned?
[Update 1]
I want to use an Istio gateway with the SDS option for TLS and secure that by using cert-manager with http-01.
According to the documentation I found some examples like Securing Kubernetes Ingress with Cert-Manager or Deploy a Custom Ingress Gateway Using Cert-Manager. However, these examples use the Kubernetes Ingress resource itself (not an Istio gateway) or, like the second example, use dns-01.
I need instructions that include an Istio gateway with the SDS option for TLS, secured by using cert-manager with http-01. The Istio gateway gives me the ability to use VirtualService.
Thanks!
I have found the answer, but I am not really sure why it works this way. I followed the documentation with some changes.
First I edited the istio-autogenerated-k8s-ingress using the kubectl -n istio-system edit gateway command. I removed the whole HTTPS part and left the HTTP part there.
Then I created another Gateway, something like:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 'example.com'
    port:
      name: http
      number: 80
      protocol: HTTP2
    tls:
      httpsRedirect: true
  - hosts:
    - 'example.com'
    port:
      name: https-default
      number: 443
      protocol: HTTPS
    tls:
      credentialName: ingress-cert-staging
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "example.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
EOF
With this, cert-manager issued my certificate (I guess by the istio-autogenerated-k8s-ingress Gateway!! no idea!!) and I can create multiple Gateways and VirtualServices like the example above. So everything works well!! This is just my idea, and doing it blindly is not the right way. Please, if you have a better answer and you know why things happen the way I explained, let me know.
Thanks!
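The Gateway above references a credential named ingress-cert-staging but the post does not show the cert-manager side. The following is an added example, not part of the original post, of an http-01 issuer and Certificate that would produce that secret. It assumes cert-manager's cert-manager.io/v1 API and an Istio install that serves Kubernetes Ingress resources of class istio; the issuer name, account-key secret name and e-mail address are placeholders.

```yaml
# Added example (not from the original post).
# Assumptions: cert-manager with the cert-manager.io/v1 API is installed, and
# Istio handles Kubernetes Ingress resources of class "istio" on the ingress gateway.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging                  # hypothetical name
spec:
  acme:
    # Let's Encrypt staging endpoint: untrusted test certificates, relaxed rate limits
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com                 # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key  # hypothetical name, holds the ACME account key
    solvers:
    - http01:
        ingress:
          # cert-manager creates a temporary solver Ingress with this class;
          # the challenge path /.well-known/acme-challenge/<token> must be
          # reachable over plain HTTP on port 80 through the ingress gateway.
          class: istio
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-cert-staging
  # The ingress gateway's SDS looks up credentialName in its own namespace,
  # so the secret has to be created next to the gateway workload.
  namespace: istio-system
spec:
  secretName: ingress-cert-staging           # must equal tls.credentialName in the Gateway
  dnsNames:
  - example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
```

If the challenge returns 404 again, kubectl get challenges -A and kubectl -n istio-system describe certificate ingress-cert-staging show which step of the http-01 validation is failing.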