Istio with letsencrypt SSL and cert-manager

9/18/2019

I am working with the bookinfo demo app provided by Istio (https://istio.io/docs/examples/bookinfo/). It is working fine on port 80. I want to access the app over HTTPS, and for that I made the changes below, but the auto-generated ingress is not creating port 443.

---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
    name: letsencrypt-staging
spec:
    acme:
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        email: ronak@example.com
        privateKeySecretRef:
            name: letsencrypt-staging
        http01: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
    name: bookinfo-crt
    namespace: default
spec:
    secretName: bookinfo-crt
    issuerRef:
        name: letsencrypt-staging
        kind: Issuer
    commonName: bookinfo.example.com
    dnsNames:
    - bookinfo.example.com
    acme:
        config:
        - http01:
              ingressClass: istio
          domains:
          - bookinfo.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
  labels:
    app: ingressgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.example.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: "sds"
      privateKey: "sds"
      credentialName: "bookinfo-crt" # fetches certs from Kubernetes secret

cert-manager logs:

I0918 15:33:30.650813       1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="bookinfo.example.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-kfnk2" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="bookinfo-crt-4286905572-0" "resource_namespace"="default" "type"="http-01"
E0918 15:33:30.661141       1 sync.go:183] cert-manager/controller/challenges "msg"="propagation check failed" "error"="wrong status code '404', expected '200'" "dnsName"="bookinfo.example.com" "resource_kind"="Challenge" "resource_name"="bookinfo-crt-4286905572-0" "resource_namespace"="default" "type"="http-01"
I0918 15:33:30.661278       1 base_controller.go:193] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="default/bookinfo-crt-4286905572-0"

Auto-generated ingress:

kubectl get ing
NAME                        HOSTS                       ADDRESS   PORTS     AGE
cm-acme-http-solver-kfnk2   bookinfo.example.com             80        21m

As you can see, there is only port 80 even though I specified 443 in the gateway.

-- Ronak Patel
cert-manager
istio
kubernetes
kubernetes-ingress

0 Answers