Configure Istio Ingress using AWS ELB for HTTPS traffic with a custom ACM certificate

9/19/2019

I have deployed a Kubeflow on an EKS cluster, but want to configure HTTPS listening with a custom ACM certificate. Kubeflow utilizes Istio's ingress gateway to receive external traffic, and by default is only configured for HTTP traffic.

When I inspect the ingress.yaml file that creates the Ingress object, I see that it is configured for only HTTP:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
  name: istio-ingress
spec:
  rules:
    - http:
        paths:
          - backend:
              serviceName: istio-ingressgateway
              servicePort: 80
            path: /*

The same exists for the Istio Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kubeflow-gateway
  namespace: kubeflow
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

The only article I can find on accepting TLS traffic comes from the Istio documentation tutorial for its book service, but its configuration appears to be using a certificate that is mounted directly into the file system at /etc/istio/ingressgateway-bookinfo-certs/tls.crt:

$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-bookinfo
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-bookinfo-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-bookinfo-certs/tls.key
    hosts:
    - "bookinfo.com"
EOF

The problem is, when I typically configure an AWS ELB to listen to HTTPS traffic, I typically have to specify the SSL certificate from ACM (Amazon Certificate Manager). For example, this is a screenshot of me manually configuring the load balancer created by Istio to listen for HTTPS traffic. This is the certificate I acquired for my hosted zones purchased from Route 53. However, I honestly don't have any idea how I am supposed to specify this certificate within my Istio YAML configurations, or even how to mount it. I know this is a somewhat basic question, but could someone point me in the direction of a tutorial or walkthrough for how to use HTTPS listeners with ACM for Istio ingress?

-- Yu Chen
amazon-web-services
https
istio
kubernetes
ssl

1 Answer

9/19/2019

I think you simply need to add an annotation. You can specify which certificate to use for your load balancer like this:

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:1231234564:certificate/4564abc12-d3c2-4455-8c39-45354cddaf03 (replace with the ARN you get from ACM)

And I believe you may need to listen on port 443.

Docs on available annotations are available at https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/

-- marcincuber
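The answer's two points (the certificate-arn annotation and an HTTPS listener on 443) applied to the istio-ingress object from the question, as an added example that is not part of the original question or answer. The certificate ARN is a placeholder; the ssl-policy and actions.ssl-redirect annotations are taken from the ALB ingress controller documentation the answer links to, not from the answer itself, and the HTTP-to-HTTPS redirect is optional.

```yaml
# Added example: Kubeflow's istio-ingress Ingress rewritten so the ALB terminates TLS
# with an ACM certificate. Not from the question, the answer, or the Kubeflow manifests.
# Replace the placeholder ARN with the ACM certificate for your Route 53 hosted zone;
# ACM certificates are regional, so it must be issued in the cluster's region.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # Listen on 443 (required for certificate-arn to take effect) and keep 80 for redirects.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # The ACM certificate the ALB presents to clients (placeholder ARN).
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID
    # Restrict the listener to an AWS predefined TLS 1.2 policy (annotation from the controller docs).
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    # Listener action that 301-redirects plain HTTP to HTTPS; referenced by the first path below.
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
spec:
  rules:
    - http:
        paths:
          # Must be listed first: matches every request on the HTTP listener and redirects it.
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          # Decrypted traffic is forwarded to the Istio ingress gateway over plain HTTP,
          # so the kubeflow-gateway Gateway keeps its existing HTTP/80 server block unchanged.
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 80
```

With this layout the certificate never has to be mounted into the ingress gateway pod at all: the ALB holds the ACM certificate and terminates TLS, and the bookinfo-style tls block in the Istio Gateway is not needed. The trade-off is that the hop from the ALB to the istio-ingressgateway service stays plaintext HTTP inside the VPC; if end-to-end encryption to the gateway is a requirement, the Gateway itself needs a certificate it can read, which is the file-mounted setup from the bookinfo example rather than ACM.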
Source: StackOverflow