Access istio/k8s service via HTTPS

12/5/2019

I'm a bit new to Kubernetes and istio. I'm trying to create a service and access it over HTTPS.

  • Over HTTP everything looks great
  • I've used cert-manager with Let's Encrypt to generate the certificate
  • The Certificate has been generated successfully
  • I've generated the secret using the following command
kubectl create secret generic clouddns --namespace=cert-manager --from-literal=GCP_PROJECT=<PROJECT> --from-file=/etc/keys/<KEY>.json

These are my configurations files of the Gateway, Virtual Service, Cluster Issuer, and Certificate.

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: messaging-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "<HOST>"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "<HOST>"
    tls:
      credentialName: messaging-certificate
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds

Virtual Service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: messaging
spec:
  hosts:
  - "<HOST>"
  gateways:
  - messaging-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: messaging
        port:
          number: 8082

Cluster Issuer

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: messaging-cluster-issuer
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <EMAIL>
    privateKeySecretRef:
      name: messaging-letsencrypt
    solvers:
    - dns01:
        clouddns:
          serviceAccountSecretRef:
            name: clouddns
            key: <KEY>.json
          project: <PROJECT>

Certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: messaging-certificate
spec:
  secretName: messaging-certificate
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  organization:
  - RELE.AI
  commonName: <HOST>
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - server auth
    - client auth
  dnsNames:
  - <HOST>
  issuerRef:
    name: messaging-cluster-issuer
    kind: ClusterIssuer

When I'm running kubectl get secrets messaging-certificate -o yaml, I can see both the tls.crt and the tls.key content.

Any ideas why I can't get to a point where I can access over HTTPS?

---- Edit

Full istio manifest - I have generated the manifest using istioctl manifest generate. Hopefully that's the correct way.

-- Elon Salfati
Tags: cert-manager, istio, kubernetes
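A consistency check for the Gateway/Certificate pairing in the question, added here as an example and not part of the original post or of Istio or cert-manager. It transcribes the posted manifests into Python dicts (keeping the <HOST> placeholder) and assumes the Certificate was applied to the "default" namespace and the Istio ingress gateway runs in "istio-system", Istio's default; the SDS-based gateway only reads TLS secrets from its own namespace, which is what the namespace check below looks for.

```python
from typing import Dict, List

# Manifests from the question, transcribed so the check runs offline.
# Assumption: no namespace on the Certificate, so it lands in "default".
GATEWAY = {
    "metadata": {"name": "messaging-gateway"},
    "spec": {"servers": [
        {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
         "hosts": ["<HOST>"]},
        {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
         "hosts": ["<HOST>"],
         "tls": {"credentialName": "messaging-certificate", "mode": "SIMPLE"}},
    ]},
}
CERTIFICATE = {
    "metadata": {"name": "messaging-certificate"},  # no namespace in the post
    "spec": {"secretName": "messaging-certificate",
             "commonName": "<HOST>", "dnsNames": ["<HOST>"]},
}
INGRESS_GATEWAY_NAMESPACE = "istio-system"  # assumption: Istio's default


def check_gateway_tls(gateway: Dict, certificate: Dict,
                      ingress_ns: str = INGRESS_GATEWAY_NAMESPACE) -> List[str]:
    """Return findings for each HTTPS server; an empty list means consistent."""
    findings: List[str] = []
    cert_spec = certificate["spec"]
    cert_ns = certificate["metadata"].get("namespace", "default")
    cert_hosts = set(cert_spec.get("dnsNames", []))
    for server in gateway["spec"]["servers"]:
        port = server["port"]
        if port["protocol"] != "HTTPS":
            continue  # plain HTTP servers need no certificate
        tls = server.get("tls", {})
        if tls.get("mode") not in ("SIMPLE", "MUTUAL"):
            findings.append(f"port {port['number']}: HTTPS server without a TLS mode")
        cred = tls.get("credentialName")
        if not cred:
            findings.append(f"port {port['number']}: no credentialName, SDS cannot serve a cert")
            continue
        if cred != cert_spec["secretName"]:
            findings.append(f"credentialName {cred!r} != Certificate secretName {cert_spec['secretName']!r}")
        # The ingress gateway's SDS agent only reads secrets from its own namespace.
        if cert_ns != ingress_ns:
            findings.append(f"secret {cred!r} is created in {cert_ns!r} but the gateway reads from {ingress_ns!r}")
        missing = set(server["hosts"]) - cert_hosts
        if missing:
            findings.append(f"hosts {sorted(missing)} not covered by the Certificate dnsNames")
    return findings
```

Run it against the posted manifests and it reports only the namespace mismatch; passing `ingress_ns="default"` (or giving the Certificate the gateway's namespace) clears it.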

1 Answer

12/26/2019
-- Vadim Eisenberg
Source: StackOverflow