Tags: ssl, kubernetes, kubernetes-ingress, istio, cert-manager

Configure SSL certificates in Kubernetes with cert-manager, Istio ingress and Let's Encrypt


I'm trying to configure SSL certificates in Kubernetes with cert-manager, Istio ingress and Let's Encrypt. I have installed Istio with Helm, installed cert-manager, created a ClusterIssuer, and now I'm trying to create a Certificate. The ACME challenge can't be validated; I'm trying to do it with http01 and can't figure out how to use the Istio ingress for this. Istio is deployed with the following options:

# PowerShell: the trailing backtick continues the command on the next line
helm install --name istio install/kubernetes/helm/istio `
--namespace istio-system `
--set global.controlPlaneSecurityEnabled=true `
--set grafana.enabled=true `
--set tracing.enabled=true `
--set kiali.enabled=true `
--set ingress.enabled=true

Certificate configuration:

# cert-manager v0.x API (certmanager.k8s.io/v1alpha1)
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example.com
  namespace: istio-system   # same namespace as the Istio ingress
spec:
  secretName: example.com   # TLS secret cert-manager will create
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: 'example.com'
  dnsNames:
  - example.com
  acme:
    config:
    - http01:
        ingress: istio-ingress   # existing Ingress to add the challenge path to
      domains:
      - example.com

When trying it this way, for some reason istio-ingress can't be found, and when I specify ingressClass: some-name instead of ingress: istio-ingress, I get a 404 because example.com/.well-known/acme-challenge/token can't be reached. How can this be solved? Thank you!


Solution

  • The solution was to move DNS to Azure and use DNS validation to generate the certificate. I also used istio-1.1.0-rc.3 and configured the gateway as follows:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: mygateway
    spec:
      selector:
        istio: ingressgateway # use istio default ingress gateway
      servers:
      - hosts:
        - 'mydomain.com'
        port:
          name: http-bookinfo
          number: 80
          protocol: HTTP
        tls:
          httpsRedirect: true # send plain HTTP to HTTPS
      - hosts:
        - 'mydomain.com'
        port:
          name: https-bookinfo
          number: 443
          protocol: HTTPS
        tls:
          mode: SIMPLE
          # serverCertificate and privateKey are required for tls.mode=SIMPLE,
          # so they are set to a random string; the real cert comes via SDS
          serverCertificate: "use sds"
          privateKey: "use sds"
          # must match the secretName from the Certificate
          credentialName: "istio-bookinfo-certs-staging"
    For this to work, enable SDS at the ingress gateway:

    # PowerShell: render only the gateway deployment with SDS enabled, then apply it
    helm template install/kubernetes/helm/istio/ --name istio `
    --namespace istio-system -x charts/gateways/templates/deployment.yaml `
    --set gateways.istio-egressgateway.enabled=false `
    --set gateways.istio-ingressgateway.sds.enabled=true > `
    $HOME/istio-ingressgateway.yaml

    kubectl apply -f $HOME/istio-ingressgateway.yaml
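The answer above shows the Gateway but not the cert-manager side of the DNS-validation setup it relies on. The following is an added example, not part of the original answer, showing the cert-manager v0.x ClusterIssuer and Certificate that pair with that Gateway: a dns01 solver using Azure DNS, and a Certificate whose secretName matches the Gateway's credentialName and that lives in istio-system, the namespace the ingress gateway reads secrets from via SDS. The names letsencrypt-staging, azuredns, azuredns-config, the Azure IDs and mydomain.com are placeholders; the service principal credential is assumed to be stored in a Secret created separately.

```yaml
# Added example (not from the original answer). cert-manager v0.x API.
# Assumed: a Secret named azuredns-config in cert-manager's namespace holds
# the service principal's client secret under the key client-secret.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # staging issues untrusted certs; switch to the v02 production directory
    # once validation works, to avoid hitting production rate limits while debugging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@mydomain.com           # placeholder
    privateKeySecretRef:
      name: letsencrypt-staging         # ACME account key, created by cert-manager
    dns01:
      providers:
      - name: azuredns
        azuredns:
          clientID: 00000000-0000-0000-0000-000000000000       # placeholder
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
          subscriptionID: 00000000-0000-0000-0000-000000000000 # placeholder
          tenantID: 00000000-0000-0000-0000-000000000000       # placeholder
          resourceGroupName: dns-rg                            # placeholder
          hostedZoneName: mydomain.com                         # placeholder
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: istio-bookinfo-certs-staging
  namespace: istio-system              # must be the ingress gateway's namespace
spec:
  # must equal tls.credentialName in the Gateway
  secretName: istio-bookinfo-certs-staging
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: mydomain.com
  dnsNames:
  - mydomain.com
  acme:
    config:
    - dns01:
        provider: azuredns             # the provider name from the ClusterIssuer
      domains:
      - mydomain.com
```

Two practitioner notes: the service principal whose secret sits in azuredns-config can write DNS records, so scope its role to the single hosted zone (DNS Zone Contributor on that zone, not on the subscription), because anyone who can read that Secret can then obtain certificates for the domain. After applying, check `kubectl -n istio-system describe certificate istio-bookinfo-certs-staging` until the Ready condition is True, then confirm the gateway is serving the issued chain with `openssl s_client -connect mydomain.com:443 -servername mydomain.com`; with the staging issuer the chain will still show as untrusted by design.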