I have a scenario where I need to update the Ingress gateway TLS cert (/etc/istio/ingressgateway-certs/tls.crt) and key every 24 hours. I am able to fetch the raw bytes and create the secret using the C# Kubernetes client, but unless the Ingress Gateway restarts, it does not pick up the updated certs. Is there a way to do that through code without restarting the ingress-gateway deployment?

Any other suggestions are also highly appreciated.
You are mounting your cert/key by file reference. Istio supports SDS now, so you can mount the cert by `credentialName`. This mode will detect a new cert without restarting. From docs:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - httpbin.example.com
```
Btw: docs state that...

> The secret name should not begin with istio or prometheus, and the secret should not contain a token field.
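For the rotation side, here is an added example (not code from the question or the answer) of creating or replacing the `kubernetes.io/tls` secret that the Gateway's `credentialName` points at, using the C# KubernetesClient package. It assumes the `k8s` NuGet client with the CoreV1 method group (older versions expose the same methods directly on the client object, and throw `Microsoft.Rest.HttpOperationException` instead of `k8s.Autorest.HttpOperationException`); the file paths are placeholders.

```csharp
// Added example: rotate the TLS secret referenced by an Istio Gateway's credentialName.
// With SDS the gateway watches this secret, so replacing it is enough; no pod restart.
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Threading.Tasks;
using k8s;
using k8s.Models;

public static class GatewayCertRotator
{
    // Shape the Secret the way the Gateway expects it: type kubernetes.io/tls
    // with tls.crt and tls.key. The secret must live in the ingress gateway's
    // namespace (istio-system by default), and per the Istio docs its name
    // must not start with "istio" or "prometheus".
    public static V1Secret BuildTlsSecret(string name, string ns, byte[] certPem, byte[] keyPem)
    {
        if (name.StartsWith("istio") || name.StartsWith("prometheus"))
            throw new ArgumentException("secret name must not begin with istio or prometheus", nameof(name));

        return new V1Secret
        {
            ApiVersion = "v1",
            Kind = "Secret",
            Metadata = new V1ObjectMeta { Name = name, NamespaceProperty = ns },
            Type = "kubernetes.io/tls",
            Data = new Dictionary<string, byte[]> { ["tls.crt"] = certPem, ["tls.key"] = keyPem },
        };
    }

    // Create on first run, replace on every later rotation (same name, new bytes).
    public static async Task UpsertAsync(IKubernetes client, V1Secret secret)
    {
        string name = secret.Metadata.Name, ns = secret.Metadata.NamespaceProperty;
        try
        {
            await client.CoreV1.ReadNamespacedSecretAsync(name, ns);
            await client.CoreV1.ReplaceNamespacedSecretAsync(secret, name, ns);
        }
        catch (k8s.Autorest.HttpOperationException e) when (e.Response.StatusCode == HttpStatusCode.NotFound)
        {
            await client.CoreV1.CreateNamespacedSecretAsync(secret, ns);
        }
    }

    public static async Task Main()
    {
        var client = new Kubernetes(KubernetesClientConfiguration.BuildDefaultConfig());
        // Placeholder paths: wherever your 24-hour job drops the freshly issued PEM files.
        var secret = BuildTlsSecret("httpbin-credential", "istio-system",
            File.ReadAllBytes("/path/to/new/tls.crt"), File.ReadAllBytes("/path/to/new/tls.key"));
        await UpsertAsync(client, secret);
    }
}
```

Run this from the same scheduled job that fetches the new cert; the Gateway above keeps `credentialName: httpbin-credential`, so only the secret contents change between rotations.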