I am using Istio as the ingress controller and am trying to get cert-manager working. The following is my setup.
## Ingress yaml
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    kubernetes.io/ingress.class: istio
    cert-manager.io/cluster-issuer: letsencrypt-staging-clusterissuer
  name: <domain>-com-ing
  namespace: istio-system
spec:
  rules:
  - host: <domain>
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
  - hosts:
    - <domain>
    secretName: <domain>-cert
```
```
$ kubectl get ingress -n istio-system
NAME                        CLASS    HOSTS      ADDRESS    PORTS     AGE
cm-acme-http-solver-95sfq   <none>   <domain>   10.1.0.2   80        55m
<domain>-ing                <none>   <domain>   10.1.0.2   80, 443   55m
```
Note: I have proper routing to 10.1.0.2 from my router.
```
$ kubectl get ingress/cm-acme-http-solver-95sfq -n istio-system -o json
```

```json
{
  "apiVersion": "networking.k8s.io/v1",
  "kind": "Ingress",
  "metadata": {
    "annotations": {
      "kubernetes.io/ingress.class": "istio",
      "nginx.ingress.kubernetes.io/whitelist-source-range": "0.0.0.0/0,::/0"
    },
    "creationTimestamp": "2022-02-04T05:53:32Z",
    "generateName": "cm-acme-http-solver-",
    "generation": 1,
    "labels": {
      "acme.cert-manager.io/http-domain": "1265239940",
      "acme.cert-manager.io/http-token": "1441009452",
      "acme.cert-manager.io/http01-solver": "true"
    },
    "name": "cm-acme-http-solver-95sfq",
    "namespace": "istio-system",
    "ownerReferences": [
      {
        "apiVersion": "acme.cert-manager.io/v1",
        "blockOwnerDeletion": true,
        "controller": true,
        "kind": "Challenge",
        "name": "<domain>-cert-79msr-4068485403-3913127933",
        "uid": "a78b01cb-e401-4bde-b698-24bf065bc82e"
      }
    ],
    "resourceVersion": "180647",
    "uid": "2b76230c-dfc5-4f29-bf10-c1a9b06f5759"
  },
  "spec": {
    "rules": [
      {
        "host": "<domain>",
        "http": {
          "paths": [
            {
              "backend": {
                "service": {
                  "name": "cm-acme-http-solver-zjkqh",
                  "port": {
                    "number": 8089
                  }
                }
              },
              "path": "/.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY",
              "pathType": "ImplementationSpecific"
            }
          ]
        }
      }
    ]
  },
  "status": {
    "loadBalancer": {
      "ingress": [
        {
          "ip": "10.1.0.2"
        }
      ]
    }
  }
}
```
Challenge status:

```
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http:///.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY': Get "http:///.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
State: pending
```
I was able to hit the URL from outside the k8s environment:

```
$ curl http://<domain>/.well-known/acme-challenge/6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY
```

Received:

```
6vtfgrzt4h8d1EpeVihDFsunrYDH0Glzq8gO19pUcVY.IxZgZOqAYfNrayeFtjnImRBs9osTdRn3NKGX7WWGBAM%
```
Note: the same doesn't work from inside a pod; it tries to reach the public DNS IP rather than routing within the mesh or hitting the ingress.

In Istio, I know we can use VirtualService → hosts [] → http match → gateways ["mesh"] to internally route traffic for the matching domains. How can I achieve the same with the Istio → cert-manager Ingress resource method mentioned above? Any suggestions?
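As an added illustration of the VirtualService/`mesh`-gateway mechanism described in the question (not a resource from this thread or from the cert-manager or Istio projects), the manifest below hairpins in-mesh HTTP requests for the ACME challenge path back through the Istio ingress gateway, so they are served by the same Ingress-derived routes that external clients reach. It assumes the default `istio-ingressgateway` Service in `istio-system`, that the pod performing the request (for example cert-manager's) has an injected sidecar so its outbound port-80 traffic is routed by Host header, and that the request is plain HTTP on port 80 as in the self-check error above; `<domain>` is the same placeholder used in the question.

```yaml
# Added example: route in-mesh traffic for <domain>'s ACME path to the ingress gateway.
# Assumption: default Istio ingress gateway Service name and namespace; the
# requesting pod has an Istio sidecar (otherwise this VirtualService has no effect).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: acme-hairpin            # placeholder name; any valid name works
  namespace: istio-system
spec:
  hosts:
  - <domain>                    # the host the Ingress serves and the self-check targets
  gateways:
  - mesh                        # apply to sidecar (in-mesh) traffic only, not to the gateway itself
  http:
  - match:
    - uri:
        prefix: /.well-known/acme-challenge/   # only the HTTP-01 challenge path
    route:
    - destination:
        # The Host header is preserved, so the gateway's Ingress routes for <domain>
        # (including the temporary cm-acme-http-solver rule) match as they do externally.
        host: istio-ingressgateway.istio-system.svc.cluster.local
        port:
          number: 80
```

Dropping the `match` block hairpins all in-mesh HTTP traffic for `<domain>` through the gateway, not just the challenge path; keeping it limits the change to the self-check request.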