Certificate manager

Good morning,

I am trying to get cert-manager running with Istio 1.5.x, which comes as an add-on in IBM Cloud for the managed K8s cluster.

I am confused about how to configure the cluster issuer to work with the Istio IngressGateway. What should I do to achieve that?
I am sure that I need virtual services to route the traffic from the ACME servers to the pods to finish the http01 challenge. But how?

Thank you in advance.
Jan

P.S.: I read the Istio documentation on SSL certs with cert-manager, which says that I only need to deploy cert-manager in the usual way. I read the cert-manager documentation, which explains the mechanism, which is totally right. But I cannot configure cert-manager to work with the Istio ingress, which is the Istio IngressGateway. :-(

Hello @palic,

You don’t need to create any virtual service to route the traffic from the ACME servers to the pods to finish the http01 challenge.

First, Istio must be configured with:
--set "values.global.k8sIngress.enabled=true" which will allow Istio to detect Kubernetes Ingress objects and add routing to them. This configuration is necessary because Cert-Manager, to perform the HTTP challenge, will create a pod to answer the challenge and will expose this pod via a Kubernetes ingress.

and

"values.global.k8sIngress.gatewayName=[ingressgateway name]" which determines from which Istio Ingress Gateway traffic will be routed to the Ingress Kubernetes detected by Istio. In our case, we want it to be through the gateway that will manage Let’s Encrypt SSL certificates. Indeed, we will use the HTTP challenge and it is this gateway that will be called by Let’s Encrypt during the challenge.

You also need "values.gateways.istio-ingressgateway.sds.enabled=true", which will allow the certificate to be automatically injected on the Istio Ingress Gateways based on the name of the secret containing the certificate.

If you configure your issuer with

    # Enable the HTTP-01 challenge provider
    solvers:
      - selector: {}
        http01:
          ingress:
            class: istio

Cert Manager automatically creates an ingress with

    annotations:
      kubernetes.io/ingress.class: istio

Istio adds to the ingress gateway the route for all ingresses with this annotation.

I wrote 2 articles for my company’s technical blog to explain how to deploy an application with Kube / Istio / External-Dns / Cert-Manager / Let’s Encrypt (https://cbp-group.github.io/kube-istio-externaldns-cert-manager-letsencrypt-part1/ and https://cbp-group.github.io/kube-istio-externaldns-cert-manager-letsencrypt-part2/). It’s originally in French, but here are the links to the translation if it can help you:

http://translate.google.com/translate?hl=&sl=fr&tl=en&u=https%3A%2F%2Fcbp-group.github.io%2Fkube-istio-externaldns-cert-manager-letsencrypt-part1%2F

http://translate.google.com/translate?sl=fr&tl=en&u=https%3A%2F%2Fcbp-group.github.io%2Fkube-istio-externaldns-cert-manager-letsencrypt-part1%2F

Note that with Istio 1.6, there are some changes in the configuration for the wedge to work.
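Putting the pieces of the reply above together, here is an added example (not from the original reply or the linked articles) of a ClusterIssuer, a Certificate and an Istio Gateway wired through the istio ingress class and SDS. It assumes cert-manager exposes the cert-manager.io/v1 API (older releases use v1alpha2), the default istio-ingressgateway in istio-system, and placeholder names under example.com; the Let’s Encrypt staging endpoint is used so routing can be debugged without hitting production rate limits.

```yaml
# Added example, not from the thread; example.com names and the e-mail are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            # The solver Ingress is annotated kubernetes.io/ingress.class: istio,
            # so Istio routes the ACME request via k8sIngress.gatewayName.
            class: istio
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  # The TLS secret must be in the ingress gateway's namespace for SDS to load it.
  namespace: istio-system
spec:
  secretName: app-example-com-tls
  dnsNames: [app.example.com]
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: app-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # Matches the Certificate's secretName; sds.enabled=true injects it.
        credentialName: app-example-com-tls
      hosts: [app.example.com]
```

Once the challenge succeeds, `kubectl -n istio-system get certificate app-example-com` should report Ready, and the gateway starts serving the certificate without a restart.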