Default SSL on Ingress Gateway

Security
1

I’m coming from using the nginx IngressController where I use the default SSL certificate
https://kubernetes.github.io/ingress-nginx/user-guide/tls/

The way that works is that if the Ingress doesn’t provide a separate certificate, then the default will be used. I have a wildcard certificate that accommodates most of the workloads and I provide a separate certificate with an Ingress resource when the wildcard won’t work.

Is there some equivalent for the Istio Ingress Gateway?

2 Likes
2

@Oliver @JimmyChen Do you know if Istio gateway support using multiple certificates?

3

I did make a little progress yesterday using this link

With this I succeeded in creating a secret in the istio-system namespace with a wildcard certificate that will work for many of my workloads. I then have to add the following section to each Gateway definition

tls:
  mode: SIMPLE
  privateKey: /etc/istio/ingressgateway-certs/tls.key
  serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

Still unresolved
On this page

I see an example of referencing a TLS secret, which is very similar to how the Ingress does it. It looks like this in the Gateway

tls:
  mode: SIMPLE
  credentialName: bookinfo-secret # fetches certs from Kubernetes secret

I would expect the secret to be defined in the same namespace as the Gateway resource, but it didn’t work when I tried it. I then tried adding a secret to the istio-system namespace, but that didn’t work either.

Is this a currently working feature? If so, how can I use it? I just found and will look at this link next:

4

I still can’t get the credentialName approach to work. Is there specific documentation about this. For example, does the Secret need to be in a certain namespace?

How can I troubleshoot this credentialName approach in the Ingress Gateway?

5

Have you enabled the ingress-sds container on your Ingress Gateway controller ? See https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/#configure-a-tls-ingress-gateway-using-sds

Once you have this enabled you should see 2/2 containers in your istio-ingressgateway pod.

The credentialName should match a type/generic or type/tls Secret resource deployed in the SAME namespace as the Gateway controller (cross namespace Secrets are not supported).

I have a recent post on the forum regarding using cert-manager with ingress SDS here [mTLS] Default RootCA for Client Certificates. It shows how the ingress-sds container is configured to watch Secrets.

Also with regards to troubleshooting, I would watch the ingress-sds logs and also the istio-proxy logs for SDS related messages.

6

@Daniel_Watrous Additionally take a look at https://github.com/prune998/certmerge-operator to merge multiple certificates into a single file.

7

I’ll look at SDS.

@nitishm When you say “Gateway controller”, do you mean the namespace where I have the Istio Ingress Gateway? I was hoping I could put the Secret in the same namespace where I define the Gateway resource, but it sounds like that won’t work with Istio.

8

That’s correct it only watches in the gateway controller (where the ingress controller pod is deployed) namespace.
See https://github.com/istio/istio/blob/a329eea24cef41a6860c51ae622b744af853d089/security/pkg/nodeagent/secretfetcher/secretfetcher.go#L155-L170

9

Sorry for the delay. The SDS approach for ingress TLS/mTLS gateway should work fine. I just added a test to automatically test the scripts in that user guide. https://github.com/istio/istio/tree/master/tests/istio.io/tasks/traffic-management/ingress/secure-ingress-sds

10

I didn’t use helm to install Istio and so I was hoping for some way to add SDS without needing helm. Is there a stand alone instruction or snippet so I can add the SDS container to the Ingress Gateway Pod?

11

I used https://hub.docker.com/r/alpine/helm and cloned https://github.com/istio/istio and was able to generate and add the following sections to the existing deployment.

  volumes:
  - name: ingressgatewaysdsudspath
    emptyDir: {}

and this

    - name: ingress-sds
      image: "gcr.io/istio-release/node-agent-k8s:master-latest-daily"
      imagePullPolicy: IfNotPresent
      resources:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi

      env:
      - name: "ENABLE_WORKLOAD_SDS"
        value: "false"
      - name: "ENABLE_INGRESS_GATEWAY_SDS"
        value: "true"
      - name: "INGRESS_GATEWAY_NAMESPACE"
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
      volumeMounts:
      - name: ingressgatewaysdsudspath
        mountPath: /var/run/ingress_gateway

That last volume mount needs to be added to the existing istio-ingress container.

    env:
    - name: ISTIO_META_USER_SDS
      value: "true"
12

The SDS container is running, but it’s not working as expected. These are all the logs from the container, and I when I connect to the istio-proxy container, I don’t see the credential based TLS cert anywhere. I may not know where to look.

2019-08-20T11:16:49.911937Z	info	ControlZ available at 127.0.0.1:9876
2019-08-20T11:16:49.967279Z	warn	secretFetcherLog	failed load server cert/key pair from secret kiali: server cert or private key is empty
2019-08-20T11:16:50.017989Z	info	sdsServiceLog	SDS gRPC server for ingress gateway controller starts, listening on "/var/run/ingress_gateway/sds"

2019-08-20T11:16:50.018296Z	info	sdsServiceLog	Start SDS grpc server for ingress gateway proxy
2019-08-20T11:16:50.018378Z	info	citadel agent monitor has started.
2019-08-20T11:16:50.019235Z	info	monitor	Monitor server started.

Any idea what’s going wrong here?

13

I created a different thread to discuss the SDS stuff TLS SDS/credentialName not working with Ingress Gateway