Default SSL on Ingress Gateway

I’m coming from using the nginx IngressController where I use the default SSL certificate
https://kubernetes.github.io/ingress-nginx/user-guide/tls/

The way that works is that if the Ingress doesn’t provide a separate certificate, then the default will be used. I have a wildcard certificate that accommodates most of the workloads and I provide a separate certificate with an Ingress resource when the wildcard won’t work.

Is there some equivalent for the Istio Ingress Gateway?

2 Likes

@Oliver @JimmyChen Do you know if Istio gateway support using multiple certificates?

I did make a little progress yesterday using this link

With this I succeeded in creating a secret in the istio-system namespace with a wildcard certificate that will work for many of my workloads. I then have to add the following section to each Gateway definition

tls:
  mode: SIMPLE
  privateKey: /etc/istio/ingressgateway-certs/tls.key
  serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

Still unresolved
On this page

I see an example of referencing a TLS secret, which is very similar to how the Ingress does it. It looks like this in the Gateway

tls:
  mode: SIMPLE
  credentialName: bookinfo-secret # fetches certs from Kubernetes secret

I would expect the secret to be defined in the same namespace as the Gateway resource, but it didn’t work when I tried it. I then tried adding a secret to the istio-system namespace, but that didn’t work either.

Is this a currently working feature? If so, how can I use it? I just found and will look at this link next:

I still can’t get the credentialName approach to work. Is there specific documentation about this. For example, does the Secret need to be in a certain namespace?

How can I troubleshoot this credentialName approach in the Ingress Gateway?

Have you enabled the ingress-sds container on your Ingress Gateway controller ? See https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/#configure-a-tls-ingress-gateway-using-sds

Once you have this enabled you should see 2/2 containers in your istio-ingressgateway pod.

The credentialName should match a type/generic or type/tls Secret resource deployed in the SAME namespace as the Gateway controller (cross namespace Secrets are not supported).

I have a recent post on the forum regarding using cert-manager with ingress SDS here [mTLS] Default RootCA for Client Certificates. It shows how the ingress-sds container is configured to watch Secrets.

Also with regards to troubleshooting, I would watch the ingress-sds logs and also the istio-proxy logs for SDS related messages.

@Daniel_Watrous Additionally take a look at https://github.com/prune998/certmerge-operator to merge multiple certificates into a single file.

I’ll look at SDS.

@nitishm When you say “Gateway controller”, do you mean the namespace where I have the Istio Ingress Gateway? I was hoping I could put the Secret in the same namespace where I define the Gateway resource, but it sounds like that won’t work with Istio.

That’s correct it only watches in the gateway controller (where the ingress controller pod is deployed) namespace.
See https://github.com/istio/istio/blob/a329eea24cef41a6860c51ae622b744af853d089/security/pkg/nodeagent/secretfetcher/secretfetcher.go#L155-L170

Sorry for the delay. The SDS approach for ingress TLS/mTLS gateway should work fine. I just added a test to automatically test the scripts in that user guide. https://github.com/istio/istio/tree/master/tests/istio.io/tasks/traffic-management/ingress/secure-ingress-sds

I didn’t use helm to install Istio and so I was hoping for some way to add SDS without needing helm. Is there a stand alone instruction or snippet so I can add the SDS container to the Ingress Gateway Pod?

I used https://hub.docker.com/r/alpine/helm and cloned https://github.com/istio/istio and was able to generate and add the following sections to the existing deployment.

  volumes:
  - name: ingressgatewaysdsudspath
    emptyDir: {}

and this

    - name: ingress-sds
      image: "gcr.io/istio-release/node-agent-k8s:master-latest-daily"
      imagePullPolicy: IfNotPresent
      resources:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi

      env:
      - name: "ENABLE_WORKLOAD_SDS"
        value: "false"
      - name: "ENABLE_INGRESS_GATEWAY_SDS"
        value: "true"
      - name: "INGRESS_GATEWAY_NAMESPACE"
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
      volumeMounts:
      - name: ingressgatewaysdsudspath
        mountPath: /var/run/ingress_gateway

That last volume mount needs to be added to the existing istio-ingress container.

    env:
    - name: ISTIO_META_USER_SDS
      value: "true"

The SDS container is running, but it’s not working as expected. These are all the logs from the container, and I when I connect to the istio-proxy container, I don’t see the credential based TLS cert anywhere. I may not know where to look.

2019-08-20T11:16:49.911937Z	info	ControlZ available at 127.0.0.1:9876
2019-08-20T11:16:49.967279Z	warn	secretFetcherLog	failed load server cert/key pair from secret kiali: server cert or private key is empty
2019-08-20T11:16:50.017989Z	info	sdsServiceLog	SDS gRPC server for ingress gateway controller starts, listening on "/var/run/ingress_gateway/sds"

2019-08-20T11:16:50.018296Z	info	sdsServiceLog	Start SDS grpc server for ingress gateway proxy
2019-08-20T11:16:50.018378Z	info	citadel agent monitor has started.
2019-08-20T11:16:50.019235Z	info	monitor	Monitor server started.

Any idea what’s going wrong here?

I created a different thread to discuss the SDS stuff TLS SDS/credentialName not working with Ingress Gateway