So here is the problem
I have a VirtualService for a host with multiple routes
First few routes route traffic to services serving rest requests
Last route has no match condition and routes all traffic to nginx service with web app giving back index.html for every path except some js files
And this all works great until I decided to use cert-manager to auto update letsencrypt.org certificates
I created issuer for cert-manager with acme http01 method which requires letsencrypt to verify my host by sending request at /.well-known/* path
now when cert-manager needs to update certificate it creates kubernetes ingress with /.well-known/blabla path
Problem is that this ingress never gets requests routed to it because virtualservice last route routes everything to nginx sevice.
And as I found VirtualService has higher priority because it was created first
Is there a way to solve this? Can I somehow create a route in VirtualService which traps all traffic except /.well-known/ prefix? Or can I prioritize kubernetes ingress created by cert-manager over VirtualService? Or any other solution…
1 Like
In the end I had to remove tls: httpsRedirect: true from Gateway. And add it at VirtualService level with this match condition:
- uri:
regex: ^\/[^\.].*
scheme:
exact: http
1 Like
This should work as long as you don’t use httpsRedirect: true on your Gateways:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: all-hosts-without-tls
namespace: istio-ingressgateway
spec:
selector:
app: istio-ingressgateway
servers:
- hosts:
- "*"
port:
number: 80
name: http
protocol: HTTP
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: redirect-https-except-http01
namespace: istio-ingressgateway
spec:
gateways:
- istio-ingressgateway/all-hosts-without-tls
hosts:
- "*"
# redirect request to HTTPS if it is not a http01 challenge
http:
- match:
- withoutHeaders:
:path:
prefix: /.well-known/acme-challenge/
# regex engine in use by envoy does not permit inverse matching, otherwise we could
# probably use uri as shown
# uri:
# regex: ^/\.well-known/acme-challenge/\S+$
redirect:
scheme: https
Also take care not to add port 80 to your gateways for HTTP services - that will make sure insecure requests always go through this chain and get redirected.
2 Likes