Using HashiCorp Vault and cert-manager I’m able to issue certificates using a simple deployment file like the one below. Cert-manager will then create a Kubernetes secret after issuing the certificate correctly.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-world
  namespace: $NAMESPACE
spec:
  secretName: hello-world-tls
  issuerRef:
    kind: ClusterIssuer
    name: vault-issuer
  commonName: hello-world-testing.intern.nl
  dnsNames:
    - hello-world-testing.intern.nl
At this moment the Istio Gateway looks like this. So far we just added alternate DNS names to the certificate and updated the certificate in the tls-rancher-ingress secret. That means we were using one secret for something like 30 to 40 applications. I don’t think this is according to best practices, right?
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-system-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - "*"
      port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - "*"
      port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: tls-rancher-ingress
But at this point we will get a separate TLS Kubernetes secret containing the new certificate for each application. According to the Istio documentation it’s possible to add multiple TLS certificates for multiple hosts in the file above.

So this means we need to update the Gateway (shown above) every time (in another namespace) we need to deploy a new application. We want this to be as efficient as possible, so we don’t have to add the new host and TLS Kubernetes secret manually every time, with minimal downtime.

My concrete question: Is there a service that automates the process of adding this new host to the gateway and referring to the correct TLS Kubernetes secret when deploying a new application with the newly generated certificate? Or am I not thinking clearly, and is there another (simpler) way to automate this process?
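For reference, here is what the per-application layout described in the question looks like as an added example (not from the original post): one HTTPS server entry per host, each with its own cert-manager secret, instead of a single catch-all "*" server sharing tls-rancher-ingress. It assumes the host app-two-testing.intern.nl and the secret app-two-tls are placeholders, and that the Certificate objects are created in istio-system, because the ingress gateway only loads credentialName secrets from its own namespace.

```yaml
# Added example, not the original poster's manifest.
# Assumption: hello-world-tls and app-two-tls are cert-manager secrets that
# live in istio-system (same namespace as the ingress gateway workload).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-system-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - "*"
      port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
    # One HTTPS server per application; the gateway selects the certificate
    # by SNI, so each host only ever presents its own certificate.
    # Port names must be unique within a Gateway.
    - hosts:
        - hello-world-testing.intern.nl
      port:
        number: 443
        name: https-hello-world
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: hello-world-tls
    - hosts:
        - app-two-testing.intern.nl  # placeholder host
      port:
        number: 443
        name: https-app-two
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: app-two-tls  # placeholder secret name
```

This still means the Gateway is edited once per application; the open question in the post is how to drive that edit automatically rather than by hand.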