Using Hashicorp Vault and Cert-manager I'm able to issue certificates using a simple deployment file like the one below. Cert-manager will then create a Kubernetes secret after issuing the certificate correctly.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: hello-world
      namespace: $NAMESPACE
    spec:
      secretName: hello-world-tls
      issuerRef:
        kind: ClusterIssuer
        name: vault-issuer
      commonName: hello-world-testing.intern.nl
      dnsNames:
        - hello-world-testing.intern.nl
At this moment the Istio Gateway looks like the one below. So far we have just added alternate DNS names to the certificate and updated the certificate in the tls-rancher-ingress secret. That means we were using one secret for something like 30 to 40 applications. I don't think this is according to best practices, right?

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: istio-system-gateway
      namespace: istio-system
    spec:
      selector:
        istio: ingressgateway
      servers:
        - hosts:
            - "*"
          port:
            number: 80
            name: http
            protocol: HTTP
          tls:
            httpsRedirect: true
        - hosts:
            - "*"
          port:
            number: 443
            name: https
            protocol: HTTPS
          tls:
            mode: SIMPLE
            credentialName: tls-rancher-ingress
But at this point we will get a separate TLS Kubernetes secret with the new certificate for each application. According to their documentation it's possible to add multiple TLS certificates for multiple hosts in the Gateway file above.
So this means we need to update the Gateway (shown above) every time we need to deploy a new application (in another namespace). We want this to be as efficient as possible, so we don't have to add the new host and TLS Kubernetes secret manually every time, with minimal downtime.
My concrete question: is there a service that automates the process of adding this new host to the gateway and referring to the correct TLS Kubernetes secret when deploying a new application with the newly generated certificate? Or am I not thinking clearly, and is there another (simpler) way to automate this process?
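For reference, the per-host layout the question refers to looks like the following. This is an added example written for this page, not configuration from the original post: it replaces the single wildcard HTTPS server and its shared tls-rancher-ingress secret with one HTTPS server per application, each pointing at its own cert-manager secret, so a leaked or rotated key for one application no longer affects the other 30 to 40. The second Certificate (app-two, app-two.intern.nl, app-two-tls) and the server names are constructed placeholders. Note that the Istio ingress gateway loads credentialName secrets from its own namespace (istio-system here), so the cert-manager Certificate that produces each secret is placed there rather than in the application namespace.

```yaml
# Added example: one HTTPS server per application host, each with its own secret.
# Certificates are issued into istio-system because the ingress gateway reads
# credentialName secrets from its own namespace, not from the app namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-world
  namespace: istio-system
spec:
  secretName: hello-world-tls
  issuerRef:
    kind: ClusterIssuer
    name: vault-issuer
  commonName: hello-world-testing.intern.nl
  dnsNames:
    - hello-world-testing.intern.nl
---
# Constructed second application (placeholder names) to show the pattern scaling.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-two
  namespace: istio-system
spec:
  secretName: app-two-tls
  issuerRef:
    kind: ClusterIssuer
    name: vault-issuer
  commonName: app-two.intern.nl
  dnsNames:
    - app-two.intern.nl
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-system-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    # Plain HTTP stays a single wildcard server that only redirects.
    - hosts:
        - "*"
      port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
    # One HTTPS server per host; server port names are kept unique per gateway.
    - hosts:
        - hello-world-testing.intern.nl
      port:
        number: 443
        name: https-hello-world
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: hello-world-tls
    - hosts:
        - app-two.intern.nl
      port:
        number: 443
        name: https-app-two
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: app-two-tls
```

Because every application now has its own host entry and secret, revoking or reissuing one certificate touches only that server block, and the blast radius of a compromised private key is limited to one hostname instead of every application behind the shared secret.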