I want the traffic that comes to my cluster as HTTP to be redirected to HTTPS. However, the cluster receives requests from hundreds of domains that change dynamically (creating new certs with cert-manager). So I want the redirect to happen only when the URI doesn’t have the prefix
I am using one gateway that listens on 443 and another gateway that listens on 80 and sends the HTTP traffic to an acme-solver virtual service.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - site1.com
    port:
      name: https-site1.com
      number: 443
      protocol: HTTPS
    tls:
      credentialName: cert-site1.com
      mode: SIMPLE
  - hosts:
    - site2.com
    port:
      name: https-site2.com
      number: 443
      protocol: HTTPS
    tls:
      credentialName: cert-site2.com
      mode: SIMPLE
  ...
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: acme-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: acme-solver
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - acme-gateway
  http:
  - match:
    - uri:
        prefix: /.well-known/acme-challenge
    route:
    - destination:
        host: acme-solver.istio-system.svc.cluster.local
        port:
          number: 8089
  - redirect:
      authority: # Should redirect to https://$HOST, but I don't know how to get the $HOST
```
I also tried to configure it in the Gateway with tls:httpsRedirect:, but then all traffic was redirected to HTTPS, so Let’s Encrypt couldn’t complete the ACME challenge.
How can I do that using Istio?
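
One way to express the behaviour asked about above, as an added example that is not part of the original post. It assumes an Istio release whose `HTTPRedirect` supports the `scheme` field; because `authority` is omitted, the Host of the incoming request is kept in the redirect, so no per-domain value is needed.

```yaml
# Added example, not the poster's configuration. Resource names, namespace,
# solver host and port are copied from the post; `scheme` support is assumed.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: acme-solver
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - acme-gateway            # the port-80 gateway, left WITHOUT tls.httpsRedirect
  http:
  # Rules are evaluated in order. The ACME HTTP-01 challenge path is matched
  # first and stays on plain HTTP so the solver can answer Let's Encrypt.
  - match:
    - uri:
        prefix: /.well-known/acme-challenge
    route:
    - destination:
        host: acme-solver.istio-system.svc.cluster.local
        port:
          number: 8089
  # Catch-all rule (no match block): every other HTTP request is redirected
  # to the same host and path over HTTPS.
  - redirect:
      scheme: https
      redirectCode: 301
```

The order of the two rules matters: if the catch-all redirect came first, the challenge path would be redirected as well, which is the same failure seen with `httpsRedirect` on the Gateway.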