Istio Gateway with CertManager and Let's Encrypt

The documentation has a sample for setting up K8s Ingress type with CertManager & LetsEncrypt:

Is there similar sample to get this up and going with Gateway&VirtualService


The steps to secure an ingress gateway are provided in https://istio.io/docs/tasks/traffic-management/secure-ingress/

In your scenario cert-manager would provision and manage a Secret that will be referenced by the Gateway either via SDS or filemount.
The Server.TLSOptions.credentialName is used to reference the cert-manager generated secret in the same namespace as the ingress gateway, if SDS is enabled. Essentially the cert-manager's Certificate.secretRef key should match the ingress gateway credentialName.

If using the filemount (SDS disabled) approach, the secret generated by cert-manager will need to be mounted to the ingress gateway, which requires a restart every time the Secret is rotated or changed.

Hope that helps.

If SDS is enabled, can cert-manager be used along with TLS in the Istio Gateway? I’m trying to avoid using an Ingress resource.

Yup, it is possible. See https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/ for general SDS setup.

In the [Gateway](https://istio.io/docs/reference/config/networking/v1alpha3/gateway/#Server-TLSOptions) resource (CR) set Server.TLSOptions.mode to Simple and Server.TLSOptions.credentialName to match [Certificate.spec.secretName](https://docs.cert-manager.io/en/latest/reference/api-docs/index.html#certificatespec-v1alpha1)

Note: cert-manager generates a Secret with the same name as the one configured in the Istio Gateway resource, in the same namespace as the Gateway.

The problem that I’ve run into is that SDS seems to want an opaque secret with “key” and “cert” but cert-manager creates a TLS secret with tls.crt and tls.key. Is it possible for SDS to read from a TLS secret?

What version are you on?

In the one I tried (1.1.3), SDS’s SecretFetcher routine watches Secrets of type TLS and type generic.

See https://github.com/istio/istio/blob/d19179769183541c5db473ae8d062ca899abb3be/security/pkg/nodeagent/secretfetcher/secretfetcher.go for references to type: TLS and type: Generic

TLS Secrets mandate the tls.key, tls.cert keys while Generic secrets mandate the presence of the keys cert, key and cacert (if mTLS). Currently there is no support for cacert in TLS type Secrets.

It appears from the code that the secret/certificate must be in the istio-system namespace. Do you know if there is a way to get SDS to load/watch secrets from another namespace?

SDS mandates that the Secret is in the same namespace as the gateway controller. In the default istio deployments this is istio-system.

Also cert-manager always creates the Secret associated/generated as a result of the Certificate CR object in the same namespace as the Certificate.

Hence all three resources need to be in the same namespace.
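Putting together the configuration described in the answers above (tls mode SIMPLE, credentialName equal to Certificate.spec.secretName, Certificate, Gateway and VirtualService all in istio-system), here is an added example that is not from this thread or from the Istio or cert-manager projects. It uses the current cert-manager.io/v1 Certificate API rather than the v1alpha1 docs linked above, and assumes a pre-existing ClusterIssuer named letsencrypt-prod, an SDS-enabled ingress gateway in istio-system, and placeholder hostname and backend service names.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: istio-system   # same namespace as the ingress gateway (SDS watches it)
spec:
  secretName: example-com-tls   # must equal Server.TLSOptions.credentialName below
  dnsNames:
  - www.example.com
  issuerRef:
    name: letsencrypt-prod      # assumed pre-existing ClusterIssuer
    kind: ClusterIssuer
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: example-com-tls   # kubernetes.io/tls Secret written by cert-manager
    hosts:
    - www.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: example-vs
  namespace: istio-system
spec:
  hosts:
  - www.example.com
  gateways:
  - example-gateway
  http:
  - route:
    - destination:
        host: my-app.default.svc.cluster.local   # placeholder backend service
        port:
          number: 8080
```

Because the gateway reads the Secret through SDS, a renewed certificate is picked up without restarting the ingress gateway pod. Confirm the Secret was issued with `kubectl -n istio-system get secret example-com-tls -o jsonpath='{.type}'`, which should print kubernetes.io/tls.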

Thanks. It’s a little odd, but having to have the certificates in the istio-system namespace isn’t too bad.

It seems odd at first, but my understanding is it derives from how it was done prior to SDS. With a file mount approach you were allowed to only mount Secrets within the same namespace (as is required by k8s).
So keeping in line with that SDS watches secrets in the same namespace as the gateway.

But yes I agree. It would be a nice feature to be able to specify the namespace as part of the Gateway spec.