Istio Ingress Gateway with Cert-Manager TLS

ricc · July 12, 2019, 11:53am

I am trying to deploy ingress gateway handling SSL certificates with Cert-Manager. I have followed the documentation at https://istio.io/docs/tasks/traffic-management/ingress/ingress-certmgr/ - however I can only connect to services using istio ingress through http and not https, getting connection refused to port 443. When inspecting istio ingressgateway I can see the following error:

[warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:77] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) 0.0.0.0_443: Invalid path: sds

What did I miss?

Steven_O_brien · July 14, 2019, 4:05pm

What version of Istio are you running? You might be facing this issue: https://github.com/istio/istio/issues/13358

ricc · July 15, 2019, 6:41am

I am running 1.1.10, and it seems to me that the linked issue is not affecting me (for now at least)

gustavovalverde · September 10, 2019, 2:51am

I’m having this same issue with istio 1.2. Could you solve the problem?

epicvinny · October 29, 2019, 6:56am

Hi Guys.

You are forgetting to enable sds and https labels in the istio-system namespace. You should:

Disable Ingress
Enable SDS and https labels at istio-system namespace
gateways.istio-ingressgateway.sds.enabled=true
global.k8sIngress.enableHttps=true
Enable Ingress

Check ingressgateway logs, you should see something like:

2019-10-29T06:48:25.513093Z info sdsServiceLog SDS gRPC server for ingress gateway controller starts, listening on “/var/run/ingress_gateway/sds”
2019-10-29T06:48:25.513234Z info sdsServiceLog Start SDS grpc server for ingress gateway proxy
2019-10-29T06:48:26.401725Z info sdsServiceLog CONNECTION ID: router~xyz~istio-ingressgateway-5d96ddd8c-lsm29.istio-system~istio-system.svc.cluster.local-1, RESOURCE NAME: YOURCERTIFICATE , EVENT: pushed key/cert pair to proxy

@gustavovalverde

avodaqstephan · December 20, 2019, 12:12pm

Stumbled in the same issue. How did you solve the problem?
I tried the solution from @epicvinny but with no luck.

I tried:

istioctl manifest apply --set values.global.k8sIngress.enabled=false
istioctl manifest apply --set values.global.k8sIngress.enableHttps=true
istioctl manifest apply --set values.gateways.istio-ingressgateway.sds.enabled=true
istioctl manifest apply --set values.global.k8sIngress.enabled=true

fai555 · April 22, 2020, 2:56am

@avodaqstephan were you able to solve the problem? I am also struggling with the same thing.

avodaqstephan · April 22, 2020, 7:03am

@fai555 I switched to Istio v1.5 and I do have a lot less hassle to get everything running.
In v1.5 you don’t need to enable SDS, because it is enabled by default. Further the overhead of running the Istio components is way lower now.
I just needed a “public-gateway”, a Issuer and a Certificate ressource for the cert-manager. Everything works like a charm

Topic		Replies	Views
Plugging in existing CA Certificates in istio 1.7 Security	3	2739	February 1, 2021
Cannot handle traffic to port 443 if k8s ingress enabled Networking	0	533	October 9, 2019
Ingressgateway TLS SDS not working Networking	0	393	March 10, 2021
Making ingress-gateway service listen only on port 443	6	7641	March 17, 2021
istio-Ingressgateway pod is failing with 503 error Networking	1	1930	June 25, 2019

Istio Ingress Gateway with Cert-Manager TLS

Related topics