Istio Ingress Gateway with Cert-Manager TLS

I am trying to deploy an ingress gateway handling SSL certificates with Cert-Manager. I have followed the documentation at https://istio.io/docs/tasks/traffic-management/ingress/ingress-certmgr/; however, I can only connect to services using the Istio ingress through HTTP and not HTTPS, getting connection refused on port 443. When inspecting the Istio ingressgateway I can see the following error:

[warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:77] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) 0.0.0.0_443: Invalid path: sds

What did I miss?

What version of Istio are you running? You might be facing this issue: https://github.com/istio/istio/issues/13358

I am running 1.1.10, and it seems to me that the linked issue is not affecting me (for now at least).

I’m having this same issue with Istio 1.2. Could you solve the problem?

Hi Guys.

You are forgetting to enable sds and https labels in the istio-system namespace. You should:

1. Disable Ingress
2. Enable SDS and https labels at istio-system namespace:
   gateways.istio-ingressgateway.sds.enabled=true
   global.k8sIngress.enableHttps=true
3. Enable Ingress

Check ingressgateway logs, you should see something like:

2019-10-29T06:48:25.513093Z info sdsServiceLog SDS gRPC server for ingress gateway controller starts, listening on "/var/run/ingress_gateway/sds"
2019-10-29T06:48:25.513234Z info sdsServiceLog Start SDS grpc server for ingress gateway proxy
2019-10-29T06:48:26.401725Z info sdsServiceLog CONNECTION ID: router~xyz~istio-ingressgateway-5d96ddd8c-lsm29.istio-system~istio-system.svc.cluster.local-1, RESOURCE NAME: YOURCERTIFICATE , EVENT: pushed key/cert pair to proxy

@gustavovalverde
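
A small triage over the ingress gateway log lines quoted in this thread, added here as an example (not code from any poster or from the Istio project). The function names, status strings and both sample logs are constructed for illustration; `example-cert` is a placeholder certificate name.

```python
import re

# Constructed samples modelled on the log excerpts quoted in this thread.
BEFORE_FIX = """\
[warning][config] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) 0.0.0.0_443: Invalid path: sds
"""
AFTER_FIX = """\
2019-10-29T06:48:25.513093Z info sdsServiceLog SDS gRPC server for ingress gateway controller starts, listening on "/var/run/ingress_gateway/sds"
2019-10-29T06:48:25.513234Z info sdsServiceLog Start SDS grpc server for ingress gateway proxy
2019-10-29T06:48:26.401725Z info sdsServiceLog CONNECTION ID: router~xyz~istio-ingressgateway-5d96ddd8c-lsm29.istio-system~istio-system.svc.cluster.local-1, RESOURCE NAME: example-cert , EVENT: pushed key/cert pair to proxy
"""

REJECTED = re.compile(
    r"Listener rejected: Error adding/updating listener\(s\) (\S+): (.+)$")
SDS_START = re.compile(r"SDS gRPC server for ingress gateway controller starts")
PUSHED = re.compile(r"RESOURCE NAME: (\S+)\s*, EVENT: pushed key/cert pair to proxy")


def triage(log_text):
    """Collect the SDS-related facts from ingress gateway log text."""
    report = {"sds_started": False, "pushed": [], "rejected": {}}
    for line in log_text.splitlines():
        if SDS_START.search(line):
            report["sds_started"] = True
        match = PUSHED.search(line)
        if match:
            report["pushed"].append(match.group(1))
        match = REJECTED.search(line)
        if match:
            # listener name -> reason Envoy gave for rejecting it
            report["rejected"][match.group(1)] = match.group(2).strip()
    return report


def diagnose(report):
    """Map the collected facts to a short status string (names are hypothetical)."""
    sds_rejects = [name for name, why in report["rejected"].items()
                   if "invalid path: sds" in why.lower()]
    if sds_rejects and not report["sds_started"]:
        # The 443 listener refers to SDS, but no SDS server was started:
        # the state seen when gateways.istio-ingressgateway.sds.enabled is not set.
        return "sds-not-running"
    if report["sds_started"] and not report["pushed"]:
        return "sds-running-no-cert-pushed"
    if report["pushed"]:
        return "ok"
    return "no-sds-activity"
```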