Istio Ingress Gateway with GKE Ingress and Google Managed Certificates

Security
#1

I am trying to setup HTTPS with Istio Ingress Gateway. It seems there are a number of approaches that you can take.

In my demo project I have setup demo profile of Istio(v1.5.1) with istioctl cli tool on GKE. As istio-ingressgateway is a LoadBalancer, I used a GKE Ingress with it. The benefit of using GKE ingress in front of Istio ingress-gateway is that I can now use Google Managed SSL certificates. It’s a very easy and straight forward setup. And it works fine.

My questions are,

  1. Is this setup recommended? In Istio doc there is already a guide on how to use Kubernetes Ingress and Cert Manager with Istio ingress-gateway.
  2. Will I lose out any of the Istio Traffic routing features. Can I still use Gateway and VirtualService?
  3. Will the mTLS still work properly?
  4. Are there any security issues with this setup?

I am new in these topics and would really appreciate your opinions and suggestions.
Thanks.

#2

So you will have GKE ingress setup and get benefits of Google managed certificates. I don’t think the features you mentioned below will be broken, the difference becomes you move the public facing tls from Istio gateway to k8s ingress. those features, you listed, is not affected.

#3

@fai555 can you share how you are doing the installation to get HTTPS with Istio Ingressgateway?

#4

Sorry for the delayed reply.

You can refer to a blog I wrote regarding all the ways I could setup SSL with Istio.

There is another blog that describes how to setup Google Managed Certificate with Istio. I haven’t tries it out personally, but the idea seems pretty neat

Hope this helps.

1 Like
#5

If you want to use a GKE Ingress then easiest option is to add a custom health check via a BackendConfig CRD for the istio ingress gateway.

I recently found this guide buried in the GCP docs https://cloud.google.com/solutions/exposing-service-mesh-apps-through-gke-ingress#anthos-service-mesh_2

If you try it out, don’t forget to add the firewall rules otherwise the health check won’t work and the GKE Ingress will always be unhealthy.

1 Like