Hello,
We use Let's Encrypt to issue certificates that are reissued every three months. We also have a ClusterIssuer for Let's Encrypt. The problem is that the certificate is issued only if the host is available via HTTP. How do I set up a Gateway or VirtualService to be able to issue and reissue certificates through HTTPS? As far as I understand, for this you need to set up an ingress solver and set up a prefix redirect to this solver. But how do I do it right?
My manifests:
```yaml
apiVersion:
kind: Gateway
metadata:
  name: test-http-gateway
  namespace: test-env
  labels:
    app: test-http
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - test-http.example.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: test-env.test-http-cert
      mode: SIMPLE
  - hosts:
    - test-http.example.com
    port:
      name: http-redirect
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
---
apiVersion:
kind: VirtualService
metadata:
  name: test-http-virtualservice
  namespace: test-env
  labels:
    app: prometheus-kube
spec:
  hosts:
  - test-http.example.com
  gateways:
  - test-http-gateway
  http:
  - route:
    - destination:
        host: test-http
        port:
          number: 8080
```
I tried adding an Ingress:
```yaml
apiVersion:
kind: Ingress
metadata:
  name: test-http
  namespace: istio-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    ingress.kubernetes.io/force-ssl-redirect: "true"
    kubernetes.io/ingress.class: istio
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - secretName: test-http-cert-ingress
    hosts:
    - test-http.example.com
  rules:
  - host: test-http.example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: test-http
            port:
              number: 8080
```
And changed the VirtualService like this:
```yaml
apiVersion:
kind: VirtualService
metadata:
  name: test-http-virtualservice
  namespace: test-env
  labels:
    app: test-env
spec:
  hosts:
  - test-http.example.com
  gateways:
  - test-http-gateway
  http:
  - match:
    - uri:
        prefix: /.well-known/acme-challenge/
    route:
    - destination:
        port:
          number: 8089
        host: cm-acme-http-solver-4dk5p.istio-system.svc
  - route:
    - destination:
        host: test-http
        port:
          number: 8080
```