Istio + Kubernetes: Gateway more than one TLS Certificate

1
votes

I have a Kubernetes cluster with multiple tenants (in different namespaces). I'd like to deploy an independent Istio Gateway object into each tenant, which I seem to be able to do. However, setting up TLS requires a K8s secret that contains the TLS key/cert. The docs indicate that the "secret must be named istio-ingressgateway-certs in the istio-system namespace". This would seem to indicate that I can only have one TLS secret per cluster. Maybe I'm not reading this correctly. Is there a way to configure independent Istio Gateways in their own namespaces, with their own TLS secrets? How might I go about doing that?

Here is the doc that I'm referencing.
https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/

Any thoughts are much appreciated.

1
sslkubernetesistiogateway
I am not exactly sure, but one ssl certificate can support more than one domain serverfault.com/q/391311/283777Tummala Dhanvi

1 Answers

2
votes

As provided on istio documentation it's possible.

In this section you will configure an ingress gateway for multiple hosts, httpbin.example.com and bookinfo.com.

So You need to create private keys, in this example, for bookinfo and httbin, and update istio-ingressgateway.

I created them both and they exist.

bookinfo certs and gateway

kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-bookinfo-certs

lrwxrwxrwx 1 root root   14 Jan  3 10:12 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root   14 Jan  3 10:12 tls.key -> ..data/tls.key

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-bookinfo
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-bookinfo-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-bookinfo-certs/tls.key
    hosts:
    - "bookinfo.com"

httpbin certs and gateway

kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs


lrwxrwxrwx 1 root root   14 Jan  3 10:07 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root   14 Jan  3 10:07 tls.key -> ..data/tls.key


apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.example.com"

Haven't made a full reproduction to check if they both works but if that won't work for You i will try to make it and update the question.

This link might be helpful.