I am running Istio 1.5, where SDS is enabled by default apparently, and am trying to enable TLS on north-south traffic in my EKS cluster (v1.15) and I have done the following:

  • Followed steps here to set up a sample application https://istio.io/latest/docs/setup/getting-started/
  • Installed cert manager 0.15.1
  • Created a cluster issuer
  • Configured the cluster issuer to attempt to solve the DNS challenge by integrating it with AWS Route53
  • Generated a certificate using the cluster issuer and Let's Encrypt
  • Followed the steps here to configure the gateway and virtual service with the certificate created above https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
  • Copied the root certificate of Let's Encrypt to pass through the curl command
  • Tried to curl the IP of the load balancer and I get this error

Can anyone please guide me on how to resolve this?

The certificate created in the Istio tutorial is self-signed; you should use the one issued by Let's Encrypt for the following steps. - Ken Chen

Can you share how you are tying the Let's Encrypt certificate to the Istio ingress? - Rico

@KenChen Yep. The cert that is being issued by Let's Encrypt via cert-manager in k8s, right? - YYashwanth

@YYashwanth, in the example they generate a self-signed root cert and an intermediate cert based on the root cert, which is used by the Istio gateway. Because it's self-signed, you need to include the root cert in your curl command to pass the verification. Since you are using a cert from Let's Encrypt, I think you can omit the --cacert part in your curl command. - Ken Chen

There is documentation about integrating cert-manager with Istio. There is a full reproduction made by @chrisnyc with cert-manager and Let's Encrypt. Take a look, maybe you find something useful there. - Jakub

1 Answer

There is related documentation about integrating cert-manager with Istio.

cert-manager

Configuration

Consult the cert-manager installation documentation to get started. No special changes are needed to work with Istio.

Usage

Istio Gateway

cert-manager can be used to write a secret to Kubernetes, which can then be referenced by a Gateway. To get started, configure a Certificate resource, following the cert-manager documentation. The Certificate should be created in the same namespace as the istio-ingressgateway deployment. For example, a Certificate may look like:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  commonName: my.example.com
  dnsNames:
  - my.example.com
  ...

Once we have the certificate created, we should see the secret created in the istio-system namespace. This can then be referenced in the tls config for a Gateway under credentialName:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingress-cert # This should match the Certificate secretName
    hosts:
    - my.example.com # This should match a DNS name in the Certificate

Kubernetes Ingress

cert-manager provides direct integration with Kubernetes Ingress by configuring an annotation on the Ingress object. If this method is used, the Ingress must reside in the same namespace as the istio-ingressgateway deployment, as secrets will only be read within the same namespace.

Alternatively, a Certificate can be created as described in Istio Gateway, then referenced in the Ingress object:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - host: my.example.com
    http: ...
  tls:
  - hosts:
    - my.example.com # This should match a DNS name in the Certificate
    secretName: ingress-cert # This should match the Certificate secretName

Additionally, there is a full reproduction made by @chrisnyc with cert-manager and Let's Encrypt on Istio discuss, which, as @YYashwanth mentioned in the comments, solved his problem. So if you have a similar issue, take a look at the above reproduction.
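One practitioner check for the Certificate/Gateway pairing described in the answer, written here as an added example and not code from the Istio docs or from the answer: it takes the JSON that `kubectl get -o json` returns for both objects and verifies that the secret lives in the ingress gateway's namespace, that `credentialName` matches `secretName`, and that every HTTPS host is covered by a `dnsNames` entry (wildcards included). The sample manifests are constructed, and `host_covered` / `check_gateway_cert` are hypothetical helper names.

```python
import json

# Constructed sample manifests in the shape `kubectl get ... -o json` returns (hypothetical values).
CERT_JSON = json.dumps({
    "kind": "Certificate",
    "metadata": {"name": "ingress-cert", "namespace": "istio-system"},
    "spec": {"secretName": "ingress-cert",
             "dnsNames": ["my.example.com", "*.api.example.com"]},
})
GATEWAY_JSON = json.dumps({
    "kind": "Gateway",
    "metadata": {"name": "gateway", "namespace": "default"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                          "tls": {"mode": "SIMPLE", "credentialName": "ingress-cert"},
                          "hosts": ["my.example.com", "v1.api.example.com"]}]},
})

def host_covered(host, dns_names):
    """True if a Gateway host is covered by a dnsNames entry; '*.x' covers exactly one extra label."""
    bare = host.split("/", 1)[-1]  # drop the optional "namespace/" prefix Istio allows on hosts
    if bare == "*":
        return False  # a catch-all host can never be matched by a real certificate
    for name in dns_names:
        if name.startswith("*."):
            suffix, label = name[1:], bare[: -len(name) + 1]  # ".api.example.com", "v1"
            if bare.endswith(suffix) and label and "." not in label:
                return True
        elif name == bare:
            return True
    return False

def check_gateway_cert(cert_json, gateway_json, ingress_ns="istio-system"):
    """Return a list of findings; an empty list means the Gateway can be served from the secret."""
    cert, gw = json.loads(cert_json), json.loads(gateway_json)
    findings = []
    if cert["metadata"]["namespace"] != ingress_ns:
        findings.append(f"Certificate is in {cert['metadata']['namespace']!r}; "
                        f"the ingress gateway only reads secrets in {ingress_ns!r}")
    secret, dns_names = cert["spec"]["secretName"], cert["spec"].get("dnsNames", [])
    for server in gw["spec"]["servers"]:
        if server["port"]["protocol"] != "HTTPS":
            continue  # plain HTTP servers carry no tls block to check
        tls = server.get("tls", {})
        if tls.get("credentialName") != secret:
            findings.append(f"credentialName {tls.get('credentialName')!r} != secretName {secret!r}")
        for host in server["hosts"]:
            if not host_covered(host, dns_names):
                findings.append(f"host {host!r} is not covered by dnsNames {dns_names}")
    return findings
```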