1 vote

I have a scenario where I need to update the Ingress gateway TLS cert (/etc/istio/ingressgateway-certs/tls.crt) and key every 24 hours. I am able to fetch the raw bytes and create the secret using the C# Kubernetes client, but unless the Ingress Gateway restarts, it does not pick up the updated certs. Is there a way to do that through code without restarting the ingress-gateway deployment?

Any other suggestions are also highly appreciated.

1

How is the certificate bound to the gateway? Can you please provide your configuration code? - Chris

The secret has been created using:

kubectl create -n istio-system secret tls istio-ingressgateway-certs --key tls.key --cert tls.crt

and the gateway (partial) looks like:

selector:
  istio: ingressgateway
servers:
- port:
    name: https
    number: 443
    protocol: https
  tls:
    mode: SIMPLE
    serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
    privateKey: /etc/istio/ingressgateway-certs/tls.key
    minProtocolVersion: TLSV1_2
    maxProtocolVersion: TLSV1_3
  hosts:
  - "*"

- Jim

1 Answer

2
votes

You are mounting your cert/key by file reference. Istio supports SDS now, so you can mount the cert by credentialName. This mode will detect a new cert without restarting. From the docs:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - httpbin.example.com

Btw: the docs state that...

The secret name should not begin with istio or prometheus, and the secret should not contain a token field.

https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-a-single-host
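The rotation side of the answer above, as an added example that is not part of the original question or answer: a small POSIX shell script that builds a kubernetes.io/tls Secret for the name the Gateway references via credentialName and applies it, so the same command serves both the first creation and every 24-hour rotation afterwards. The secret name httpbin-credential and the namespace istio-system (the namespace of the default ingress gateway, which is where the docs require the secret to live) are assumptions; the name check encodes the docs' rule that the secret name must not begin with istio or prometheus.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the TLS secret that an
# Istio Gateway references via credentialName, so the ingress gateway picks the
# new cert up through SDS without a restart. The secret name and namespace used
# in the usage below are assumptions, not values from the original question.
set -eu

# Istio docs: the secret name must not begin with "istio" or "prometheus" (and
# must not contain a "token" field, which a kubernetes.io/tls secret never does).
# Returns 0 if the name is acceptable, 1 otherwise.
check_secret_name() {
  case "$1" in
    istio*|prometheus*) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit a kubernetes.io/tls Secret manifest on stdout for the given name,
# namespace, certificate file and key file. The data values are the base64 of
# the PEM files, exactly what `kubectl create secret tls` would produce.
tls_secret_manifest() {
  name=$1; ns=$2; certfile=$3; keyfile=$4
  check_secret_name "$name" || { echo "refusing secret name: $name" >&2; return 1; }
  cert_b64=$(base64 < "$certfile" | tr -d '\n')
  key_b64=$(base64 < "$keyfile" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $cert_b64
  tls.key: $key_b64
EOF
}

# Create or update the secret. `kubectl apply` is idempotent, so the first run
# creates it and every later run (the daily rotation) updates it in place;
# the gateway's SDS watch sees the change and reloads the listener.
rotate_gateway_secret() {
  tls_secret_manifest "$@" | kubectl apply -f -
}

# Usage (for example from a daily cron job), with the assumed name/namespace:
#   rotate_gateway_secret httpbin-credential istio-system tls.crt tls.key
```

After a rotation, confirm the gateway is serving the new certificate without having restarted it, for example with `openssl s_client -connect <ingress-ip>:443 -servername httpbin.example.com </dev/null | openssl x509 -noout -dates`; if the dates still show the old certificate, the Gateway is almost certainly still using serverCertificate/privateKey file paths rather than credentialName.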