cert-manager

cert-manager is a tool that automates certificate management. This can be integrated with Istio gateways to manage TLS certificates.

Configuration

Consult the cert-manager installation documentation to get started. No special changes are needed to work with Istio.

Usage

Istio Gateway

cert-manager can be used to write a secret to Kubernetes, which can then be referenced by a Gateway.

  1. To get started, configure an Issuer resource, following the cert-manager issuer documentation. Issuers are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. For example: an Issuer may look like:

    1. apiVersion: cert-manager.io/v1
    2. kind: Issuer
    3. metadata:
    4.   name: ca-issuer
    5.   namespace: istio-system
    6. spec:
    7.   ca:
    8.     secretName: ca-key-pair

    For a common Issuer type, ACME, a pod and service are created to respond to challenge requests in order to verify the client owns the domain. To respond to those challenges, an endpoint at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> will need to be reachable. That configuration may be implementation specific.

  2. Next, configure a Certificate resource, following the cert-manager documentation. The Certificate should be created in the same namespace as the istio-ingressgateway deployment. For example, a Certificate may look like:

    1. apiVersion: cert-manager.io/v1
    2. kind: Certificate
    3. metadata:
    4.   name: ingress-cert
    5.   namespace: istio-system
    6. spec:
    7.   secretName: ingress-cert
    8.   commonName: my.example.com
    9.   dnsNames:
    10.   - my.example.com
    11.   ...

  3. Once we have the certificate created, we should see the secret created in the istio-system namespace. This can then be referenced in the tls config for a Gateway under credentialName:

    1. apiVersion: networking.istio.io/v1
    2. kind: Gateway
    3. metadata:
    4.   name: gateway
    5. spec:
    6.   selector:
    7.     istio: ingressgateway
    8.   servers:
    9.   - port:
    10.       number: 443
    11.       name: https
    12.       protocol: HTTPS
    13.     tls:
    14.       mode: SIMPLE
    15.       credentialName: ingress-cert # This should match the Certificate secretName
    16.     hosts:
    17.     - my.example.com # This should match a DNS name in the Certificate

Kubernetes Ingress

cert-manager provides direct integration with Kubernetes Ingress by configuring an annotation on the Ingress object. If this method is used, the Ingress must reside in the same namespace as the istio-ingressgateway deployment, as secrets will only be read within the same namespace.

Alternatively, a Certificate can be created as described in Istio Gateway, then referenced in the Ingress object:

  1. apiVersion: networking.k8s.io/v1
  2. kind: Ingress
  3. metadata:
  4.   name: ingress
  5.   annotations:
  6.     kubernetes.io/ingress.class: istio
  7. spec:
  8.   rules:
  9.   - host: my.example.com
  10.     http: ...
  11.   tls:
  12.   - hosts:
  13.     - my.example.com # This should match a DNS name in the Certificate
  14.     secretName: ingress-cert # This should match the Certificate secretName