#kubernetes (2025-01)
Archive: https://archive.sweetops.com/kubernetes/
2025-01-06
long shot, how do I get Istio to accept a k8s CA signed certificate for a specific service
@Andriy Knysh (Cloud Posse)
@Stef you can do the following
• Provision cert-manager (https://cert-manager.io/), using a certificate authority, e.g. Let's Encrypt or https://www.sectigo.com/
• Then, when provisioning the Istio Gateway CRD, specify the certificate name.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: {{ .Values.gateway_name }}
  namespace: {{ .Values.kubernetes_namespace }}
spec:
  selector:
    # Pod labels of the ingress gateway deployment (for the default install: istio: ingressgateway)
    xxxxx: yyyyyyy
  servers:
    - hosts:
      {{- range .Values.hosts }}
        - {{ . | quote }}
      {{- end }}
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # Name of the Kubernetes TLS Secret holding the certificate and key. It must live in the
        # same namespace as the ingress gateway pods (istio-system by default), and the
        # cert-manager Certificate's spec.secretName should be set to this same value.
        credentialName: my-certificate
        minProtocolVersion: TLSV1_2
        # Only an ECDSA suite is listed, so the certificate must use an ECDSA key; cert-manager
        # issues RSA keys by default, so either set privateKey.algorithm: ECDSA on the Certificate
        # or add an ECDHE-RSA suite here, otherwise the TLS handshake fails.
        cipherSuites:
          - ECDHE-ECDSA-AES128-GCM-SHA256
all Istio Gateways will be using my-certificate
then point your Istio VirtualService to the Gateway, and route the VirtualService to the app Service
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Release.Name }}
spec:
  hosts:
    - {{ .Values.host }}
    {{- if .Values.aliasHosts }}
    {{- range .Values.aliasHosts }}
    - {{ . | quote }}
    {{- end }}
    {{- end }}
  gateways:
    # If the Gateway lives in a different namespace than this VirtualService,
    # reference it as <namespace>/<name>
    - {{ .Values.gateway_name }}
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            # Route to the Kubernetes Service
            host: {{ .Release.Name }}
            port:
              number: {{ .Values.port }}