How can I apply multiple certificates in istio-ingressgateway #7658
You can either edit the ingress gateway deployment manually and add more volume mounts, or use
Because Istio is designed to also run in non-Kubernetes environments, its configuration strives not to contain Kubernetes constructs.
@vadimeisenbergibm So essentially, to get HTTPS traffic working, a user only has to specify the certificate path in the Gateway and make sure it exists in the ingressgateway container, no matter whether the certificate is mounted from a Kubernetes Secret or by any other means, right? If so, to dynamically add more TLS certificates to the ingressgateway without a re-deployment, we may need to develop a tool which defines how users upload their certs (using a k8s Secret, for example) and automatically places those certs into user-specified paths inside the ingressgateway container when upload events happen?
@dunjut That's correct.
@vadimeisenbergibm Plenty of users run Istio in Kubernetes (Istio is designed for many kinds of environments, though). To make dynamic TLS certificate support available to users like us, is it acceptable that we develop such a tool and make it optional in the Helm chart, like Kiali, cert-manager and so on?
@dunjut My understanding is that the Istio community welcomes the ecosystem of tools for a service mesh on top of istio.io. Contribution of tools, plugins on top of istio.io for various platforms, and especially for Kubernetes, documentation and code, is very welcome.
@incfly replied to this istio-dev thread and said you're working on integrating Envoy SDS to let the workload fetch the key/cert at runtime. Will that work solve this issue? cc @vadimeisenbergibm
@dunjut Yes, it seems so.
@dunjut If you dynamically add domains:
P.S., In the future, I believe we should get rid of the file watcher, and use SDS to update the key/cert for external certs as well. |
@myidpt I don't see how Istio supports multiple external certificates from the documentation on gateway that you referenced. As far as I can tell it only supports one certificate per server.
We would also need to specify which host a certificate is served for. Do I misunderstand?
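A worked configuration for the approach discussed in the two comments above (mount additional cert secrets into the ingress gateway deployment, then declare one Gateway server per host, each pointing at its own cert files). This is an added example, not from the original thread or from the Istio project. It assumes file-based ingress TLS as in the istio.io secure-ingress task linked in the issue; the hostnames (a.example.com, b.example.com), the second secret name (ingressgateway-b-certs), its mount path, the gateway name and the container name istio-proxy are all assumptions. The hosts list of each server is what ties a certificate to a host: the gateway selects the server entry by the client's SNI.

```yaml
# Added example (not from the issue or from Istio): two hosts, two certificates,
# file-mounted TLS on istio-ingressgateway. Names, paths and hostnames are assumptions.
#
# 1. One TLS Secret per certificate. istio-ingressgateway-certs is the secret the
#    istio.io secure-ingress task already mounts at /etc/istio/ingressgateway-certs;
#    ingressgateway-b-certs is the additional one (hypothetical name):
#      kubectl create -n istio-system secret tls istio-ingressgateway-certs \
#        --key a.example.com.key --cert a.example.com.crt
#      kubectl create -n istio-system secret tls ingressgateway-b-certs \
#        --key b.example.com.key --cert b.example.com.crt
#
# 2. Strategic-merge patch that mounts the second secret into the gateway pod
#    (the container name istio-proxy is an assumption; check it with
#    kubectl -n istio-system get deployment istio-ingressgateway -o yaml). Apply with:
#      kubectl -n istio-system patch deployment istio-ingressgateway \
#        --patch "$(cat ingressgateway-b-certs-patch.yaml)"
spec:
  template:
    spec:
      containers:
      - name: istio-proxy
        volumeMounts:
        - name: ingressgateway-b-certs
          mountPath: /etc/istio/ingressgateway-b-certs
          readOnly: true
      volumes:
      - name: ingressgateway-b-certs
        secret:
          secretName: ingressgateway-b-certs
          optional: true        # pod still starts if the secret is missing
---
# 3. One Gateway server per host, both on port 443 with distinct port names.
#    Each server lists the hosts it serves and the cert/key path for that host;
#    the path must exist inside the gateway container, as the thread notes,
#    or the HTTPS listener for that host is not activated.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: multi-host-gateway      # hypothetical name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-a
      protocol: HTTPS
    hosts:
    - "a.example.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
  - port:
      number: 443
      name: https-b
      protocol: HTTPS
    hosts:
    - "b.example.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-b-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-b-certs/tls.key
```

Two caveats a practitioner should keep in mind. Adding a new volume mount is a change to the Deployment spec, so it triggers a rollout of the gateway pods; that is the restart/downtime concern raised later in the thread for gateways that are not behind a load balancer. And the Gateway resource only references file paths, so nothing in Istio itself checks that the path you wrote matches the secret you mounted: verify with `kubectl -n istio-system exec <gateway-pod> -- ls /etc/istio/ingressgateway-b-certs` before expecting the second host to serve TLS.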
I just spent some time writing a tool to automate the synchronization between Kubernetes secrets and istio-ingressgateway certificates. Folks who suffer from this issue can give it a try (a very early version, though).
@vadimeisenbergibm I am not sure whether the Gateway can still serve traffic well during the redeployment?
@vadimeisenbergibm Thanks for your help. It seems that new certificates take effect after redeploying istio-ingressgateway. But in this way I'm not sure
@exiaohao With the ingressgateway being scalable now, I think you should be able to rolling-update the ingressgateway with your new cert without downtime.
@sudermanjr Scaling and rolling-updating imply some kind of load balancer in front of the ingressgateway, which is common in a cloud environment, but it's not always true on bare metal. In our scenario, we deploy the ingressgateway as a DaemonSet on a set of dedicated physical machines, facing users directly, acting as an edge layer 7 gateway.
I think the best solution here is to have the ingress gateway use SDS to load these certs from the node agent (which can watch certs from k8s secrets or an external API). This can be implemented after the node agent work is done on master (hopefully soon). The work is not very complex when the node agent is ready, and dunjut is also willing to help :) For anyone having a timing concern, please try dunjut's tool.
My understanding about dunjut's tool is that it places certificates into the volumes that have been created in the istio-ingressgateway pods.
@ZhiminXiang FYI: https://github.com/dunjut/cert-sync, usage with an Istio Gateway: https://github.com/dunjut/cert-sync#use-tls-secrets-in-istio-gateway
@exiaohao Is this issue still relevant? What else is required to be done?
This shouldn't have been closed until @myidpt's suggestion is either implemented or documented to be working?
Can someone please re-open this? This is not implemented or documented from what I can tell. Envoy appears to have implemented the Secret Discovery Service, and the Node Agent appears to have some implementation of the Envoy secret discovery service, but I am guessing that is for mTLS cert refresh. If this does work for the Istio Gateway, does anyone have details on how this works or how to set it up?
Please see #9030. It should solve the multiple-TLS-cert issue here.
This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
This issue has been automatically closed because it has not had activity in the last month and a half. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions. |
What the problem is:
I have several TLS certificates for different domains on the ingress gateway, but it seems to support only one certificate, which is istio-ingressgateway-certs from secret/tls (from https://istio.io/docs/tasks/traffic-management/secure-ingress/). How can I apply more than one certificate for different domains?
P.S. Why not use Kubernetes' secret to specify key & certificates instead of loading files like this: