Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. #11496
Feb 6, 2019
Feb 22, 2019
I want to configure a mTLS ingress gateway, but
I run helm-chart
Then I configure a certificate with
and a separate generic secret with
But the ingress-sds container throws the following error:
When I look at secretfetcher then there is a delete statement for the cacert secret.
But I need the possibility to define the root cert for the client side in a separate generic secret, because cert-manager generates only TLS secrets.
Hi @thomschke, only one secret with secretName: istio-ingressgateway-certs is needed by the ingress gateway agent. And this secret should contain key, server cert, and root cert for MUTUAL mode. The ingress gateway agent sends key and server cert in response to an SDS request with resource name "istio-ingressgateway-certs", and sends the root cert in response to an SDS request with resource name "istio-ingressgateway-certs-cacert".
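For readers following the thread, here is what the single-secret layout described above looks like in practice, together with a Gateway that references it via the credentialName field this PR introduces. This is an added illustration, not code from the PR or from the Istio project; the Secret data keys key, cert and cacert follow the Istio 1.1 ingress SDS documentation, while the gateway name, host and the base64 placeholders are assumptions and must be replaced with real PEM material. The Secret lives in istio-system because that is where the ingress gateway agent reads it.

```yaml
# Constructed example: one generic Secret holding all three PEM files.
# The ingress gateway agent serves `key` + `cert` for SDS resource name
# "istio-ingressgateway-certs" and `cacert` for resource name
# "istio-ingressgateway-certs-cacert", so a MUTUAL gateway needs all three
# in this one Secret (a cert-manager TLS Secret alone lacks the `cacert` entry).
apiVersion: v1
kind: Secret
metadata:
  name: istio-ingressgateway-certs      # must match credentialName below
  namespace: istio-system               # agent reads secrets from this namespace
type: Opaque
data:
  key: <base64 of server private key PEM>     # placeholder, replace before applying
  cert: <base64 of server certificate PEM>    # placeholder
  cacert: <base64 of client CA root cert PEM> # placeholder; used to verify client certs
---
# Constructed example: Gateway in MUTUAL mode pointing at the Secret by name.
# credentialName replaces the older mounted-file serverCertificate/privateKey/
# caCertificates paths, so certificates rotate without restarting the gateway pod.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-mtls-gateway            # assumed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL                      # client certificate is required and verified
      credentialName: istio-ingressgateway-certs
    hosts:
    - "example.com"                     # assumed host
```

A quick sanity check before applying the Gateway is `kubectl -n istio-system get secret istio-ingressgateway-certs -o jsonpath='{.data}'` and confirming that all of key, cert and cacert are present; if cacert is missing, the agent has nothing to return for the "-cacert" resource and the ingress-sds container will log an error like the one reported in this thread.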
Hi @JimmyCYJ, thanks for your prompt reply.
What do you think?
@thomschke Thanks for providing more context. Is it possible to let cert-manager generate secret with key, server cert and root cert? Changing the ingress gateway agent to extract root cert by scanning secret name suffix is a kind of hack. This affects user experience and could mess up user setup. It would make more sense to let cert-manager provide an option to specify root cert.
Cert-Manager only creates TLS Secrets, which are a kind of Secret that only contains a crt and key file, and far and wide there is no help in sight.
Yes, at first glance my FR looks like a hack. But in my opinion it's the only way to support auto-reloading for mTLS gateways at the moment.
BTW: Istio helm chart bundles
@JimmyCYJ you just found the biggest issue with Istio and Cert-Manager!
Your solution is to pre-create the secret
I won't rant again. Both Istio (Galley ?) and Cert-Manager need to do something to ease the creation and management of those certificates. I had a strong No on the Cert-Manager side, so far...