istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/en/docs/ops/integrations/certmanager/index.md

2.7 KiB
Raw Permalink Blame History

title description weight keywords aliases
cert-manager Information on how to integrate with cert-manager. 20
integration
cert-manager
/docs/tasks/traffic-management/ingress/ingress-certmgr/
/docs/examples/advanced-gateways/ingress-certmgr/

cert-manager is a tool that automates certificate management. This can be integrated with Istio gateways to manage TLS certificates.

Configuration

Consult the cert-manager installation documentation to get started. No special changes are needed to work with Istio.

Usage

Istio Gateway

cert-manager can be used to write a secret to Kubernetes, which can then be referenced by a Gateway. To get started, configure a Certificate resource, following the cert-manager documentation. The Certificate should be created in the same namespace as the istio-ingressgateway deployment. For example, a Certificate may look like:

{{< text yaml >}} apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: name: ingress-cert namespace: istio-system spec: secretName: ingress-cert commonName: my.example.com dnsNames:

  • my.example.com ... {{< /text >}}

Once we have the certificate created, we should see the secret created in the istio-system namespace. This can then be referenced in the tls config for a Gateway under credentialName:

{{< text yaml >}} apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: gateway spec: selector: istio: ingressgateway servers:

  • port: number: 443 name: https protocol: HTTPS tls: mode: SIMPLE credentialName: ingress-cert # This should match the Certifcate secretName hosts:
    • my.example.com # This should match a DNS name in the Certificate {{< /text >}}

Kubernetes Ingress

cert-manager provides direct integration with Kubernetes Ingress by configuring an annotation on the Ingress object. If this method is used, the Ingress must reside in the same namespace as the istio-ingressgateway deployment, as secrets will only be read within the same namespace.

Alternatively, a Certificate can be created as described in Istio Gateway, then referenced in the Ingress object:

{{< text yaml >}} apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress annotations: kubernetes.io/ingress.class: istio spec: rules:

  • host: my.example.com http: ... tls:
  • hosts:
    • my.example.com # This should match a DNS name in the Certificate secretName: ingress-cert # This should match the Certifcate secretName {{< /text >}}