<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway"><meta name=description content="Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS."><meta name=author content="Vadim Eisenberg (IBM)"><meta name=keywords content="microservices,services,mesh,traffic-management,ingress,sds-credentials,iks,mutual-tls"><meta property="og:title" content="Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway"><meta property="og:type" content="website"><meta property="og:description" content="Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS."><meta property="og:url" content="/v1.12/blog/2020/alb-ingress-gateway-iks/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.12 / Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
|
|
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.12/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.12/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.12/feed.xml><link rel="shortcut icon" href=/v1.12/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.12/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.12/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.12/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.12/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.12/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.12/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.12/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.12/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.12/favicons/android-192x192.png sizes=192x192><link rel=mask-icon href=/v1.12/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.12/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.12/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.12/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.12";const docTitle="Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress 
Gateway";const iconFile="\/v1.12/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.12/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.12/><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 
01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger 
class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.12/img/icons.svg#menu-hamburger"/></svg></button>
|
|
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.12/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.12/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.12/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.12/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.12/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.12/img/icons.svg#magnifier"/></svg></button>
|
|
<a href=/v1.12/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/search>
|
|
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
|
|
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.12/news/releases/1.12.x/announcing-1.12.3/ class=banner data-title="Latest Release-2022-02-11 00:00:00 +0000 UTC" data-period-start=1644537600000 data-period-end=1645142400000 data-max-impressions=3 data-timeout><div class=content><p>Istio 1.12.3 is now available! Click here to learn more</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</h1><p>Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS.</p></div><p class=post-author>May 15, 2020 <span>|</span> By Vadim Eisenberg - IBM</p><div><p>In this blog post I show how to configure the <a href="https://cloud.ibm.com/docs/containers?topic=containers-ingress-about">Ingress Application Load Balancer (ALB)</a>
|
|
on <a href=https://www.ibm.com/cloud/kubernetes-service/>IBM Cloud Kubernetes Service (IKS)</a> to direct traffic to the Istio
|
|
ingress gateway, while securing the traffic between them using <span class=term data-title="Mutual TLS Authentication" data-body='<p>Mutual TLS provides strong service-to-service authentication with built-in identity and credential management.
|
|
<a href="/docs/concepts/security/#mutual-tls-authentication">Learn more about mutual TLS authentication</a>.</p>'>mutual TLS authentication</span>.</p><p>When you use IKS without Istio, you may control your ingress traffic using the provided ALB. This ingress-traffic
|
|
routing is configured using a Kubernetes
|
|
<a href=https://kubernetes.io/docs/concepts/services-networking/ingress/>Ingress</a> resource with
|
|
<a href="https://cloud.ibm.com/docs/containers?topic=containers-ingress_annotation">ALB-specific annotations</a>. IKS provides a
|
|
DNS domain name, a TLS certificate that matches the domain, and a private key for the certificate. IKS stores the
|
|
certificates and the private key in a <a href=https://kubernetes.io/docs/concepts/configuration/secret/>Kubernetes secret</a>.</p><p>When you start using Istio in your IKS cluster, the recommended method to send traffic to your Istio enabled workloads
|
|
is by using the <a href=/v1.12/docs/tasks/traffic-management/ingress/ingress-control/>Istio Ingress Gateway</a> instead of using the
|
|
<a href=https://kubernetes.io/docs/concepts/services-networking/ingress/>Kubernetes Ingress</a>. One of the main reasons to use
|
|
the Istio ingress gateway is the fact the ALB provided by IKS will not be able to communicate directly with the services
|
|
inside the mesh when you enable STRICT mutual TLS. During your transition to having only Istio ingress gateway as your
|
|
main entry point, you can continue to use the traditional Ingress for non-Istio services while using the Istio ingress
|
|
gateway for services that are part of the mesh.</p><p>IKS provides a convenient way for clients to access Istio ingress gateway by letting you
|
|
<a href="https://cloud.ibm.com/docs/containers?topic=containers-loadbalancer_hostname">register a new DNS subdomain</a> for the
|
|
Istio gateway’s IP with an IKS command. The domain is in the following
|
|
<a href="https://cloud.ibm.com/docs/containers?topic=containers-loadbalancer_hostname#loadbalancer_hostname_format">format</a>:
|
|
<code>&lt;cluster_name&gt;-&lt;globally_unique_account_HASH&gt;-0001.&lt;region&gt;.containers.appdomain.cloud</code>, for example <code>mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud</code>. In the same way as for the ALB domain,
|
|
IKS provides a certificate and a private key, storing them in another Kubernetes secret.</p><p>This blog describes how you can chain together the IKS Ingress ALB and the Istio ingress gateway to send traffic to your
|
|
Istio enabled workloads while being able to continue using the ALB specific features and the ALB subdomain name. You
|
|
configure the IKS Ingress ALB to direct traffic to the services inside an Istio service mesh through the Istio ingress
|
|
gateway, while using mutual TLS authentication between the ALB and the gateway. For the mutual TLS authentication, you
|
|
will configure the ALB and the Istio ingress gateway to use the certificates and keys provided by IKS for the ALB and
|
|
NLB subdomains. Using certificates provided by IKS saves you the overhead of managing your own certificates for the
|
|
connection between the ALB and the Istio ingress gateway.</p><p>You will use the NLB subdomain certificate as the server certificate for the Istio ingress gateway as intended.
|
|
The NLB subdomain certificate represents the identity of the server that serves a particular NLB subdomain, in this
|
|
case, the ingress gateway.</p><p>You will use the ALB subdomain certificate as the client certificate in mutual TLS authentication between the ALB and
|
|
the Istio Ingress. When ALB acts as a server it presents the ALB certificate to the clients so the clients can
|
|
authenticate the ALB. When ALB acts as a client of the Istio ingress gateway, it presents the same certificate to the
|
|
Istio ingress gateway, so the Istio ingress gateway could authenticate the ALB.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg></div><div class=content>Note that the instructions in this blog post only configure the ALB and the Istio ingress gateway to encrypt the traffic
|
|
between them and to verify that the certificate each of them receives was issued by <a href=https://letsencrypt.org>Let’s Encrypt</a>; it is the issuer that is checked, not the identity of the specific peer. In
|
|
order to specify that only the ALB is allowed to talk to the Istio ingress gateway, an additional Istio security policy
|
|
must be defined. In order to verify that the ALB indeed talks to the Istio ingress gateway, additional configuration
|
|
must be added to the ALB. The additional configuration of the Istio ingress gateway and the ALB is out of scope for this
|
|
blog.</div></aside></div><p>Traffic to the services without an Istio sidecar can continue to flow as before directly from the ALB.</p><p>The diagram below exemplifies the described setting. It shows two services in the cluster, <code>service A</code> and <code>service B</code>.
|
|
<code>service A</code> has an Istio sidecar injected and requires mutual TLS. <code>service B</code> has no Istio sidecar. <code>service B</code> can
|
|
be accessed by clients through the ALB, which directly communicates with <code>service B</code>. <code>service A</code> can be also
|
|
accessed by clients through the ALB, but in this case the traffic must pass through the Istio ingress gateway. Mutual
|
|
TLS authentication between the ALB and the gateway is based on the certificates provided by IKS.
|
|
The clients can also access the Istio ingress gateway directly. IKS registers different DNS domains for the ALB and for
|
|
the ingress gateway.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:63.32720606343596%><a data-skipendnotes=true href=/v1.12/blog/2020/alb-ingress-gateway-iks/alb-ingress-gateway.svg title="A cluster with the ALB and the Istio ingress gateway"><img class=element-to-stretch src=/v1.12/blog/2020/alb-ingress-gateway-iks/alb-ingress-gateway.svg alt="A cluster with the ALB and the Istio ingress gateway"></a></div><figcaption>A cluster with the ALB and the Istio ingress gateway</figcaption></figure><h2 id=initial-setting>Initial setting</h2><ol><li><p>Create the <code>httptools</code> namespace and enable Istio sidecar injection:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl create namespace httptools
|
|
$ kubectl label namespace httptools istio-injection=enabled
|
|
namespace/httptools created
|
|
namespace/httptools labeled
|
|
</code></pre></li><li><p>Deploy the <code>httpbin</code> sample to <code>httptools</code>:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/httpbin/httpbin.yaml@ -n httptools
|
|
service/httpbin created
|
|
deployment.apps/httpbin created
|
|
</code></pre></div></li></ol><h2 id=create-secrets-for-the-alb-and-the-istio-ingress-gateway>Create secrets for the ALB and the Istio ingress gateway</h2><p>IKS generates a TLS certificate and a private key and stores them as a secret in the default namespace when you register
|
|
a DNS domain for an external IP by using the <code>ibmcloud ks nlb-dns-create</code> command. IKS stores the ALB’s
|
|
certificate and private key also as a secret in the default namespace. You need these credentials to establish the
|
|
identities that the ALB and the Istio ingress gateway will present during the mutual TLS authentication between
|
|
them. You will configure the ALB and the Istio ingress gateway to exchange these certificates, to trust the certificates
|
|
of one another, and to use their private keys to encrypt and sign the traffic.</p><ol><li><p>Store the name of your cluster in the <code>CLUSTER_NAME</code> environment variable:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export CLUSTER_NAME=&lt;your cluster name&gt;
|
|
</code></pre></li><li><p>Store the domain name of your ALB in the <code>ALB_INGRESS_DOMAIN</code> environment variable:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ ibmcloud ks cluster get --cluster $CLUSTER_NAME | grep Ingress
|
|
Ingress Subdomain: &lt;your ALB ingress domain&gt;
|
|
Ingress Secret: &lt;your ALB secret&gt;
|
|
</code></pre><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export ALB_INGRESS_DOMAIN=&lt;your ALB ingress domain&gt;
|
|
$ export ALB_SECRET=&lt;your ALB secret&gt;
|
|
</code></pre></li><li><p>Store the external IP of your <code>istio-ingressgateway</code> service in an environment variable.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export INGRESS_GATEWAY_IP=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
|
$ echo INGRESS_GATEWAY_IP = $INGRESS_GATEWAY_IP
|
|
</code></pre></li><li><p>Create a DNS domain and certificates for the IP of the Istio Ingress Gateway service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ ibmcloud ks nlb-dns create classic --cluster $CLUSTER_NAME --ip $INGRESS_GATEWAY_IP --secret-namespace istio-system
|
|
Host name subdomain is created as &lt;some domain&gt;
|
|
</code></pre></li><li><p>Store the domain name from the previous command in an environment variable:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export INGRESS_GATEWAY_DOMAIN=&lt;the domain from the previous command&gt;
|
|
</code></pre></li><li><p>List the registered domain names:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ ibmcloud ks nlb-dnss --cluster $CLUSTER_NAME
|
|
Retrieving host names, certificates, IPs, and health check monitors for network load balancer (NLB) pods in cluster &lt;your cluster&gt;...
|
|
OK
|
|
Hostname IP(s) Health Monitor SSL Cert Status SSL Cert Secret Name Secret Namespace
|
|
&lt;your ingress gateway hostname&gt; &lt;your ingress gateway IP&gt; None created &lt;the matching secret name&gt; istio-system
|
|
...
|
|
</code></pre><p>Wait until the status of the certificate (the fourth field) of the new domain name becomes <code>enabled</code> (initially it is <code>pending</code>).</p></li><li><p>Store the name of the secret of the new domain name:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export INGRESS_GATEWAY_SECRET=&lt;the secret's name as shown in the SSL Cert Secret Name column&gt;
|
|
</code></pre></li><li><p>Extract the certificate and the key from the secret provided for the ALB:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ mkdir alb_certs
|
|
$ kubectl get secret $ALB_SECRET --namespace=default -o yaml | grep 'tls.key:' | cut -f2 -d: | base64 --decode > alb_certs/client.key
|
|
$ kubectl get secret $ALB_SECRET --namespace=default -o yaml | grep 'tls.crt:' | cut -f2 -d: | base64 --decode > alb_certs/client.crt
|
|
$ ls -al alb_certs
|
|
-rw-r--r-- 1 user staff 3738 Sep 11 07:57 client.crt
|
|
-rw-r--r-- 1 user staff 1675 Sep 11 07:57 client.key
|
|
</code></pre></li><li><p>Download the issuer certificate of the <a href=https://letsencrypt.org>Let’s Encrypt</a> certificate, which is the
|
|
issuer of the certificates provided by IKS. You specify this certificate as the certificate of a certificate
|
|
authority to trust, for both the ALB and the Istio ingress gateway.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ curl https://letsencrypt.org/certs/trustid-x3-root.pem --output trusted.crt
|
|
</code></pre></li><li><p>Create a Kubernetes secret to be used by the ALB to establish mutual TLS connection.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg></div><div class=content>The certificates provided by IKS expire every 90 days and are automatically renewed by
|
|
IKS 37 days before they expire.
|
|
You will have to recreate the secrets by rerunning the instructions of this section every time the secrets provided
|
|
by IKS are updated. You may want to use scripts or operators to automate this and keep the
|
|
secrets in sync.</div></aside></div><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl create secret generic alb-certs -n istio-system --from-file=trusted.crt --from-file=alb_certs/client.crt --from-file=alb_certs/client.key
|
|
secret "alb-certs" created
|
|
</code></pre></li><li><p>For mutual TLS, a separate Secret named <code>&lt;tls-cert-secret&gt;-cacert</code> with a <code>cacert</code> key (the <code>ca.crt</code> key used by the command below is recognized as well) is needed for the ingress gateway.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl create -n istio-system secret generic $INGRESS_GATEWAY_SECRET-cacert --from-file=ca.crt=trusted.crt
|
|
secret/cluster_name-hash-XXXX-cacert created
|
|
</code></pre></li></ol><h2 id=configure-a-mutual-tls-ingress-gateway>Configure a mutual TLS ingress gateway</h2><p>In this section you configure the Istio ingress gateway to perform mutual TLS between external clients and the gateway.
|
|
You use the certificates and the keys provided to you for the ingress gateway and the ALB.</p><ol><li><p>Define a <code>Gateway</code> to allow access on port 443 only, with mutual TLS:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -n httptools -f - &lt;&lt;EOF
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: Gateway
|
|
metadata:
|
|
name: default-ingress-gateway
|
|
spec:
|
|
selector:
|
|
istio: ingressgateway # use istio default ingress gateway
|
|
servers:
|
|
- port:
|
|
number: 443
|
|
name: https
|
|
protocol: HTTPS
|
|
tls:
|
|
mode: MUTUAL
|
|
credentialName: $INGRESS_GATEWAY_SECRET
|
|
hosts:
|
|
- "$INGRESS_GATEWAY_DOMAIN"
|
|
- "httpbin.$ALB_INGRESS_DOMAIN"
|
|
EOF
|
|
</code></pre></li><li><p>Configure routes for traffic entering via the <code>Gateway</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -n httptools -f - &lt;&lt;EOF
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: default-ingress
|
|
spec:
|
|
hosts:
|
|
- "$INGRESS_GATEWAY_DOMAIN"
|
|
- "httpbin.$ALB_INGRESS_DOMAIN"
|
|
gateways:
|
|
- default-ingress-gateway
|
|
http:
|
|
- match:
|
|
- uri:
|
|
prefix: /status
|
|
route:
|
|
- destination:
|
|
port:
|
|
number: 8000
|
|
host: httpbin.httptools.svc.cluster.local
|
|
EOF
|
|
</code></pre></li><li><p>Send a request to <code>httpbin</code> by <em>curl</em>, passing as parameters the client certificate
|
|
(the <code>--cert</code> option) and the private key (the <code>--key</code> option):</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ curl https://$INGRESS_GATEWAY_DOMAIN/status/418 --cert alb_certs/client.crt --key alb_certs/client.key
|
|
|
|
-=[ teapot ]=-
|
|
|
|
_...._
|
|
.' _ _ `.
|
|
| ."` ^ `". _,
|
|
\_;`"---"`|//
|
|
| ;/
|
|
\_ _/
|
|
`"""`
|
|
</code></pre></li><li><p>Remove the directory holding the ALB client certificate and private key, together with the downloaded issuer certificate; they are no longer needed on disk once stored in the Kubernetes secrets.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ rm -r alb_certs trusted.crt
|
|
</code></pre></li></ol><h2 id=configure-the-alb>Configure the ALB</h2><p>You need to configure your Ingress resource to direct traffic to the Istio ingress gateway while using the certificate
|
|
stored in the <code>alb-certs</code> secret. Normally, the ALB decrypts HTTPS requests before forwarding traffic to your apps.
|
|
You can configure the ALB to re-encrypt the traffic before it is forwarded to the Istio ingress gateway by using the
|
|
<code>ssl-services</code> annotation on the Ingress resource. This annotation also allows you to specify the certificate stored in
|
|
the <code>alb-certs</code> secret, required for mutual TLS.</p><ol><li><p>Configure the <code>Ingress</code> resource for the ALB. You must create the <code>Ingress</code> resource in the <code>istio-system</code> namespace
|
|
in order to forward the traffic to the Istio ingress gateway.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
|
|
apiVersion: extensions/v1beta1
|
|
kind: Ingress
|
|
metadata:
|
|
name: alb-ingress
|
|
namespace: istio-system
|
|
annotations:
|
|
ingress.bluemix.net/ssl-services: "ssl-service=istio-ingressgateway ssl-secret=alb-certs proxy-ssl-name=$INGRESS_GATEWAY_DOMAIN"
|
|
spec:
|
|
tls:
|
|
- hosts:
|
|
- httpbin.$ALB_INGRESS_DOMAIN
|
|
secretName: $ALB_SECRET
|
|
rules:
|
|
- host: httpbin.$ALB_INGRESS_DOMAIN
|
|
http:
|
|
paths:
|
|
- path: /status
|
|
backend:
|
|
serviceName: istio-ingressgateway
|
|
servicePort: 443
|
|
EOF
|
|
</code></pre></li><li><p>Test the ALB ingress:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ curl https://httpbin.$ALB_INGRESS_DOMAIN/status/418
|
|
|
|
-=[ teapot ]=-
|
|
|
|
_...._
|
|
.' _ _ `.
|
|
| ."` ^ `". _,
|
|
\_;`"---"`|//
|
|
| ;/
|
|
\_ _/
|
|
`"""`
|
|
</code></pre></li></ol><p>Congratulations! You configured the IKS Ingress ALB to send encrypted traffic to the Istio ingress gateway. You
|
|
allocated a host name and certificate for your Istio ingress gateway and used that certificate as the server certificate
|
|
for Istio ingress gateway. As the client certificate of the ALB you used the certificate provided by IKS for the ALB.
|
|
Once you had the certificates deployed as Kubernetes secrets, you directed the ingress traffic from the ALB to the Istio
|
|
ingress gateway for some specific paths and used the certificates for mutual TLS authentication between the ALB and the
|
|
Istio ingress gateway.</p><h2 id=cleanup>Cleanup</h2><ol><li><p>Delete the <code>Ingress</code> resource, the <code>Gateway</code> configuration, the <code>VirtualService</code>, the <code>alb-certs</code> secret, and the local certificate files:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete ingress alb-ingress -n istio-system
|
|
$ kubectl delete virtualservice default-ingress -n httptools
|
|
$ kubectl delete gateway default-ingress-gateway -n httptools
|
|
$ kubectl delete secrets alb-certs -n istio-system
|
|
$ rm -rf alb_certs trusted.crt
|
|
$ unset CLUSTER_NAME ALB_INGRESS_DOMAIN ALB_SECRET INGRESS_GATEWAY_DOMAIN INGRESS_GATEWAY_SECRET
|
|
</code></pre></li><li><p>Shutdown the <code>httpbin</code> service:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete -f @samples/httpbin/httpbin.yaml@ -n httptools
|
|
</code></pre></div></li><li><p>Delete the <code>httptools</code> namespace:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete namespace httptools
|
|
</code></pre></li></ol></div><nav class=pagenav><div class=left><a title="Simplifying Istio upgrades by offering safe canary deployments of the control plane." href=/v1.12/blog/2020/multiple-control-planes/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.12/img/icons.svg#left-arrow"/></svg>Safely Upgrade Istio using a Canary Control Plane Deployment</a></div><div class=right><a title="Community partner tooling of Wasm for Istio by Solo.io." href=/v1.12/blog/2020/wasmhub-istio/ class=next-link>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio<svg class="icon right-arrow"><use xlink:href="/v1.12/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.12/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.12/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.12/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.12/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon 
twitter"><use xlink:href="/v1.12/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.12/><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 
01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.12/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.12/content/en/blog/2020/alb-ingress-gateway-iks/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>© 2021 Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.12.3</span><!-- Release switcher. The "current release" and "next release" entries are anchors with no href; navigation happens only through the inline onclick handler calling navigateToUrlOrRoot (defined elsewhere on the site). Inline handlers require script-src 'unsafe-inline' in a Content-Security-Policy, and an href-less anchor with tabindex=-1 is not reachable by keyboard. NOTE(review): a real href with the fallback logic bound via addEventListener would keep the same behaviour and allow a strict CSP. --><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2020\/alb-ingress-gateway-iks\/');return false;">current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2020\/alb-ingress-gateway-iks\/');return false;">next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><!-- Third-party script fetched from a public CDN without an integrity (SRI) hash or crossorigin attribute, so a substituted or tampered CDN response would run with this page's origin. NOTE(review): pin it as integrity="<sha384 of popper.min.js 1.14.7, placeholder>" crossorigin="anonymous", or self-host it with the site's other scripts. --><script src=https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js defer></script><!-- aria-hidden=true on a container holding a focusable button removes the button from the accessibility tree while it stays in the focus order; presumably a script toggles this attribute when the button becomes visible (TODO confirm). --><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.12/img/icons.svg#top"/></svg></button></div></body></html> |