Istio + Cert-Manager + Let’s Encrypt

[yacut]

Istio (Envoy) + Cert-Manager + Let’s Encrypt for TLS guide does not work with Istio 0.8.0 any more ...

The problem is that Istio 0.8.0 no longer support combining Kubernetes Ingress specs with Istio routing rules. So we can't create an ingress for /.well-known/acme-challenge/.* path and map it in the gateway.

I've tried to create mTLS setup for cert-manager and add Gateway/VirtualService. The problem here is that cert-manager create a cm-acme-http-solver-xxx pod in the istio-system namespace, which does not have the sidecard inject label...

Is there a solution for Istio 0.8.0 + CertManager 0.3.0? Some alternative solution would be also great...

[gyliu513]

@yacut did not go through the detail of this blog, one question, so with cert-manager, we will not need Citadel for cert management in istio mTLS?

Can you try edit the pod by adding follow annotation and restart pod?

annotations:
        sidecar.istio.io/inject: "true"

[yacut]

@gyliu513 unfortunately this will not help. Cert Manager creates for each certificate issue the cm-acme-http-solver-xxx temporary resources (pod, service and ingress) without sidecar.istio.io/inject: "true" annotation and the istio-system namespace has no istio-injection label:

$ kubectl get pod --all-namespaces 
cert-system    cert-manager-864896c6cd-4bszs                      2/2       Running     0          21m
default        details-v1-7b97668445-9d5dw                        2/2       Running     0          23h
default        productpage-v1-7bbdd59459-8k8tj                    2/2       Running     0          23h
default        ratings-v1-76dc7f6b9-n7p57                         2/2       Running     0          23h
default        reviews-v1-64545d97b4-756gv                        2/2       Running     0          23h
default        reviews-v2-8cb9489c6-ztx54                         2/2       Running     0          23h
default        reviews-v3-6bc884b456-225p8                        2/2       Running     0          23h
istio-system   cm-acme-http-solver-fvmj6                          1/1       Running     0          17m
istio-system   grafana-6bcb55748b-m8d8v                           1/1       Running     0          1d
istio-system   istio-citadel-85d65bfb4-n2v65                      1/1       Running     0          13h
istio-system   istio-cleanup-old-ca-wffm2                         0/1       Completed   0          1d
istio-system   istio-egressgateway-68ff555b46-2hhdl               1/1       Running     1          1d
istio-system   istio-ingressgateway-c99f56956-m86f8               1/1       Running     1          1d
istio-system   istio-mixer-post-install-l8vdc                     0/1       Completed   0          1d
istio-system   istio-pilot-566fd44cb9-rw5x7                       2/2       Running     0          13h
istio-system   istio-policy-6694bbcf7f-6wvsw                      2/2       Running     0          13h
istio-system   istio-sidecar-injector-645fddc6db-c6zds            1/1       Running     0          12h
istio-system   istio-statsd-prom-bridge-66d59f964d-gxz4d          1/1       Running     0          1d
istio-system   istio-telemetry-6b846c68d9-lvdrb                   2/2       Running     0          13h
istio-system   istio-tracing-cbcd767c7-7jvn7                      1/1       Running     0          1d
istio-system   prometheus-65844fff75-7zqmc                        1/1       Running     0          1d
istio-system   servicegraph-6598c77486-sfkjw                      1/1       Running     0          1d

$ kubectl get svc --all-namespaces
NAMESPACE      NAME                        TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                                                               AGE
cert-system    cm-acme-http-solver         ClusterIP      10.19.240.63    <none>           8089/TCP                                                              23m
default        details                     ClusterIP      10.19.245.218   <none>           9080/TCP                                                              23h
default        kubernetes                  ClusterIP      10.19.240.1     <none>           443/TCP                                                               1d
default        productpage                 ClusterIP      10.19.253.12    <none>           9080/TCP                                                              23h
default        ratings                     ClusterIP      10.19.249.113   <none>           9080/TCP                                                              23h
default        reviews                     ClusterIP      10.19.249.64    <none>           9080/TCP                                                              23h
istio-system   cm-acme-http-solver-w9gkj   NodePort       10.19.247.45    <none>           8089:31715/TCP                                                        19m
istio-system   grafana                     ClusterIP      10.19.248.95    <none>           3000/TCP                                                              1d
istio-system   istio-citadel               ClusterIP      10.19.253.144   <none>           8060/TCP,9093/TCP                                                     1d
istio-system   istio-egressgateway         ClusterIP      10.19.250.146   <none>           80/TCP,443/TCP                                                        1d
istio-system   istio-ingressgateway        LoadBalancer   10.19.249.46    xx.xxx.xxx.xxx   80:31380/TCP,443:31390/TCP,31400:31400/TCP                            1d
istio-system   istio-pilot                 ClusterIP      10.19.247.46    <none>           15003/TCP,15005/TCP,15007/TCP,15010/TCP,15011/TCP,8080/TCP,9093/TCP   1d
istio-system   istio-policy                ClusterIP      10.19.246.58    <none>           9091/TCP,15004/TCP,9093/TCP                                           1d
istio-system   istio-sidecar-injector      ClusterIP      10.19.252.199   <none>           443/TCP                                                               1d
istio-system   istio-statsd-prom-bridge    ClusterIP      10.19.246.124   <none>           9102/TCP,9125/UDP                                                     1d
istio-system   istio-telemetry             ClusterIP      10.19.242.213   <none>           9091/TCP,15004/TCP,9093/TCP,42422/TCP                                 1d
istio-system   prometheus                  ClusterIP      10.19.246.249   <none>           9090/TCP                                                              1d
istio-system   servicegraph                ClusterIP      10.19.243.109   <none>           8088/TCP                                                              1d
istio-system   tracing                     LoadBalancer   10.19.241.11    xx.xxx.xxx.xxx   80:32742/TCP                                                          1d
istio-system   zipkin                      ClusterIP      10.19.243.28    <none>           9411/TCP                                                              1d

$ kubectl get ingress --all-namespaces       
NAMESPACE      NAME                        HOSTS                  ADDRESS   PORTS     AGE
istio-system   cm-acme-http-solver-45jdg   bookinfo.example.com             80        22m

$ kubectl --namespace istio-system describe ingress cm-acme-http-solver-45jdg 
Name:             cm-acme-http-solver-45jdg
Namespace:        istio-system
Address:          
Default backend:  default-http-backend:80 (10.16.2.13:8080)
Rules:
  Host                  Path  Backends
  ----                  ----  --------
  bookinfo.example.com  
                        /.well-known/acme-challenge/xxx   cm-acme-http-solver-w9gkj:8089 (<none>)
Annotations:
  kubernetes.io/ingress.class:  none
Events:                         <none>

I think a solution could be a custom label for the cm-acme-http-solver pod, but if the cert-manager/cert-manager#622 PR will be merged, then mTLS setup for the cert manager is not an option any more.

The question here is: How can I include an ingress to the istio gateway?

Please see #6509 example. I hope this helps to understand the issue.

[gyliu513]

@yacut Does this help by adding the injection label to istio-system and re-depoy?

kubectl label namespace istio-system istio-injection=enabled

Also can you help my question: so with cert-manager, we will not need Citadel for cert management in istio mTLS?

[markns]

@yacut We've been using a DNS challenge provider with cert-manager on 0.8.

[yacut]

@gyliu513 This will not work, because we can't select a cm-acme-http-solver pod with dynamic labels to expose it.
I do not think that the CertManager can replace the Citadel. The main goal of the CertManager is to generate a trusted certificate (with LetsEncrypt) for the ingress resource. If the Citadel could generate browser trusted certificates, then there would be no reason to use the CertManager.

@markns Thanks for advice, but we do not use any of these dns providers. The
HTTP01 Challenge is only option for us now.

[prune998]

Hi there.
I'm the one who wrote the blog post cited here.

As of Istio 0.8.0 I recommend not using the HTTP challenge and go with the DNS01 one. I'm about to write a blog post about it.

There's still some issues here and I don't see any simple way to resolve them :

you can define only one Gateway per port

This means that if you have 1.site.com and 2.site.com both listening on the port 443, you have to create one Gateway with two hosts, something like :

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
  name: http-gateway
  namespace: test
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 1.site.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/1.key
      serverCertificate: /etc/istio/ingressgateway-certs/1.crt
  - hosts:
    - 2.site.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/2.key
      serverCertificate: /etc/istio/ingressgateway-certs/2.crt

each hosts of a Gateway needs it's own certificate file inside THE SAME secret

As you can see above, each hosts have it's own certificate inside the same secret. This secret is named istio-ingressgateway-certs and is mounted to /etc/istio/ingressgateway-certs.
So you need to update this single secret everytime something change, like adding a new domain name.

The other solution here is to use the default tls secret, which will create only 2 files inside the sercret, tls.crt and tls.key.
Doing it this way require that :

• you create a multi-domain SSL certificate
• you define your Gateway so that every hosts use the same certificate files, something like :

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
  name: https-gateway
  namespace: test
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 1.site.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  - hosts:
    - 2.site.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

In fact, doing it this way is the default behaviour of the latest Cert-Manager. Put all the FQDN (domain names) inside a single Certificate definition.
Ex :

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
  name: https-ingress-certs
  namespace: istio-system
spec:
  acme:
    config:
    - dns01:
        provider: aws-dns-prod
      domains:
      - 1.site.com
      - 2.site.com
  commonName: 1.site.com
  dnsNames:
  - 1.site.com
  - 2.site.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: istio-ingressgateway-certs     <-------------------- important

Then you will reach the next problem :

the Ingress Gateway does not reload the SSL from the secret when it is updated

If you've done all the above, Cert-Manager will create/refresh you certificate inside a secret used by the Ingress Gateway... a 10 days later the SSL certificate is refreshed... and it's never updated !
You'll have to kill the pod of the Ingress Gateway (and break your service) so it can start with the latest version of the certificate.
Same issue if you add a new domain name inside the certificate.

So, While I think I have a (ugly) solution to use Cert-Manager with Istio 0.8.0 and the new API, What is the plan so the IngressGateway can monitor the certificate and reload on change ?

Maybe (not tester) we could send a signal to the Ingress Gateway Envoy so it will hot reload the config and certificates (as the mounted Secret is updated as soon as it is changed from the API) ?
Maybe it's the Pilot's job to achieve that ?
Any thought from the Istio Devs ?

As a side note, I made a modification to Cert-Manager so it can put each certificate inside different files in the same secret. It's a dirty hack, but it's working. But as the Ingress Gateway does not reload on secret change, we still reach the same issue.

[yacut]

Could the hot reload issue be solved with vault integration? The cert manager supports vault, so the istio ingress gateway could also make it.

[munnerz]

Subscribing to this

Please also see cert-manager/cert-manager#733 for our longer term plans - some of the requirements around formatting of the TLS key secret seem to be an issue with Istio and not cert-manager, however I'm keen to hear the Istio teams views and input so we can adapt our own proposal to fit Istio well 😄

I recently merged cert-manager/cert-manager#622 which may also help with solving HTTP01 challenges. I've not had a chance to give it a go yet, but will update here when I do 😄

[yacut]

@munnerz It will only work with Istio <=0.7. I've tested certmanager 0.4.0 and istio 1.0.0/0.8.0 tomorrow, the problem is not solved, because with the Istio 0.8 release we have the Ingress Gateway instead of k8s Ingress and the challenge resolver pod is not in Istio Mesh.
With a custom label (or a label with certificate host) for the challenge resolver pod it would be possible to create a k8s svc for challenge resolvers and a Service Entry and then include it to Istio Mesh. I recently created an issue for it: cert-manager/cert-manager#672
I think a 'heavy' controller would also solve this problem.