Generate a self-signed certificate for the Istio ingress gateway
Simple diagram of how the Istio ingress gateway reaches the Argo UI:
argo.dev.local -> istio-ingressgateway -> argo-server VirtualService -> argo DestinationRule -> argo Kubernetes Service
Use the shell script below to generate the root CA certificate and a CSR for the sub-domain,
then add the certificate and private key to a Kubernetes TLS secret.
#!/usr/bin/env bash
set -euo pipefail

DOMAIN_NAME="dev.local"

# create the root CA certificate and key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj "/O=$DOMAIN_NAME Inc./CN=$DOMAIN_NAME" \
  -keyout "$DOMAIN_NAME.key" -out "$DOMAIN_NAME.crt"

# create the sub-domain private key and CSR
openssl req -newkey rsa:2048 -nodes -keyout "argo.$DOMAIN_NAME.key" \
  -subj "/CN=argo.$DOMAIN_NAME/O=argo from $DOMAIN_NAME" \
  -out "argo.$DOMAIN_NAME.csr"

# create the sub-domain certificate, signed by the root CA
# (browsers match the hostname against the SAN extension, not the CN, so add it)
openssl x509 -req -sha256 -days 365 -CA "$DOMAIN_NAME.crt" -CAkey "$DOMAIN_NAME.key" -set_serial 0 \
  -in "argo.$DOMAIN_NAME.csr" -out "argo.$DOMAIN_NAME.crt" \
  -extfile <(printf 'subjectAltName=DNS:argo.%s\n' "$DOMAIN_NAME")

# create the k8s TLS secret in istio-system, where the ingress gateway reads it
kubectl create secret tls argo-dev-local-certs -n istio-system \
  --key "argo.$DOMAIN_NAME.key" --cert "argo.$DOMAIN_NAME.crt"

# create the openldap certificate
mkdir -p /tmp-certs
openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=dc=mycomp,dc=test' \
  -keyout /tmp-certs/tls.key -out /tmp-certs/tls.crt -days 365
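Before loading a certificate into the gateway secret it is worth checking what a client will actually check: that the leaf chains to the root CA, that the hostname is present in the SAN, and that it is inside its validity window. The script below is an added example, not part of the original post or of Istio/Argo. It builds a throw-away CA and leaf (with an explicit SAN, using its own minimal openssl config so it does not depend on the system openssl.cnf) and then verifies them with `openssl verify -verify_hostname`; the `make_test_pki` and `verify_leaf` function names and the `argo.dev.local`/`other.dev.local` hosts are the example's own choices.

```bash
#!/usr/bin/env bash
# Added example: build a constructed test CA + leaf, then verify the leaf the way
# a browser or curl would (chain, SAN hostname, expiry).
set -eu

# make_test_pki DIR HOST: write ca.key/ca.crt and leaf.key/leaf.crt into DIR.
make_test_pki() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  # Explicit CA config: CA:TRUE + keyCertSign so "openssl verify" accepts it as an issuer.
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = ${host#*.}
O = constructed test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Leaf CSR: the CN is informational only, the SAN below is what gets matched.
  cat > "$dir/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF
  openssl req -new -config "$dir/leaf.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null

  # Sign with the CA and attach the SAN + serverAuth EKU via an extension file.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/leaf.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/leaf.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# verify_leaf CA_CRT LEAF_CRT HOST: returns 0 only if LEAF chains to CA, names HOST
# in its SAN and has not expired; returns 1 otherwise.
verify_leaf() {
  local ca="$1" leaf="$2" host="$3"
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" >/dev/null 2>&1 || return 1
  openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1 || return 1
  return 0
}

# Stand-alone demo: the SAN host passes, any other host name is rejected.
work="$(mktemp -d)"
make_test_pki "$work" argo.dev.local
if verify_leaf "$work/ca.crt" "$work/leaf.crt" argo.dev.local; then
  echo "OK: argo.dev.local chains to the CA and matches the SAN"
fi
if ! verify_leaf "$work/ca.crt" "$work/leaf.crt" other.dev.local; then
  echo "rejected: other.dev.local is not in the SAN (expected)"
fi
```

To apply the same check to the page's own output, call `verify_leaf dev.local.crt argo.dev.local.crt argo.dev.local` from the directory where the script above wrote its files; the same `openssl verify` call is what `curl --cacert dev.local.crt https://argo.dev.local/` performs internally before sending a request.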
To use the certificate, define the Istio Gateway resource that references the secret:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  labels:
    app: istio-ingressgateway
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  # plain HTTP listener; '*' accepts any Host header
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
  # HTTPS listener terminating TLS with the secret created above
  - hosts:
    - '*'
    port:
      name: https-443
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: argo-dev-local-certs   # secret in istio-system
Create the VirtualService resource that routes argo.dev.local through the gateway to the Argo server service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argo-server
  namespace: argo
spec:
  hosts:
  - argo.dev.local
  gateways:
  - istio-system/my-gateway
  http:
  - name: argo-server
    route:
    - destination:
        host: argo-server.argo.svc.cluster.local
        port:
          number: 2746
Because the Argo server listens with its own self-signed certificate, a DestinationRule is needed so the gateway originates TLS to the upstream:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tls-foo
  namespace: argo
spec:
  host: argo-server.argo.svc.cluster.local
  trafficPolicy:
    tls:
      # SIMPLE with no caCertificates: the gateway speaks TLS to argo-server but
      # does not verify its self-signed certificate
      mode: SIMPLE
Useful openssl commands
# decode a base64-encoded certificate (as stored in a Kubernetes secret) to a PEM file
openssl base64 -d -in test.crt -out k8s_crt.pem
# decode a base64-encoded private key to a PEM file
openssl base64 -d -in test.key -out k8s_key.pem