Generate a self-signed certificate for the Istio ingress gateway

Simple diagram of the path from the Istio ingress gateway to the Argo UI

argo.dev.local -> istio-ingressgateway -> argo-server VirtualService -> argo DestinationRule -> argo Kubernetes Service

Use the following shell script to generate the root CA certificate and a CSR for the sub domain,

then add the certificate and private key to the Kubernetes secret store.

```bash
#!/usr/bin/env bash

DOMAIN_NAME="dev.local"

# create the self-signed root CA key and certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/O=$DOMAIN_NAME Inc./CN=$DOMAIN_NAME" -keyout "$DOMAIN_NAME.key" -out "$DOMAIN_NAME.crt"

# create the sub domain private key and certificate signing request
openssl req -out "argo.$DOMAIN_NAME.csr" -newkey rsa:2048 -nodes -keyout "argo.$DOMAIN_NAME.key" -subj "/CN=argo.$DOMAIN_NAME/O=argo from $DOMAIN_NAME"

# create the sub domain certificate signed by the root CA
# (the subjectAltName extension is required: browsers ignore the CN when matching the host name)
openssl x509 -req -days 365 -CA "$DOMAIN_NAME.crt" -CAkey "$DOMAIN_NAME.key" -set_serial 0 -in "argo.$DOMAIN_NAME.csr" -extfile <(printf "subjectAltName=DNS:argo.%s\n" "$DOMAIN_NAME") -out "argo.$DOMAIN_NAME.crt"

# create the k8s TLS secret in the namespace of the ingress gateway
kubectl create secret tls argo-dev-local-certs -n istio-system --key "argo.$DOMAIN_NAME.key" --cert "argo.$DOMAIN_NAME.crt"

# create the OpenLDAP certificate
openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=dc=mycomp,dc=test' -keyout /tmp-certs/tls.key -out /tmp-certs/tls.crt -days 365
```
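The same CA and leaf generation, written as a checkable script (an added example, not code from the original post). It issues the leaf certificate with a `subjectAltName`, then verifies the leaf against the root the way a browser or an Istio sidecar would: chain validation plus host name matching. It assumes `openssl` is on `PATH` and writes everything into a temporary directory passed by the caller; the file names are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: throwaway root CA + SAN-bearing leaf for argo.dev.local,
# with verification. Not the original post's script.
set -eu

DOMAIN_NAME="dev.local"
HOST_NAME="argo.$DOMAIN_NAME"

# make_ca DIR : self-signed root CA key and certificate
make_ca() {
  local dir="$1"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=$DOMAIN_NAME Inc./CN=$DOMAIN_NAME" \
    -keyout "$dir/$DOMAIN_NAME.key" -out "$dir/$DOMAIN_NAME.crt" 2>/dev/null
}

# make_leaf DIR : key + CSR for the sub domain, signed by the CA with a SAN
make_leaf() {
  local dir="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST_NAME/O=argo from $DOMAIN_NAME" \
    -keyout "$dir/$HOST_NAME.key" -out "$dir/$HOST_NAME.csr" 2>/dev/null
  # modern TLS clients match the host name against the SAN, not the CN;
  # a CN-only certificate is rejected by browsers
  printf 'subjectAltName=DNS:%s\n' "$HOST_NAME" > "$dir/san.ext"
  openssl x509 -req -days 365 -sha256 \
    -CA "$dir/$DOMAIN_NAME.crt" -CAkey "$dir/$DOMAIN_NAME.key" -CAcreateserial \
    -in "$dir/$HOST_NAME.csr" -extfile "$dir/san.ext" \
    -out "$dir/$HOST_NAME.crt" 2>/dev/null
}

# verify_leaf DIR : exit 0 only if the leaf chains to the CA and its SAN
# covers the expected host name (this is what a client checks at handshake)
verify_leaf() {
  local dir="$1"
  openssl verify -CAfile "$dir/$DOMAIN_NAME.crt" \
    -verify_hostname "$HOST_NAME" "$dir/$HOST_NAME.crt" >/dev/null 2>&1
}

# leaf_san DIR : print the SAN entry of the leaf certificate (e.g. DNS:argo.dev.local)
leaf_san() {
  local dir="$1"
  openssl x509 -in "$dir/$HOST_NAME.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# run_demo : build everything in a temp dir, verify, then clean up
run_demo() {
  local dir
  dir="$(mktemp -d)"
  make_ca "$dir"
  make_leaf "$dir"
  if verify_leaf "$dir"; then
    echo "OK: $HOST_NAME chains to the $DOMAIN_NAME CA with SAN $(leaf_san "$dir")"
  else
    echo "FAIL: $HOST_NAME does not verify against the $DOMAIN_NAME CA"
    rm -rf "$dir"
    return 1
  fi
  rm -rf "$dir"
}

run_demo
```

`openssl verify -verify_hostname` is the quick local check to run before loading the files into the `kubectl create secret tls` command: if it fails here, the gateway will serve the certificate but clients will still refuse it.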

Define the Istio Gateway resource that terminates TLS with the secret created above:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  labels:
    app: istio-ingressgateway
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
        - '*'
      port:
        name: https-443
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: argo-dev-local-certs
```

Create the VirtualService resource that routes the host name to the Argo server service:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argo-server
  namespace: argo
spec:
  hosts:
  - argo.dev.local
  gateways:
  - istio-system/my-gateway
  http:
  - name: argo-server
    route:
      - destination:
          host: argo-server.argo.svc.cluster.local
          port:
            number: 2746
```

Because the Argo server listens with a self-signed certificate, a DestinationRule is needed so that the sidecar originates TLS to the upstream:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tls-foo
  namespace: argo
spec:
  host: argo-server.argo.svc.cluster.local

  trafficPolicy:
    tls:
      mode: SIMPLE
```

Useful openssl commands

```bash
# decode the base64 certificate taken from the secret into a PEM file
openssl base64 -d -in test.crt -out k8s_crt.pem
# decode the base64 private key taken from the secret into a PEM file
openssl base64 -d -in test.key -out k8s_key.pem
```