Set up secure HTTPS connections

Tested with Let's Encrypt certificates using the Kubernetes Gateway API

  • Register the domain in GoDaddy and validate that it resolves (nslookup <your public domain>)

  • Generate Let's Encrypt certificates using cert-manager

  • Generate the TLS secret and the Gateway listener

  • Expose your app/load balancer

Install cert-manager

helm repo add jetstack https://charts.jetstack.io
helm repo update

helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set crds.enabled=true \
--set "extraArgs={--enable-gateway-api}"

Obtain a static public IP address

  • If using MetalLB, install the load balancer

  • For AKS instances, in the Azure portal search for Public IP addresses and click Create (make sure the subscription and resource group match your AKS instance)

Create a ClusterIssuer for Let's Encrypt (clusterissuer.yaml)

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test@testcorp.com   # Provide a valid email address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        # HTTP-01 challenge served through an HTTPRoute attached to the Gateway below
        gatewayHTTPRoute:
          parentRefs:
          - name: istio-gateway
            namespace: istio-system
            kind: Gateway

Apply the cluster issuer

kubectl apply -f clusterissuer.yaml

Create a Gateway with an HTTPS listener (gateway.yaml)

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: istio-gateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/azure-pip-name: << provide your static public ip resource name >>
spec:
  gatewayClassName: istio
  listeners:
  # Port 80 stays open so cert-manager can answer the HTTP-01 challenge
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: HTTPS
    port: 443
    hostname: app.example.com   # Placeholder: change it to your valid public DNS name
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: aizen-acmetls   # Secret written by the Certificate resource below

Apply the gateway

kubectl apply -f gateway.yaml

Create the Certificate resource (aizencert.yaml)

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: aizen-acmecert
  namespace: istio-system   # Must be the Gateway's namespace so the listener can reference the secret
spec:
  secretName: aizen-acmetls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - app.example.com   # Placeholder: change it to your valid public DNS name

Apply the certificate resource

kubectl apply -f aizencert.yaml

Validate that the DNS name is reachable and that the external IP (load balancer) is visible on the service

curl -vk http://app.example.com   # Placeholder: change it to your valid public DNS name
kubectl -n istio-system get svc
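The `curl -vk` check above only proves the name resolves and the listener answers; `-k` skips certificate verification, so it says nothing about whether clients get a valid Let's Encrypt certificate. The script below is an added example (not part of the original guide) that validates the hostname before the manifests are applied, waits on the Certificate's Ready condition, and then verifies the served certificate without `-k`; it assumes `HOST` is your public DNS name, reuses the guide's `istio-system` / `aizen-acmecert` names as defaults, and needs kubectl, openssl and curl on PATH for the live checks.

```shell
# Added example: pre-flight and post-issuance checks for the cert-manager +
# Gateway API setup in this guide. Assumed environment: HOST = your public DNS
# name; NS / CERT default to the guide's istio-system / aizen-acmecert.
set -eu
NS=${NS:-istio-system}
CERT=${CERT:-aizen-acmecert}

# Returns 0 only if "$1" is a syntactically valid public DNS name. Catches the
# guide's e-mail-style placeholder: an address like test@testcorp.com is not a
# value the Gateway listener hostname or Certificate dnsNames fields accept.
is_dns_name() {
  printf '%s\n' "$1" \
    | grep -Eqi '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Parses "<type>=<status>" lines (see cert_conditions) and returns 0 only when
# the Certificate's Ready condition is True, i.e. the TLS secret was issued.
cert_is_ready() {
  printf '%s\n' "$1" | grep -qx 'Ready=True'
}

# Reads the Certificate's status conditions from the cluster as "<type>=<status>" lines.
cert_conditions() {
  kubectl -n "$NS" get certificate "$CERT" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}'
}

# Given the DNS line of `openssl x509 -noout -ext subjectAltName` output and a
# hostname, returns 0 if the served certificate lists that exact name.
san_covers_host() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Live check of what clients actually receive: SAN covers the host, the issuer
# is Let's Encrypt, and the chain verifies against the system CA store (no -k).
verify_served_cert() {
  host=$1
  leaf=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
         | openssl x509)
  san=$(printf '%s\n' "$leaf" | openssl x509 -noout -ext subjectAltName | tail -n 1)
  san_covers_host "$san" "$host" || { echo "SAN does not cover $host"; return 1; }
  printf '%s\n' "$leaf" | openssl x509 -noout -issuer | grep -q "Let's Encrypt" \
    || { echo "issuer is not Let's Encrypt"; return 1; }
  curl -sS -o /dev/null "https://$host/"
}

# Runs the live checks only when HOST is set, e.g.: HOST=app.example.com sh check.sh
if [ -n "${HOST:-}" ]; then
  is_dns_name "$HOST" || { echo "HOST is not a DNS name: $HOST"; exit 1; }
  cert_is_ready "$(cert_conditions)" || { echo "certificate $CERT is not Ready yet"; exit 1; }
  verify_served_cert "$HOST" && echo "OK: $HOST serves a valid Let's Encrypt certificate"
fi
```

If `cert_is_ready` keeps failing, `kubectl -n istio-system describe certificate aizen-acmecert` shows the challenge state; a common cause is the HTTP listener on port 80 not being reachable from the internet.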