4/26/2023

Secure Gateway with Istio and Cert-Manager

The purpose of this document is to describe how to set up a Kubernetes Gateway using the Gateway API with Istio and cert-manager, so that the gateway's TLS certificate is issued automatically from the mesh CA.

You need to follow the first episode of this blog post series on Istio before continuing. You can find it at the link below.

https://dhanuka84.blogspot.com/2023/04/using-istio-service-mesh-to-have-mtls.html



Steps:

  1. Save the root certificate

The Istio CA's root certificate is later used by curl to verify the gateway's certificate chain:

kubectl get -n istio-system secret istio-ca -ogo-template='{{index .data "tls.crt"}}' | base64 -d > root-crt.crt


  2. Create Gateway and HTTPRoute

Here we are going to use the Kubernetes Gateway API to create a gateway.

Run the command below to create a Gateway.

kubectl apply -f https://raw.githubusercontent.com/dhanuka84/my-istio/main/secure-gateway/gateway.yaml

The cert-manager.io/issuer annotation on the Gateway must name the correct Issuer; in our case it is istio-ca.

With this annotation in place, cert-manager issues the certificate for the Gateway's HTTPS listener. You can see that the httpbin-credential secret is created in the same namespace as the Gateway.

It is the same secret name we have configured in the Gateway configuration, see below.

Create the HTTPRoute


kubectl apply -f https://raw.githubusercontent.com/dhanuka84/my-istio/main/secure-gateway/HTTPRoute.yaml


Create a sample HTTP application


kubectl apply -f https://raw.githubusercontent.com/dhanuka84/my-istio/main/secure-gateway/httpbin.yaml
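To show how the pieces above fit together, here is an illustrative Gateway and HTTPRoute manifest added for this page; it is not the gateway.yaml or HTTPRoute.yaml from the linked repository. The Gateway name, namespace, listener name, issuer, secret name and hostname are taken from the commands on this page; the HTTPRoute name and namespace, the backend service name httpbin and its port 8000 are assumptions.

```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: httpgateway
  namespace: istio-system
  annotations:
    # cert-manager watches Gateways carrying this annotation and issues a
    # certificate for every HTTPS listener that sets hostname + certificateRefs.
    # The Issuer must exist in the Gateway's namespace (istio-system here).
    cert-manager.io/issuer: istio-ca
spec:
  gatewayClassName: istio
  listeners:
  - name: https                      # referenced by the SECURE_INGRESS_PORT jsonpath
    hostname: "httpbin.example.com"  # becomes the certificate's DNS name
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate                # TLS ends at the gateway; mesh mTLS continues inside
      certificateRefs:
      - kind: Secret
        name: httpbin-credential     # cert-manager creates this Secret in istio-system
    allowedRoutes:
      namespaces:
        from: All                    # let HTTPRoutes in other namespaces attach
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httpbin          # assumed name
  namespace: default     # assumed namespace of the httpbin workload
spec:
  parentRefs:
  - name: httpgateway
    namespace: istio-system
  hostnames:
  - "httpbin.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /status   # matches the /status/418 and /status/200 requests below
    backendRefs:
    - name: httpbin      # assumed Service name from httpbin.yaml
      port: 8000         # assumed Service port
```

The annotation only triggers issuance for listeners with tls.mode Terminate, a hostname and a Secret-kind certificateRef, so a listener missing any of those stays without a certificate.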



  3. Let’s test this HTTPS URL with the certificate

Get the Gateway host and port:

kubectl wait --for=condition=ready gtw httpgateway -n istio-system

export INGRESS_HOST=$(kubectl get gtw httpgateway -n istio-system -o jsonpath='{.status.addresses[*].value}')

export SECURE_INGRESS_PORT=$(kubectl get gtw httpgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="https")].port}')

Now call the gateway over HTTPS, trusting only the root certificate saved in step 1:

curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert root-crt.crt "https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"

Now let’s change the curl command slightly: instead of 418 we’ll request status 200 and see the result.

curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert root-crt.crt "https://httpbin.example.com:$SECURE_INGRESS_PORT/status/200"

  4. Finally, let’s monitor with Kiali

istioctl dashboard kiali

You can see the HTTP traffic flowing from the Gateway to httpbin over mTLS connections.