Managing TLS keys and certs in Istio using Amazon’s ACM

Anshul Prakash
Mar 30 · 3 min read

This article discusses how to use Amazon's AWS Certificate Manager (ACM) to manage the TLS key and certificate for Istio's ingress gateway in a Kubernetes cluster.

We use AWS's EKS to manage our Kubernetes clusters and Istio as a service mesh. Managing a large number of microservices inside a Kubernetes cluster is easier with Istio, and Istio's ingress gateway provides a convenient way to control traffic entering the cluster using Gateway and VirtualService resources.

In order to serve HTTPS traffic, there are various ways to manage TLS keys and certificates. One option is Let's Encrypt, which requires deploying additional resources into the cluster and managing Certificate and Issuer objects and their renewal. An easier way is to let AWS Certificate Manager (ACM) hold the certificate and use Service annotations so that the load balancer in front of the ingressgateway terminates TLS with it. The private key then stays inside ACM and is never stored in the cluster as a Secret.

We terminate HTTPS at the load balancer, and traffic from the load balancer to the ingress gateway and onward inside the cluster is plain HTTP. This keeps certificate handling out of the cluster, but it also means the hop from the load balancer into the VPC is unencrypted, so the design relies on the VPC as the trust boundary. The architecture looks like this:

[Architecture diagram]

In order to achieve the above, the following steps need to be performed:

  1. Create a certificate in ACM. The ARN of the certificate will be used in the following steps. The certificate must be issued in the same region as the cluster, because the load balancer can only use an ACM certificate from its own region.
  2. Annotate Istio's ingressgateway Service to use the cert. Besides the certificate ARN, further annotations are needed to specify the backend protocol and the SSL ports. I used the following annotations on the istio-ingressgateway Service:

```yaml
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <<ARN_OF_CERTIFICATE>>
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
```

  • aws-load-balancer-backend-protocol is tcp so that the load balancer forwards the decrypted stream at layer 4, which supports both plain HTTP and WebSocket traffic to the pods. This is important for WebSocket connections to work. One consequence: a TCP listener does not add X-Forwarded-For or X-Forwarded-Proto headers, so the gateway sees the load balancer's address as the client unless proxy protocol is enabled.
  • aws-load-balancer-ssl-ports is https because that is the name of port 443 in the ingressgateway Service; only that listener terminates TLS with the ACM certificate.
  • aws-load-balancer-connection-idle-timeout is 3600 (seconds) to keep long-lived WebSocket connections open; the classic ELB default is 60 seconds.

  3. Create a Gateway to serve traffic:

I used the YAML file below to create the Gateway needed. It is important that the server for port 443 uses protocol HTTP, not HTTPS: TLS is already terminated at the load balancer, so the gateway receives plaintext on that port. If the protocol were HTTPS, Envoy would expect a TLS handshake and the gateway would need its own key and certificate. The YAML file can be viewed here.
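As an added example that is not part of the original post, here are the three steps as one shell script. It assumes Istio's default ingress gateway Service (istio-ingressgateway in the istio-system namespace), a Gateway named public-gateway, and that the aws, kubectl and openssl CLIs are installed and configured; CERT_ARN, AWS_REGION and PUBLIC_HOST are placeholder inputs. It goes slightly beyond the post by refusing a certificate ARN from another region, adding a port 80 server that only redirects to HTTPS, and checking which certificate the load balancer actually presents once applied.

```shell
#!/bin/sh
# Added example (not from the original post): the three steps as shell functions.
# Assumptions: Istio's default Service istio-ingressgateway in namespace istio-system,
# a Gateway named public-gateway, and the aws/kubectl/openssl CLIs configured.
# CERT_ARN, AWS_REGION and PUBLIC_HOST are placeholders supplied by the caller.
set -eu

# Step 1: request a DNS-validated certificate and return its ARN. The CNAME
# record ACM asks for must still be created before the certificate is ISSUED.
request_certificate() {
  host="$1"
  aws acm request-certificate --domain-name "$host" --validation-method DNS \
      --query CertificateArn --output text
}

# The classic ELB created by the in-tree AWS provider can only use an ACM
# certificate from its own region, so reject anything else before patching.
validate_cert_arn() {
  arn="$1"; region="$2"
  printf '%s\n' "$arn" \
    | grep -Eq "^arn:aws:acm:${region}:[0-9]{12}:certificate/[0-9a-f-]+$"
}

# Step 2: the Service annotations from the post, as a strategic-merge patch.
render_service_patch() {
  arn="$1"
  cat <<EOF
{"metadata":{"annotations":{
  "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "${arn}",
  "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp",
  "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https",
  "service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout": "3600"
}}}
EOF
}

# Step 3: the Gateway. TLS is already terminated by the load balancer, so the
# listener behind the Service's "https" port is plain HTTP: protocol HTTP, not
# HTTPS, and no credentialName. Port 80 is kept only to redirect to HTTPS.
render_gateway() {
  host="$1"
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: { number: 443, name: https, protocol: HTTP }
    hosts: [ "${host}" ]
  - port: { number: 80, name: http, protocol: HTTP }
    hosts: [ "${host}" ]
    tls: { httpsRedirect: true }
EOF
}

apply_all() {
  arn="$1"; region="$2"; host="$3"
  validate_cert_arn "$arn" "$region" || {
    echo "refusing: $arn is not an ACM certificate ARN in $region" >&2; return 1; }
  kubectl -n istio-system patch svc istio-ingressgateway --type merge \
      -p "$(render_service_patch "$arn")"
  render_gateway "$host" | kubectl apply -f -
}

# Check what clients actually get: the certificate the load balancer presents.
check_presented_cert() {
  host="$1"
  openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Nothing touches the cluster unless APPLY=1, so the file can be sourced safely.
if [ "${APPLY:-0}" = "1" ]; then
  apply_all "${CERT_ARN:?set CERT_ARN}" "${AWS_REGION:?set AWS_REGION}" \
            "${PUBLIC_HOST:?set PUBLIC_HOST}"
  check_presented_cert "$PUBLIC_HOST"
fi
```

Run it as `APPLY=1 CERT_ARN=arn:aws:acm:... AWS_REGION=us-east-1 PUBLIC_HOST=app.example.com sh istio-acm.sh`; without APPLY=1 nothing is applied, so the rendering functions can be inspected first. The redirect is placed only on the port 80 server: the port 443 server must not carry it, since connections arriving there were already TLS at the load balancer even though the gateway sees them as HTTP.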


Anshul Prakash

Written by

Software Engineer @ NOV | CKA & CKAD | Certified AWS SA Associate