This article discusses how to use Amazon’s AWS Certificate Manager (ACM) for TLS key management of Istio’s Ingressgateway in a Kubernetes cluster.
We use AWS’s EKS to manage our Kubernetes clusters and use Istio as a service mesh. Managing a lot of microservices inside a Kubernetes cluster can be made easier using Istio. Istio’s ingress gateway also provides an easy way to manage traffic coming into the cluster using gateways and virtual services.
In order to serve HTTPS traffic, there are various ways to manage TLS keys and certs. One of them is to use Let’s Encrypt, which requires deploying some resources into the cluster and managing certificates and issuers. An easier way is to use Amazon’s AWS Certificate Manager (ACM) to manage the TLS certs and just use annotations to allow the ingressgateway to use those certs.
We terminate the HTTPS traffic at the load balancer, and inside the cluster the traffic is plain HTTP. The architecture looks something like below:
To achieve this, the following steps need to be performed:
1. Create a certificate in ACM: the ARN of the created certificate will be used in the following steps.
2. Annotate Istio’s ingressgateway to use the cert: the below annotation needs to be added -
Additional annotations are needed to specify more details like the backend protocol and SSL ports. I used the following command to add the annotations needed:
kubectl -n istio-system patch service istio-ingressgateway --patch "$(cat<<EOF
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <<ARN_OF_CERTIFICATE>>
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
EOF
)"
- aws-load-balancer-backend-protocol is tcp to support both HTTP and websocket traffic for the pods. This is important to get websocket connections working.
- aws-load-balancer-ssl-ports is https, as that is the name of port 443 in the ingressgateway service.
- aws-load-balancer-connection-idle-timeout is 3600 to support long-lived websocket connections.
3. Create a gateway to serve traffic:
I used the below YAML file to create the gateway needed:
httpsRedirect: true # sends 301 redirect for http requests
It is important to set the protocol to HTTP for port 443, as the HTTPS traffic is already terminated on the load balancer itself. The YAML file can be viewed here.
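As an added example (not the article’s own file), here is a complete Gateway that follows the setup described above: port 80 only redirects to HTTPS, and port 443 is declared as plain HTTP because the ELB has already terminated TLS with the ACM certificate. The gateway name and the hostname app.example.com are assumptions.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: example-gateway            # assumed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway          # default label on Istio's ingress gateway pods
  servers:
    # Port 80: the load balancer forwards plain HTTP here unchanged; Istio
    # answers with a 301 to https:// so no application traffic is served over HTTP.
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "app.example.com"        # assumed hostname
      tls:
        httpsRedirect: true        # sends 301 redirect for http requests
    # Port 443: TLS was terminated by the ELB using the ACM cert, so the gateway
    # receives plaintext. Protocol must be HTTP (not HTTPS), and no tls block or
    # credentialName is needed because no key material lives in the cluster.
    - port:
        number: 443
        name: https                # matches the "https" port of the ingressgateway Service
        protocol: HTTP
      hosts:
        - "app.example.com"
```

Because the ELB-to-gateway hop is plaintext, this relies on the VPC for confidentiality of that hop; if that is not acceptable, the ELB must pass TLS through and the gateway must terminate it itself instead of using this ACM-based setup.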