The istio-pilot charm provides two options to enable a TLS ingress gateway for a single host:
- Integrating with a TLS certificate provider: used when it is desired that all the certificate handling is done by a TLS certificate provider charm, which can be connected to an external CA or a self-signed CA. This approach is recommended.
- Using the set-tls action: used when the Charmed Kubeflow administrator wants to manually set the TLS certificate and private key.
See more: TLS ingress gateway for a single host
Integrating with a TLS certificate provider
In the charm ecosystem, a TLS certificates provider is a charm that helps handle X.509 certificate creation, renewal, and revocation using the tls-interface.
The following can be used as TLS certificates providers depending on the use case or security requirements of an organisation:
- For development or non-production environments, the istio-pilot charm can be related to the self-signed-certificates-operator.
- For environments where certificates are managed by the organisation, the tls-certificates-operator can be used.
- For deployments where it is desired to use ACME servers for validation (like Let's Encrypt), you can use any of httpreq-acme-operator, namecheap-acme-operator, or route53-acme-operator.
See more: Security with X.509 certificates
To integrate istio-pilot with the TLS certificates provider, run:
juju relate istio-pilot:certificates <TLS certificates providers>:certificates
This will trigger a mechanism in istio-pilot that automatically configures the Ingress Gateway to use the TLS certificate and key generated by the TLS certificates provider.
Remove TLS configuration
Remove the relation between istio-pilot and the TLS certificate provider; this will make the Ingress Gateway change back to the default HTTP mode.
Using the set-tls action
Passing the TLS certificate and private key is a feature that will NOT BE SUPPORTED after Charmed Kubeflow 1.9. It is recommended that a TLS certificates provider is used instead.
This feature allows passing the TLS certificate and private key values directly to the istio-pilot charm to configure TLS. The versions of istio-pilot that have this feature are:
- 1.17
- 1.18
- 1.19
- 1.20
This feature replaces the ssl-crt and ssl-key configuration options that were removed in Charmed Kubeflow 1.8. For migration steps, please see the instructions in Migrating from configuration to action.
Set TLS configuration
To configure TLS, run:
$ juju run istio-pilot/<unit-number> set-tls ssl-crt="$(cat CERT_FILE)" ssl-key="$(cat KEY_FILE)"
where:
- ssl-crt is the TLS certificate as a string
- ssl-key is the TLS private key as a string
- unit-number is the number of the unit shown in the output of juju status
This will trigger a mechanism in istio-pilot that automatically configures the Ingress Gateway to use the TLS certificate and private key passed to the action.
Unset TLS configuration
To remove any traces of the TLS configuration:
$ juju run istio-pilot/<unit-number> unset-tls
This will make the Ingress Gateway change to the default HTTP mode.
Migrating from configuration to action
As mentioned before, the set-tls action replaces the ssl-* configuration options. The migration is as simple as juju refresh istio-pilot, but keep the following considerations in mind:
- The ssl-key and ssl-crt values passed as configuration options will be lost; it is recommended to save them before upgrading.
- Downtime is expected while upgrading to newer versions of istio-pilot, as the Ingress Gateway has to be reconfigured. This is expected to happen between the juju refresh command and the time after running the set-tls action.
- Migrating without setting the TLS certificate and private key values with the action can lead to unexpected results. Make sure they are set using the action.
Performing an upgrade and re-configuring is as simple as:
juju refresh istio-pilot --channel $ISTIO_PILOT_CHANNEL
juju status istio-pilot/<unit-number> --watch 5s # Wait for the unit to go to active and idle
juju run istio-pilot/<unit-number> set-tls ssl-crt="$(cat CERT_FILE)" ssl-key="$(cat KEY_FILE)"
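Because set-tls accepts whatever strings it is given, and the migration notes above warn that a missing or wrong pair leads to unexpected results, a pre-flight check that the certificate and private key actually belong together (and that the certificate has not expired) is worth running before the action. The following helper is an added example, not part of the istio-pilot charm or the Charmed Kubeflow docs; it assumes openssl and juju are on PATH, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Pre-flight check for `juju run istio-pilot/<unit> set-tls`: verify that the
# certificate and private key form a matching, unexpired pair before handing
# them to the action. Hypothetical helper, not part of the istio-pilot charm.
set -euo pipefail

# Return 0 when CERT_FILE and KEY_FILE match and the certificate is still valid.
check_tls_pair() {
  local cert="$1" key="$2"
  local cert_pub key_pub
  # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  # Public key derived from the private key, in the same PEM form.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  # -checkend 0 fails if the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
  return 0
}

# Render the exact set-tls invocation documented above for a given unit number.
set_tls_cmd() {
  local unit="$1" cert="$2" key="$3"
  printf 'juju run istio-pilot/%s set-tls ssl-crt="$(cat %s)" ssl-key="$(cat %s)"\n' \
    "$unit" "$cert" "$key"
}

# Run the check, then the action; refuse to configure the gateway with a bad pair.
set_tls_checked() {
  local unit="$1" cert="$2" key="$3"
  if ! check_tls_pair "$cert" "$key"; then
    echo "refusing set-tls: certificate and key do not match, or certificate expired" >&2
    return 1
  fi
  juju run "istio-pilot/$unit" set-tls ssl-crt="$(cat "$cert")" ssl-key="$(cat "$key")"
}
```

Typical use during the migration is `set_tls_checked 0 CERT_FILE KEY_FILE` right after the refreshed unit reports active and idle.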