Enable TLS ingress gateway for a single host

The istio-pilot charm provides two options to enable Transport Layer Security (TLS) ingress gateway for a single host:

See more: TLS ingress gateway for a single host

Integrating with a TLS certificate provider

In the charm ecosystem, a TLS certificate provider is a charm that handles X.509 certificate creation, renewal, and revocation using the tls-interface.

The following can be used as TLS certificate providers depending on the use case or security requirements of an organisation:

See more: Security with X.509 certificates

To integrate with the istio-pilot, run:

juju relate istio-pilot:certificates <TLS certificate provider>:certificates

This triggers a mechanism in istio-pilot that automatically configures the Ingress Gateway to use the TLS certificate and key generated by the TLS certificate provider.

Remove TLS configuration

Remove the relation between istio-pilot and the TLS certificate provider; this switches the Ingress Gateway back to the default HTTP mode:

juju remove-relation istio-pilot:certificates <TLS certificate provider>:certificates

Passing TLS certificate and key values

DEPRECATION NOTICE:

:warning: Passing the TLS certificate and private key values will NOT BE SUPPORTED after Charmed Kubeflow 1.9. It is recommended that a TLS certificates provider is used instead.

This feature replaces the ssl-crt and ssl-key configuration options that were removed in Charmed Kubeflow 1.8. For migration steps, please see Migrating from configuration.

Juju 3.4 or above is required.

This feature allows passing the TLS certificate and private key values directly to the istio-pilot charm to configure TLS. The istio-pilot versions that support this feature are:

  • 1.17
  • 1.18
  • 1.19
  • 1.20
  • 1.21
  • 1.22

To pass the TLS certificate and key values, do the following:

  1. Create a user secret to hold the TLS certificate and key values (as strings):

     juju add-secret istio-tls-secret tls-crt="$(cat CERT_FILE)" tls-key="$(cat KEY_FILE)"

     where

       • tls-crt holds the contents of the TLS certificate file as a string
       • tls-key holds the contents of the TLS key file as a string

  2. Grant istio-pilot access to the secret:

     juju grant-secret istio-tls-secret istio-pilot

  3. Pass the secret ID as a configuration option:

     juju config istio-pilot tls-secret-id=secret:<secret ID resulting from step 1>

Migrating from configuration to action

As mentioned before, passing the TLS certificate and key using Juju secrets replaces the ssl-* configuration options. The migration is as simple as juju refresh istio-pilot, but note the following considerations:

  1. The ssl-key and ssl-crt values passed as configuration options will be lost; save them before upgrading.
  2. Downtime is expected while upgrading to newer versions of istio-pilot, as the Ingress Gateway has to be reconfigured. This happens between running the juju refresh command and completing the set-tls action.
  3. Migrating without setting the TLS certificate and private key values can lead to unexpected results. Make sure they are set.

To upgrade and re-configure, do the following:

  1. Get the existing configuration values and save them:

     juju config istio-pilot ssl-crt
     juju config istio-pilot ssl-key

  2. Refresh the istio-operators charms to the desired version:

     juju refresh istio-pilot --channel $ISTIO_PILOT_CHANNEL
     juju refresh istio-ingressgateway --channel $ISTIO_INGRESSGATEWAY_CHANNEL
     juju status istio-pilot/<unit-number> --watch 5s # Wait for the unit to go to active and idle

  3. Pass the TLS certificate and key using Juju secrets.
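The following script is an added example; it is not part of the Charmed Kubeflow documentation or the istio-pilot charm. It wraps both procedures on this page: saving the old ssl-crt and ssl-key values before juju refresh (the migration steps), and then passing the certificate and key through a user secret (the three secret steps). It also adds the checks a practitioner wants before storing material in a secret: that each file really is a PEM block of the expected kind, that the key file is not left world-readable, and that a secret URI was actually returned by juju add-secret. Assumptions: the juju CLI is on PATH and targets a model containing istio-pilot; the secret name istio-tls-secret and the backup directory are choices made here; and juju wait-for application (a Juju 3.x command) is used in place of the manual juju status check from the docs.

```shell
#!/usr/bin/env bash
# Added example, not from the Charmed Kubeflow docs or the istio-pilot charm.
# Assumes the `juju` CLI is on PATH and targets a model containing istio-pilot.
set -eu

# Check that a file contains a PEM block of the expected kind ("CERTIFICATE"
# or "PRIVATE KEY"; variants such as "RSA PRIVATE KEY" also match).
pem_has_block() {
    file="$1"; kind="$2"
    grep -q -- "-----BEGIN .*${kind}-----" "$file" \
        && grep -q -- "-----END .*${kind}-----" "$file"
}

# `juju add-secret` prints the URI of the new secret. Pull the first
# "secret:<id>" token out of captured output; prints nothing if none is found.
secret_uri_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*\(secret:[A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Consideration 1 from the migration notes: the ssl-crt / ssl-key values are
# lost on refresh, so dump them to files first and refuse to continue if
# either is empty or not a PEM block.
save_ssl_config() {
    outdir="$1"
    mkdir -p "$outdir"
    juju config istio-pilot ssl-crt > "$outdir/tls.crt"
    juju config istio-pilot ssl-key > "$outdir/tls.key"
    chmod 600 "$outdir/tls.key"   # the private key must not be world-readable
    pem_has_block "$outdir/tls.crt" "CERTIFICATE" \
        || { echo "ssl-crt is empty or not a PEM certificate" >&2; return 1; }
    pem_has_block "$outdir/tls.key" "PRIVATE KEY" \
        || { echo "ssl-key is empty or not a PEM private key" >&2; return 1; }
}

# Steps 1-3 of "Passing TLS certificate and key values".
configure_istio_tls() {
    cert_file="$1"; key_file="$2"; secret_name="${3:-istio-tls-secret}"
    pem_has_block "$cert_file" "CERTIFICATE" \
        || { echo "not a PEM certificate: $cert_file" >&2; return 1; }
    pem_has_block "$key_file" "PRIVATE KEY" \
        || { echo "not a PEM private key: $key_file" >&2; return 1; }

    # Step 1: store both values (as strings) in a user secret
    output="$(juju add-secret "$secret_name" \
        tls-crt="$(cat "$cert_file")" tls-key="$(cat "$key_file")")"
    secret_uri="$(secret_uri_from_output "$output")"
    [ -n "$secret_uri" ] || { echo "no secret URI in: $output" >&2; return 1; }

    # Step 2: let istio-pilot read the secret
    juju grant-secret "$secret_name" istio-pilot

    # Step 3: point the charm at the secret
    juju config istio-pilot tls-secret-id="$secret_uri"
    echo "$secret_uri"
}

# Full migration: save, refresh, wait for the application, then re-apply
# TLS via the secret. Channels come from the environment, as in the docs.
migrate_from_ssl_config() {
    backup_dir="$1"
    save_ssl_config "$backup_dir"
    juju refresh istio-pilot --channel "$ISTIO_PILOT_CHANNEL"
    juju refresh istio-ingressgateway --channel "$ISTIO_INGRESSGATEWAY_CHANNEL"
    # Consideration 2: the gateway stays unconfigured until the secret is
    # applied, so block here until the refreshed application is active
    # (assumption: `juju wait-for application` is available, i.e. Juju 3.x).
    juju wait-for application istio-pilot
    configure_istio_tls "$backup_dir/tls.crt" "$backup_dir/tls.key"
}

# Usage:
#   ./istio_tls.sh migrate ./tls-backup
#   ./istio_tls.sh set /path/to/tls.crt /path/to/tls.key
case "${1:-}" in
    migrate) migrate_from_ssl_config "$2" ;;
    set) configure_istio_tls "$2" "$3" ;;
esac
```

The pem_has_block check is deliberately run both when saving and when configuring, because an empty ssl-crt value (the charm option unset, or already lost after refresh) would otherwise be stored silently as an empty secret and leave the gateway in the "unexpected results" state the migration notes warn about.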