Enable TLS ingress gateway for a single host

The istio-pilot charm provides two options for enabling a TLS ingress gateway for a single host:

  • Integrating with a TLS certificate provider - used when all certificate handling should be done by a TLS certificate provider charm, which can be backed by an external CA or a self-signed CA. This is the recommended approach.

  • Using the set-tls action - used when the Charmed Kubeflow administrator wants to set the TLS certificate and private key manually.

See more: TLS ingress gateway for a single host

Integrating with a TLS certificate provider

In the charm ecosystem, a TLS certificates provider is a charm that handles X.509 certificate creation, renewal, and revocation using the tls-interface.

The following can be used as TLS certificates providers depending on the use case or security requirements of an organisation:

See more: Security with X.509 certificates

To integrate a provider with istio-pilot, run:

juju relate istio-pilot:certificates <TLS certificates provider>:certificates

This triggers a mechanism in istio-pilot that automatically configures the Ingress Gateway to use the TLS certificate and key generated by the TLS certificates provider.

Remove TLS configuration

Remove the relation between istio-pilot and the TLS certificate provider. This makes the Ingress Gateway fall back to the default HTTP mode.

Using set-tls action

DEPRECATION NOTICE:

Passing the TLS certificate and private key is a feature that will NOT BE SUPPORTED after Charmed Kubeflow 1.9. It is recommended that a TLS certificates provider is used instead.

This feature allows passing the TLS certificate and private key values directly to the istio-pilot charm to configure TLS. The istio-pilot versions that provide this feature are:

  • 1.17
  • 1.18
  • 1.19
  • 1.20

This feature replaces the ssl-crt and ssl-key configuration options that were removed in Charmed Kubeflow 1.8. For migration steps, please see the instructions in Migrating from configuration to action.

Set TLS configuration

To configure TLS, run:

$ juju run istio-pilot/<unit-number> set-tls ssl-crt="$(cat CERT_FILE)" ssl-key="$(cat KEY_FILE)"

where:

  • ssl-crt is the TLS certificate, passed as a string
  • ssl-key is the TLS private key, passed as a string
  • unit-number is the number of the istio-pilot unit as shown in the output of juju status

This triggers a mechanism in istio-pilot that automatically configures the Ingress Gateway to use the TLS certificate and private key passed to the action.

Unset TLS configuration

To remove all traces of the TLS configuration, run:

$ juju run istio-pilot/<unit-number> unset-tls

This makes the Ingress Gateway fall back to the default HTTP mode.

Migrating from configuration to action

As mentioned before, the set-tls action replaces the ssl-* configuration options. The migration is as simple as juju refresh istio-pilot, but take the following into account:

  1. The ssl-key and ssl-crt values passed as configuration options will be lost. Save them before upgrading.
  2. Downtime is expected while upgrading to newer versions of istio-pilot, because the Ingress Gateway has to be reconfigured. The downtime spans from the juju refresh command until the set-tls action has been run.
  3. Migrating without then setting the TLS certificate and private key values with the action can lead to unexpected results. Make sure they are set using the action.

Performing an upgrade and re-configuring TLS is as simple as:

juju refresh istio-pilot --channel $ISTIO_PILOT_CHANNEL
juju status istio-pilot/<unit-number> --watch 5s # Wait for the unit to go to active and idle
juju run istio-pilot/<unit-number> set-tls ssl-crt="$(cat CERT_FILE)" ssl-key="$(cat KEY_FILE)"
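The following script is an added example and is not part of the Charmed Kubeflow documentation or the istio-pilot charm. It strings together the set-tls section and the three migration considerations above: it backs up the legacy ssl-crt/ssl-key configuration values before the refresh (consideration 1), checks that the certificate and private key actually belong together and that the certificate has not expired before handing them to set-tls (consideration 3), and re-applies TLS as soon as the unit is back (consideration 2). It assumes juju 3.x ("juju run <unit> <action>" syntax, "juju wait-for"), openssl on PATH, an application named istio-pilot, and the target channel in $ISTIO_PILOT_CHANNEL; the function names and the backup file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Charmed Kubeflow docs or the istio-pilot charm).
# Assumes: juju 3.x and openssl on PATH, an application named istio-pilot,
# and the target charm channel exported as ISTIO_PILOT_CHANNEL.
set -eu

# Save the ssl-crt/ssl-key configuration values, which are lost on refresh.
# $1 is the directory to write the backup into (file names chosen here).
backup_tls_config() {
  dir="$1"
  mkdir -p "$dir"
  juju config istio-pilot ssl-crt > "$dir/ssl.crt"
  juju config istio-pilot ssl-key > "$dir/ssl.key"
  chmod 600 "$dir/ssl.key"   # the private key must not be world-readable
}

# Verify that a certificate file ($1) and a private key file ($2) form a
# usable pair before passing them to set-tls: both parse as PEM, the public
# key inside the certificate equals the one derived from the private key,
# and the certificate has not expired. Returns 0 on success, 1 otherwise.
check_tls_pair() {
  cert="$1"; key="$2"
  openssl x509 -in "$cert" -noout 2>/dev/null \
    || { echo "$cert: not a PEM certificate" >&2; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null \
    || { echo "$key: not a PEM private key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and private key do not match" >&2
    return 1
  fi
  # -checkend 0 fails when the certificate is already past its notAfter date
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "certificate has expired" >&2
    return 1
  fi
  return 0
}

# Block until the unit ($1, e.g. istio-pilot/0) reports active/idle,
# instead of watching juju status by hand.
wait_for_unit() {
  juju wait-for unit "$1" \
    --query='workload-status=="active" && agent-status=="idle"' \
    --timeout=10m
}

# Refresh istio-pilot and re-apply TLS from the given cert/key files.
# The Ingress Gateway serves plain HTTP between the refresh and set-tls.
migrate_to_set_tls() {
  unit="$1"; cert="$2"; key="$3"
  check_tls_pair "$cert" "$key"
  juju refresh istio-pilot --channel "$ISTIO_PILOT_CHANNEL"
  wait_for_unit "$unit"
  juju run "$unit" set-tls ssl-crt="$(cat "$cert")" ssl-key="$(cat "$key")"
}

# Usage: ./migrate-tls.sh istio-pilot/<unit-number> /path/to/backup-dir
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
  backup_tls_config "$2"
  migrate_to_set_tls "$1" "$2/ssl.crt" "$2/ssl.key"
fi
```

The pair check is the part worth keeping even outside a migration: set-tls accepts whatever strings it is given, so a certificate paired with the wrong key, or an already expired one, is only discovered when clients start failing the TLS handshake. Running check_tls_pair on CERT_FILE and KEY_FILE first turns that into a local error before the Ingress Gateway is touched.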