The istio-pilot charm provides two options to enable a Transport Layer Security (TLS) ingress gateway for a single host:
- Integrating with a TLS certificate provider: used when all certificate handling should be done by a TLS certificate provider charm, which can be connected to an external CA or a self-signed CA. This approach is recommended.
- Passing TLS certificate and key values: used when the Charmed Kubeflow administrator wants to set the TLS certificate and private key manually.
See more: TLS ingress gateway for a single host
Integrating with a TLS certificate provider
In the charm ecosystem, a TLS certificate provider is a charm that handles X.509 certificate creation, renewal, and revocation using the tls-interface.
The following can be used as TLS certificate providers, depending on the use case or security requirements of an organisation:
- For development or non-production environments, the istio-pilot charm can be related to the self-signed-certificates-operator.
- For environments where certificates are managed by the organisation, the tls-certificates-operator can be used.
- For deployments where it is desired to use ACME servers for validation (like Let's Encrypt), you can use any of httpreq-acme-operator, namecheap-acme-operator, or route53-acme-operator.
See more: Security with X.509 certificates
To integrate the istio-pilot charm with a TLS certificate provider, run:
juju relate istio-pilot:certificates <TLS certificate provider>:certificates
This triggers a mechanism in istio-pilot that automatically configures the Ingress Gateway to use the TLS certificate and key generated by the TLS certificate provider.
Remove TLS configuration
Remove the relation between istio-pilot and the TLS certificate provider; this makes the Ingress Gateway fall back to the default HTTP mode:
juju remove-relation istio-pilot:certificates <TLS certificate provider>:certificates
Passing TLS certificate and key values
Passing the TLS certificate and private key values will NOT BE SUPPORTED after Charmed Kubeflow 1.9. It is recommended that a TLS certificates provider is used instead.
This feature replaces the ssl-crt and ssl-key configuration options that were removed in Charmed Kubeflow 1.8. For migration steps, please see Migrating from configuration.
Juju 3.4 or above is required.
This feature allows passing the TLS certificate and private key values directly to the istio-pilot charm to configure TLS. The versions of istio-pilot that have this feature are:
- 1.17
- 1.18
- 1.19
- 1.20
- 1.21
- 1.22
To pass the TLS certificate and key values, do the following:
- Create a user secret to hold the TLS certificate and key values (as strings):
juju add-secret istio-tls-secret tls-crt="$(cat CERT_FILE)" tls-key="$(cat KEY_FILE)"
where tls-crt holds the contents of the TLS certificate file as a string and tls-key holds the contents of the TLS key file as a string.
- Grant istio-pilot access to the secret:
juju grant-secret istio-tls-secret istio-pilot
- Pass the secret ID as a configuration option:
juju config istio-pilot tls-secret-id=secret:<secret ID resulting from step 1>
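The three steps above as a single shell function, added here as an example; it is not part of the istio-pilot documentation or charm. It assumes that juju add-secret prints the new secret URI (secret:<id>) on stdout and that JUJU_CMD may point at a shim for a dry run; before anything reaches Juju it also checks that the first file is a PEM certificate and the second a PEM private key, which catches the common mistake of passing them in the wrong order.

```shell
#!/bin/sh
# Added example, not from the istio-pilot documentation: wraps the three
# "pass TLS certificate and key values" steps in one function.
# Assumptions: `juju add-secret` prints the new secret URI (secret:<id>) on
# stdout, and JUJU_CMD may point at a shim (e.g. for a dry run).
set -eu

JUJU_CMD="${JUJU_CMD:-juju}"

# Sanity check before anything reaches Juju: the first argument must be a
# PEM certificate and the second a PEM private key. This catches swapped
# files, which the charm would otherwise store and use as-is.
check_tls_files() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
        || { echo "error: $1 is not a PEM certificate" >&2; return 1; }
    grep -q -e 'PRIVATE KEY-----' "$2" 2>/dev/null \
        || { echo "error: $2 is not a PEM private key" >&2; return 1; }
}

# Pull the "secret:<id>" token out of whatever `juju add-secret` printed;
# prints nothing when no such token is present.
extract_secret_uri() {
    printf '%s\n' "$1" | grep -oE 'secret:[A-Za-z0-9]+' | head -n 1
}

# Steps 1-3 from the page: add the secret, grant istio-pilot access, and
# hand the resulting URI to the tls-secret-id config option.
configure_istio_tls() {
    cert="$1"; key="$2"
    check_tls_files "$cert" "$key" || return 1
    out="$("$JUJU_CMD" add-secret istio-tls-secret \
        tls-crt="$(cat "$cert")" tls-key="$(cat "$key")")"
    uri="$(extract_secret_uri "$out")"
    # Fail here rather than configuring the charm with an empty secret ID.
    [ -n "$uri" ] || { echo "error: no secret URI in: $out" >&2; return 1; }
    "$JUJU_CMD" grant-secret istio-tls-secret istio-pilot
    "$JUJU_CMD" config istio-pilot "tls-secret-id=$uri"
    printf '%s\n' "$uri"
}

# Usage: configure_istio_tls /path/to/tls.crt /path/to/tls.key
```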
Migrating from configuration to action
As mentioned before, passing the TLS certificate and key using Juju secrets replaces the ssl-* configuration options. The migration is as simple as juju refresh istio-pilot, but has the following considerations:
- The ssl-key and ssl-crt values passed as configuration options will be lost; it is recommended to save them before upgrading.
- Downtime is expected while upgrading to newer versions of istio-pilot, as the Ingress Gateway has to be reconfigured. This is expected to happen between the juju refresh command and the time after running the set-tls action.
- Migrating without setting the TLS certificate and private key values can lead to unexpected results. Make sure they are set.
To upgrade and re-configure, do the following:
- Get the existing configuration values and save them:
juju config istio-pilot ssl-crt
juju config istio-pilot ssl-key
- Refresh the istio-operators charms to the desired version:
juju refresh istio-pilot --channel $ISTIO_PILOT_CHANNEL
juju refresh istio-ingressgateway --channel $ISTIO_INGRESSGATEWAY_CHANNEL
juju status istio-pilot/<unit-number> --watch 5s # Wait for the unit to go to active and idle
- Pass the TLS certificate and key using Juju secrets.