How to set up HTTPS with Istio and Kubernetes on GKE

Benjamin Sanvoisin. Originally published at padok.fr

You would typically use annotations on a Kubernetes Ingress to set up HTTPS and a static IP with GKE. Istio sets up its own ingress load balancer, which is of type ‘Service’, but GKE is not compatible with annotations on that type.
If you are not familiar with Kubernetes, you can check out this article: https://www.padok.fr/en/blog/kubernetes-essentials-components-pods-services. If you want to test this article live, set up your own Kubernetes cluster on GKE by following this article: https://www.padok.fr/en/blog/kubernetes-google-cloud-terraform-cluster

Cert-Manager with Kubernetes and GCP
You can use cert-manager with Kubernetes to set up HTTPS; the process is fairly straightforward. We’ll go through setting it up.
Set up Istio to work with cert-manager

istioctl manifest apply \
  --set values.gateways.istio-ingressgateway.sds.enabled=true \
  --set values.global.k8sIngress.enabled=true \
  --set values.global.k8sIngress.enableHttps=true \
  --set values.global.k8sIngress.gatewayName=ingressgateway

Set up the certificate; make sure to set all environment variables

cat <<EOF | kubectl apply -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: $INGRESS_DOMAIN
  dnsNames:
  - $INGRESS_DOMAIN
  acme:
    config:
    - http01:
        ingressClass: istio
      domains:
      - $INGRESS_DOMAIN
EOF


If you require a production-level certificate, you can change the issuerRef name to letsencrypt instead of letsencrypt-staging.
For more details on this setup, see the official Istio documentation: https://istio.io/docs/tasks/traffic-management/ingress/ingress-certmgr/
And cert-manager documentation: https://docs.cert-manager.io/en/latest/
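
The heredoc in the certificate step expands an unset INGRESS_DOMAIN to an empty string, so an empty commonName reaches the cluster. The following is an added example, not code from the original article or from Istio or cert-manager: it validates the domain and issuer before rendering the same manifest. The function name render_ingress_cert is hypothetical.

```shell
# Added example: validate inputs, then print the Certificate manifest to stdout.
# render_ingress_cert is a hypothetical helper, not part of Istio or cert-manager.
# Usage: render_ingress_cert "$INGRESS_DOMAIN" [issuer] | kubectl apply -f -
render_ingress_cert() {
  domain="$1"
  issuer="${2:-letsencrypt-staging}"
  # An unset INGRESS_DOMAIN would otherwise render as an empty commonName.
  [ -n "$domain" ] || { echo "error: domain is empty; export INGRESS_DOMAIN" >&2; return 1; }
  # HTTP-01 cannot validate wildcard names; other characters would corrupt the YAML.
  case "$domain" in
    \**) echo "error: wildcard names cannot be issued through http01" >&2; return 1 ;;
    *[!A-Za-z0-9.-]*|.*|*.|-*|*..*) echo "error: invalid host name: $domain" >&2; return 1 ;;
    *.*) ;;
    *) echo "error: $domain is not a fully qualified domain name" >&2; return 1 ;;
  esac
  # X.509 limits commonName to 64 characters.
  [ "${#domain}" -le 64 ] || { echo "error: commonName exceeds 64 characters" >&2; return 1; }
  # Accept only the two ClusterIssuer names the article mentions.
  case "$issuer" in
    letsencrypt-staging|letsencrypt) ;;
    *) echo "error: unknown issuer: $issuer" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  issuerRef:
    name: $issuer
    kind: ClusterIssuer
  commonName: $domain
  dnsNames:
  - $domain
  acme:
    config:
    - http01:
        ingressClass: istio
      domains:
      - $domain
EOF
}
```

Piping the output to `kubectl apply -f -` replaces the inline heredoc; passing `letsencrypt` as the second argument selects the production issuer.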

The rest of the article is available here: https://www.padok.fr/en/blog/https-istio-kubernetes

