Skip to main content

Certificates outside ACME

In some instances there is a requirement to use certificates not from ACME. This might be because DNS points to something other than SKIP LB, and traffic is routed to SKIP via other endpoints in kartverket.

Create certificate secret resource in istio-gateways

To be able to use a custom certificate we need a secret to mount to the gateway resource. This is a kubernetes.io/tls type secret and can be created via external secrets like this:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: star-matrikkel
namespace: istio-gateways
spec:
dataFrom:
- extract:
conversionStrategy: Default
decodingStrategy: Auto
key: star-matrikkel-no-key
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: gsm
target:
creationPolicy: Owner
deletionPolicy: Retain
name: star-matrikkel # Secret in Kubernetes
template:
engineVersion: v2
mergePolicy: Replace
type: kubernetes.io/tls

This fetches the secret from Google Secret Manager. This secret should look like this:

{
"tls.crt":"[base64 encoded cert chain]",
"tls.key":"[base64 encoded tls.key]"
}

Edit the gateway resource

The gateway resource should then be updated with the new secret:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: gateway-ingress
namespace: matrikkel-keycloak
spec:
selector:
app: istio-ingress-external
servers:
- hosts:
- auth.matrikkel.no
port:
name: http
number: 80
protocol: HTTP
- hosts:
- auth.matrikkel.no
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: star-matrikkel # Secret created by externalsecret
mode: SIMPLE

If Skiperator is the gateway creator

When the gateway is created via Skiperator it will have a credentialName corresponding to the secret created by the certificate from Skiperator. Skiperator will reset configurations to its resources unless the resource labeled “skiperator.kartverket.no/ignore: "true"“. This will make skiperator ignore this specific resource during reconciliation loops.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
labels:
skiperator.kartverket.no/ignore: "true"

This is meant to be a temporary solution, and ACME is the prefered way to get certificates in SKIP.

Change to ACME certificate

Non-Skiperator apps

Using ACME certificate on a non skiperator app requires a certificate resource, and using the resulting secret in the gateway. This resource must be created in the istio-gateways namespace and therefore in the skip-apps :

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: certificate-name
namespace: istio-gateways
spec:
dnsNames:
- appname.kartverket.no
issuerRef:
kind: ClusterIssuer
name: cluster-issuer
secretName: desired-secret-name

After this is created and the secret is created, the gateway resource can be edited, and spec.tls.credentialName set to the secret.

Skiperator apps

Remove the “skiperator.kartverket.no/ignore: "true"“ label, and skiperator will handle the rest.