Replies: 2 comments 7 replies
-
|
Put no hostname at the gateway level, cert-manager will catch the httproute and create the corresponding cert. apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: cert-httproute
namespace: yournamespace
spec:
parentRefs:
- name: gateway-name
namespace: yournamespece
sectionName: section-name -in-gateway
hostnames: ["*.your.domain"]This works with AWS ALB which send no SNI to the gateway |
Beta Was this translation helpful? Give feedback.
-
|
Would you mind expanding on this answer @JLO974-2 ? I'm currently setting up a combination of Istio, Cert Manager and AWS Load Balancer Controller (with External DNS), and I'm a bit confused as how to get this to work. |
Beta Was this translation helpful? Give feedback.
-
|
What @JLO974-2 is suggesting doesn't seem to be working. The gateway reports "bad config" due to missing hostname on the listener and cert manager isn't creating any certificates. apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: istio-gateway
annotations:
networking.istio.io/service-type: ClusterIP
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
gatewayClassName: istio
listeners:
- name: http
hostname: "*.k8s.eu-north-1.ops.company.com"
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: All
- name: https
port: 443
protocol: HTTPS
allowedRoutes:
namespaces:
from: All
tls:
mode: Terminate
certificateRefs:
- name: echo-server-tlsapiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: echo-server
spec:
parentRefs:
- name: istio-gateway
namespace: istio-ingress
sectionName: https
hostnames:
- "echo.k8s.eu-north-1.ops.company.com"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: echo-service
port: 8080if I add the wildcard hostname from the HTTP listener, I get a certificate - but it's a wildcard cert which is not what I want. |
Beta Was this translation helpful? Give feedback.
-
|
If you need multiple certificates with specific names, you can test to have one httproute for each certificate. should works too. |
Beta Was this translation helpful? Give feedback.
-
Since it doesn't even work for me with one HTTPRoute, I'm doubtful it will work more than one. 😏 So weird, I don't see any real differences from your setup and mine. Other than I'm using the v1 of the Gateway and I have a specific hostname and not a wildcard one. I'm using the cert-manager v1.16.2 chart. |
Beta Was this translation helpful? Give feedback.
-
|
Oh, and I'm using an NLB, but I don't see how that would affect anything. It's cert-manager not even reacting when a listener without a hostname is present. Cert manager reports to the Gateway "bad config" because the listener is missing hostname. |
Beta Was this translation helpful? Give feedback.
-
|
I have no more log of the message gateway bad config, perhaps I had it when I created the gateway a few month ago. |
Beta Was this translation helpful? Give feedback.
-
|
According to the docs:
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I am trying out Certifificate manager with Kubernetes Gateway API and I want to use the same Gateway for HTTPRoute from different namespaces.
The challenge I am facing is, this Gateway needs to support multiple certificates so I can't use
cert-manager.io/common-nameannotation on it because it does not make sense to use the same common name on all certificates.Does anyone know how we can do
cert-manager.io/common-name: <hostname>and hostname bing dynamic for each cert?Beta Was this translation helpful? Give feedback.
All reactions