Updated istioGateway to Support Multiple Certificates
General MR
Summary
- Modified istioGateway to accept a list of certificates for each gateway
- Updated documentation and examples to reflect update
Relevant logs/screenshots
Output of kubectl get secrets -n istio-gateway after change:
Output of kubectl get gateway main-ingressgateway -n istio-gateway:
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  annotations:
    meta.helm.sh/release-name: main-ingressgateway
    meta.helm.sh/release-namespace: istio-gateway
  creationTimestamp: "2025-05-13T11:04:57Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: main-ingressgateway
    helm.toolkit.fluxcd.io/namespace: bigbang
  name: main-ingressgateway
  namespace: istio-gateway
  resourceVersion: "4498"
  uid: dfa5337e-cd28-4d37-96e6-54fd7b7d548c
spec:
  selector:
    app: main-ingressgateway
  servers:
  - hosts:
    - '*.dso.mil'
    port:
      name: https-public
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: main-cert
      mode: SIMPLE
  - hosts:
    - software.af.mil
    port:
      name: https-cso
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: cso-site-cert
      mode: SIMPLE
Prior to this update it was not possible to use multiple certificates, and the certificates that were created simply had the name of the gateway with -cert appended (i.e. public-cert for a gateway named public).
Linked Issue
Upgrade Notices
The certificate section structure for istioGateway has now changed to allow for multiple certificates to be used with a single gateway. As a result, the values schema should be updated as follows:
Original
istioGateway:
  values:
    gateways:
      custom:
        tls:
          cert: ...
          key: ...
          ca: ...
Updated
istioGateway:
  values:
    gateways:
      custom:
        gatewayCerts:
        - name: custom-cert
          tls:
            cert: ...
            key: ...
            ca: ...
The name property should match what is used in the credentialName property for the gateway:
Full Example
istioGateway:
  values:
    gateways:
      custom:
        gatewayCerts:
        - name: custom-cert
          tls:
            cert: ...
            key: ...
            ca: ...
        # These values are used to configure the `Gateway` CR we
        # create in the istio-gateway chart.
        gateway:
          servers:
          - hosts:
            - "*.example.com"
            port:
              name: http
              number: 8080
              protocol: HTTP
            tls:
              httpsRedirect: true
          - hosts:
            - "*.example.com"
            port:
              name: https
              number: 8443
              protocol: HTTPS
            tls:
              credentialName: custom-cert # this should match the <name> property in the list of certs under <gatewayCerts> to select the right secret
              mode: SIMPLE
If you have already started the process of migrating to beta istio, you can minimize the impact by simply ensuring the name property matches the certificate that was already created previously.
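The schema migration and the credentialName matching rule above, as an added Python example (not code from the Big Bang project): it rewrites a legacy single tls block into a gatewayCerts entry named <gateway>-cert, the name the old chart gave the secret, and then reports any HTTPS server whose credentialName resolves to no gatewayCerts entry. The values dict is a constructed sample with certificate material elided; loading it from a real values file with yaml.safe_load is assumed.

```python
from copy import deepcopy


def migrate_gateway_certs(values):
    """Return a copy of an istioGateway values dict in the new schema.

    A gateway that still carries a top-level ``tls`` block gets a single
    gatewayCerts entry named ``<gateway>-cert`` (the secret name the old
    chart produced), so existing credentialName references keep resolving.
    Gateways already using gatewayCerts are left untouched.
    """
    out = deepcopy(values)
    for gw_name, gw in out["istioGateway"]["values"]["gateways"].items():
        if "tls" in gw and "gatewayCerts" not in gw:
            gw["gatewayCerts"] = [{"name": f"{gw_name}-cert", "tls": gw.pop("tls")}]
    return out


def unresolved_credentials(values):
    """Return (gateway, credentialName) pairs for HTTPS servers whose
    credentialName matches no gatewayCerts entry. Each such server would
    point Istio at a secret the chart never creates, so TLS fails for it."""
    missing = []
    for gw_name, gw in values["istioGateway"]["values"]["gateways"].items():
        known = {c["name"] for c in gw.get("gatewayCerts", [])}
        for server in gw.get("gateway", {}).get("servers", []):
            if server.get("port", {}).get("protocol") != "HTTPS":
                continue  # plain HTTP / httpsRedirect servers reference no secret
            cred = server.get("tls", {}).get("credentialName")
            if cred not in known:
                missing.append((gw_name, cred))
    return missing


# Constructed sample in the pre-change layout; the second server references
# a certificate that the legacy single-cert schema could not supply.
LEGACY_VALUES = {"istioGateway": {"values": {"gateways": {"public": {
    "tls": {"cert": "<cert>", "key": "<key>", "ca": "<ca>"},
    "gateway": {"servers": [
        {"hosts": ["*.example.com"],
         "port": {"name": "https", "number": 8443, "protocol": "HTTPS"},
         "tls": {"credentialName": "public-cert", "mode": "SIMPLE"}},
        {"hosts": ["cso.example.com"],
         "port": {"name": "https-cso", "number": 8443, "protocol": "HTTPS"},
         "tls": {"credentialName": "cso-site-cert", "mode": "SIMPLE"}},
    ]},
}}}}}

if __name__ == "__main__":
    migrated = migrate_gateway_certs(LEGACY_VALUES)
    print(migrated["istioGateway"]["values"]["gateways"]["public"]["gatewayCerts"])
    print(unresolved_credentials(migrated))  # cso-site-cert still needs its own entry
```

Adding a second gatewayCerts entry named cso-site-cert to the migrated values makes the check return an empty list.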