
[BUG] Cert-manager and letsencrypt does not work with Istio addon

Open pratiksharma-dev opened this issue 2 years ago • 2 comments

Describe the bug

When creating ClusterIssuer, the http01 solver is not working with istio ingress class. Kindly check cluster issuer manifest here for reference: aks-istio-addon-setup/cluster-issuer.yaml at main · pratiksharma-dev/aks-istio-addon-setup (github.com). When I checked in my cluster there was no CRD present for istio ingress class. Even when I installed the CRD, I couldn't get letsencrypt http01 solver to work with istio. This works fine with OSS istio. At the end I used Gateway API and httproute to band aid this situation and make http01 solver work as shown here: aks-istio-addon-setup/gateway-api.yaml at main · pratiksharma-dev/aks-istio-addon-setup (github.com). But with this, I cannot use the istio ingress features and must stick to Gateway API.

To Reproduce

Install cert-manager as described here: https://github.com/pratiksharma-dev/aks-istio-addon-setup/blob/main/README.md#setup-cert-manager

Create ClusterIssuer and Certificate as shown here:
https://github.com/pratiksharma-dev/aks-istio-addon-setup/blob/main/cluster-issuer.yaml
https://github.com/pratiksharma-dev/aks-istio-addon-setup/blob/main/create-certificate.yaml

Expected behavior

The http01 solver should be able to verify the challenge and the certificate should be in ready state.

Environment (please complete the following information):

  • CLI Version 2.55
  • Kubernetes version 1.26.10
  • CLI Extension version aks-preview: 0.5.173, k8s-extension: 1.5.2, k8s-configuration: 1.7.0

pratiksharma-dev avatar Jan 29 '24 07:01 pratiksharma-dev

Any update on this? I am having similar issues.

alixmacdonald10 avatar Apr 15 '24 06:04 alixmacdonald10

Any news on this topic?

Joerg-L avatar Jul 05 '24 16:07 Joerg-L

We are looking into this, will update soon.

deveshdama avatar Jul 31 '24 22:07 deveshdama

It may help some people on this thread but in the end I removed the AKS managed Istio add on and installed it myself via helm and it works.

alixmacdonald10 avatar Aug 09 '24 14:08 alixmacdonald10

We've identified the issue: the auto-generated k8s ingress is not materialized as expected by cert-manager. We are working on the solution.

deveshdama avatar Aug 19 '24 23:08 deveshdama

@pratiksharma-dev - Kubernetes Ingress API isn't supported as part of Istio addon. In fact, in OSS Istio there's a push to add all new ingress capabilities under Kubernetes Gateway API support under Istio. Because there's a possibility that K8s Ingress support under Istio may be deprecated in future, it'd be hard to add support for that under addon and then cause a breaking change for any user who takes a dependency on the same. We are currently working on Istio Gateway API support (there are multiple things to address - health probe fixes, support for canary upgrade, ...) and tentatively this should be out in CY2024Q4 or may slip to CY2025Q1.

shashankbarsin avatar Aug 21 '24 04:08 shashankbarsin

@pratiksharma-dev - We've made changes to allow for Kubernetes ingress as part of Istio addon. Here is an example walkthrough for the cert-manager Let's Encrypt integration.

deveshdama avatar Sep 09 '24 17:09 deveshdama

> @pratiksharma-dev - We've made changes to allow for Kubernetes ingress as part of Istio addon. Here is an example walkthrough for the cert-manager Let's Encrypt integration.

What revision does this apply to?

caffeinism avatar Oct 08 '24 08:10 caffeinism

This applies to all revisions asm-1-21 and above.

deveshdama avatar Oct 08 '24 20:10 deveshdama
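
The two cert-manager HTTP-01 solver shapes this thread is about, side by side, as an added example that is not taken from the linked repository or the AKS walkthrough. Issuer names, the e-mail address, secret names, the Gateway name and the namespace are constructed placeholders; the class name `istio` follows the issue's wording and is an assumption about the IngressClass the add-on actually exposes. Both issuers point at the Let's Encrypt staging endpoint so repeated failed challenges do not consume production rate limits.

```yaml
# Variant 1: Ingress-based solver (the shape the original report could not get working).
# cert-manager creates a temporary Ingress for the challenge path; the ingress
# controller behind the named class must pick it up and route it to the solver pod.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-ingress        # constructed name
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                 # constructed placeholder
    privateKeySecretRef:
      name: letsencrypt-staging-ingress-key   # constructed name
    solvers:
      - http01:
          ingress:
            ingressClassName: istio        # assumption: verify with `kubectl get ingressclass`
---
# Variant 2: Gateway API solver (the workaround described in the issue).
# cert-manager creates a temporary HTTPRoute attached to an existing Gateway.
# Requires cert-manager's Gateway API support to be enabled.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-gateway        # constructed name
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                 # constructed placeholder
    privateKeySecretRef:
      name: letsencrypt-staging-gateway-key   # constructed name
    solvers:
      - http01:
          gatewayHTTPRoute:
            parentRefs:
              - name: example-gateway      # constructed: an existing Gateway with an HTTP (port 80) listener
                namespace: example-ns      # constructed placeholder
                kind: Gateway
```

When a Certificate stays not ready with either variant, the Challenge resource that cert-manager creates (`kubectl describe challenge`) records why the self-check or the ACME validation failed.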