Add repository
# Register the Jetstack chart repository (fetched over HTTPS) under the alias "jetstack".
helm repo add jetstack 'https://charts.jetstack.io'
# Refresh the local chart index so the cert-manager chart can be resolved.
helm repo update
Install Cert Manager
# Install cert-manager as release "cert-manager" in a dedicated namespace.
# --version pins the chart so the install is reproducible; check that the
# pinned release is still supported before reusing this command.
# installCRDs=true ties the cert-manager CRDs to this Helm release: uninstalling
# the release also removes the CRDs and every Issuer/Certificate created from them.
helm install cert-manager jetstack/cert-manager \
  --version v1.10.1 \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true
Apply the staging ClusterIssuer object
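---
# Cluster-wide ACME issuer that talks to the Let's Encrypt staging endpoint.
# Staging certificates are not publicly trusted; use this issuer to prove the
# HTTP-01 flow works before requesting certificates from production.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR-EMAIL-GOES-HERE
    # Name of a secret used to store the ACME account private key.
    # For a ClusterIssuer, cert-manager keeps this secret in its cluster
    # resource namespace (by default the namespace it is installed in);
    # limit read access to Secrets there.
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider.
    # HTTP-01 requires the requested hostnames to be reachable on port 80
    # from the public internet while the challenge is being validated.
    solvers:
      - http01:
          ingress:
            class: istio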
Apply the production ClusterIssuer object
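---
# Cluster-wide ACME issuer that talks to the Let's Encrypt production endpoint.
# Production is rate limited, so confirm the staging flow succeeds first.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR-EMAIL-GOES-HERE
    # Name of a secret used to store the ACME account private key.
    # For a ClusterIssuer, cert-manager keeps this secret in its cluster
    # resource namespace (by default the namespace it is installed in);
    # limit read access to Secrets there.
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider.
    # HTTP-01 requires the requested hostnames to be reachable on port 80
    # from the public internet while the challenge is being validated.
    solvers:
      - http01:
          ingress:
            class: istio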
Apply Staging Certificate
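---
# Test certificate issued by the staging ClusterIssuer.
# cert-manager writes the key pair to the Secret named in secretName, in this
# Certificate's namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-ingressgateway-staging
  namespace: gateway
spec:
  secretName: istio-ingressgateway-staging
  commonName: my.example.com
  # Hostnames placed in the certificate; replace with the real domain.
  dnsNames:
    - my.example.com
  # kind must be ClusterIssuer because the issuer is cluster-scoped.
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer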
Wait until the certificate is ready
# List Certificate resources in the gateway namespace; continue once the
# READY column reports True for the certificate.
kubectl get certificate --namespace gateway
Apply Prod Certificate
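---
# Production certificate issued by the letsencrypt-prod ClusterIssuer.
# The resulting Secret holds the TLS private key that the gateway will serve;
# keep read access to Secrets in this namespace restricted.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-ingressgateway-prod
  namespace: gateway
spec:
  # Secret name later referenced by the Gateway's tls.credentialName.
  secretName: istio-ingressgateway-prod
  commonName: my.example.com
  # Hostnames placed in the certificate; replace with the real domain.
  dnsNames:
    - my.example.com
  # kind must be ClusterIssuer because the issuer is cluster-scoped.
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer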
Edit gateway yaml
# Open the live Gateway object in an editor; changes take effect when saved.
kubectl edit gateway istio-ingressgateway --namespace gateway
Configure the certificate secret: set the TLS mode to "SIMPLE" and set credentialName to the name of the secret that holds the certificate.
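---
# Excerpt of the existing Gateway as shown by `kubectl edit`; it is not meant
# to be applied as-is. Elided parts stay as they are; only the tls block of
# the HTTPS server entry is edited.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    # ... existing annotations, unchanged
  name: ...
  namespace: ...
spec:
  selector:
    # ... existing selector, unchanged
  servers:
    # ... other existing server entries, unchanged
    - hosts:
        - ...
      port:
        # ... existing port settings, unchanged
      tls:
        # SIMPLE: the gateway terminates TLS with its server certificate and
        # does not request a client certificate.
        mode: SIMPLE
        # Name of the Secret created by the production Certificate.
        # NOTE(review): Istio reads this secret from the namespace of the
        # ingress gateway workload; this guide assumes that is `gateway`.
        credentialName: istio-ingressgateway-prod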