The purpose of the controller is to watch labeled Gateway resources and construct Certificates within the defined CertificateNamespace.
- Istio maintains a validation constraint that enforces a servers
port.namemust be unique within the slice.
- Given a Gateway labeled for management by the controller.
- Inspect each Server entry and check if a Certificate exists.
- If not exists, Create the Certificate if
tls.Mode = SIMPLE - If exists, Update the Certificate with the server's hosts slice.
For example:
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: httpbin-gateway
namespace: default
labels:
"v1beta1.kanopy-platform.github.io/istio-cert-controller-inject-simple-credential-name": "true"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "default/httpbin.example.com"
tls:
mode: SIMPLE- If the Gateway is annotated with
v1beta1.kanopy-platform.github.io/istio-cert-controller-issuerthe controller will set the ClusterIssuer accordingly. The controller WILL NOT verify that the ClusterIssuer exists.
The Gateway above will yield the following Certificate:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: default-httpbin-gateway-https
namespace: certificateNamespace
spec:
dnsNames:
- 'httpbin.example.com'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: selfsigned
secretName: default-httpbin-gateway-httpsNote, any Istio supported namespace prefix (default/httpbin.example.com) is removed before creating the certificate.