Closed
Description
Implementation
This can be done just by editing the API service's annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert.
To make it simpler to implement, we could only allow this to be changed if the user initially provided an ACM certificate ARN when the cluster was created.
As for where this could fit, we could add another generic CLI command that would only allow changing the SSL ARN for now.
The command could be cortex cluster update <field-to-update> <value-to-update-it-to>.
Context
Requested by Oldřich Šafář from the community Slack.
Temporary workaround
Install kubectl, run kubectl edit service ingressgateway-apis -n istio-system, and update the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation accordingly.
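As an added illustration of both the proposed cortex cluster update command and the kubectl workaround (this is example code, not Cortex's own implementation), the following Go program shows the checks a defender would want run before the annotation is touched: the value must parse as an ACM certificate ARN, the certificate must live in the cluster's region (an ELB can only use certificates from its own region), the cluster must already have been created with an ACM certificate (the simplification the issue proposes), and the certificate must exist. It then builds the JSON merge patch that kubectl patch would apply to the ingressgateway-apis Service. The CertificateChecker type is an assumption that stands in for awsClient.DoesCertificateExist from cluster_config.go so the logic can run offline; the ARN and annotation map in main are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Annotation read by the in-tree AWS cloud provider to attach an ACM certificate
// to the load balancer in front of the istio gateway (named in the issue).
const sslCertAnnotation = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"

// ACM certificate ARN shape: arn:aws[-partition]:acm:<region>:<12-digit account>:certificate/<id>
var acmCertARN = regexp.MustCompile(`^arn:aws(?:-[a-z]+)?:acm:([a-z0-9-]+):(\d{12}):certificate/([0-9a-f-]+)$`)

// ParseACMCertARN validates the ARN format and returns its region and account id.
// Anything that is not an ACM certificate (e.g. an IAM server certificate) is rejected.
func ParseACMCertARN(arn string) (region, account string, err error) {
	m := acmCertARN.FindStringSubmatch(strings.TrimSpace(arn))
	if m == nil {
		return "", "", fmt.Errorf("%q is not an ACM certificate ARN", arn)
	}
	return m[1], m[2], nil
}

// CertificateChecker is a hypothetical stand-in for awsClient.DoesCertificateExist
// from the issue's cluster_config.go, injected so the validation is testable offline.
type CertificateChecker func(arn string) (bool, error)

// AllowedToUpdate implements the issue's simplification: only clusters that were
// created with an ACM certificate (annotation already present) may have it changed.
func AllowedToUpdate(currentAnnotations map[string]string) bool {
	return currentAnnotations[sslCertAnnotation] != ""
}

// ValidateCertUpdate runs every check before anything on the cluster is modified.
func ValidateCertUpdate(arn, clusterRegion string, current map[string]string, exists CertificateChecker) error {
	if !AllowedToUpdate(current) {
		return fmt.Errorf("cluster was not created with an ACM certificate; refusing to add one via update")
	}
	region, _, err := ParseACMCertARN(arn)
	if err != nil {
		return err
	}
	if region != clusterRegion {
		return fmt.Errorf("certificate %s is in %s but the cluster is in %s; a load balancer can only use a certificate from its own region", arn, region, clusterRegion)
	}
	ok, err := exists(arn)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("certificate %s not found in region %s", arn, region)
	}
	return nil
}

// MergePatchForCert builds the JSON merge patch that sets or replaces the annotation;
// it is what `kubectl patch service ingressgateway-apis -n istio-system --type=merge -p '<patch>'`
// applies, and is the non-interactive equivalent of the kubectl edit workaround.
func MergePatchForCert(arn string) ([]byte, error) {
	patch := map[string]interface{}{
		"metadata": map[string]interface{}{
			"annotations": map[string]string{sslCertAnnotation: arn},
		},
	}
	return json.Marshal(patch)
}

func main() {
	// Constructed sample values: a cluster in us-west-2 that already has a certificate.
	current := map[string]string{sslCertAnnotation: "arn:aws:acm:us-west-2:123456789012:certificate/old-cert-id"}
	newARN := "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012"
	alwaysExists := func(string) (bool, error) { return true, nil }

	if err := ValidateCertUpdate(newARN, "us-west-2", current, alwaysExists); err != nil {
		fmt.Println("validation failed:", err)
		return
	}
	patch, _ := MergePatchForCert(newARN)
	fmt.Printf("kubectl patch service ingressgateway-apis -n istio-system --type=merge -p '%s'\n", patch)
}
```

Validating region and existence up front matters because the AWS cloud provider applies the annotation asynchronously: a bad ARN is only discovered when the load balancer reconcile fails, by which point the service may already be serving without the intended certificate.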
Notes
- Update the networking docs: the SSL certificate section of the custom domain guide can be moved into the HTTPS guide.
Relevant code
istio.yaml.j2
{% if config.get('ssl_certificate_arn', '') != '' %}
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "{{ config['ssl_certificate_arn'] }}"
{% endif %}
apis.yaml.j2
{% if config.get('ssl_certificate_arn', '') == '' %}
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
      - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/customgateway-certs/tls.crt
      privateKey: /etc/istio/customgateway-certs/tls.key
{% else %}
  - port:
      number: 443
      name: https
      protocol: HTTP
    hosts:
      - "*"
{% endif %}
cluster_config.go
if cc.SSLCertificateARN != nil {
	exists, err := awsClient.DoesCertificateExist(*cc.SSLCertificateARN)
	if err != nil {
		return errors.Wrap(err, SSLCertificateARNKey)
	}
	if !exists {
		return errors.Wrap(ErrorSSLCertificateARNNotFound(*cc.SSLCertificateARN, cc.Region), SSLCertificateARNKey)
	}
}