Creating secure ingress gateways – Implementing Traffic Management, Security, and Observability with Istio

Secure ingress gateways are nothing but TLS-enabled ingress gateways. To enable TLS on an ingress gateway, we must provide it with a private key and a certificate chain. We will use a self-signed certificate chain for this exercise, but you must use a proper CA certificate chain in production. A CA certificate is a digital certificate that’s granted by a reputable CA, such as Verisign or Entrust, within a public key infrastructure (PKI). It plays a pivotal role in guaranteeing the security and reliability of digital interactions and transactions.

Let’s start by creating a root certificate and private key to sign certificates for our application by using the following command:
$ openssl req -x509 -sha256 -nodes -days 365 \
-newkey rsa:2048 -subj ‘/O=example Inc./CN=example.com’ \ -keyout example.com.key -out example.com.crt

Using the generated root certificate, we can now generate the server certificate and the key using the following commands:
$ openssl req -out blogapp.example.com.csr \
newkey rsa:2048 -nodes -keyout blogapp.example.com.key \ -subj “/CN=blogapp.example.com/O=blogapp organization” $ openssl x509 -req -sha256 -days 365 \
CA example.com.crt -CAkey example.com.key -set_serial 1 \ -in blogapp.example.com.csr -out blogapp.example.com.crt

The next step is to generate a Kubernetes TLS secret within the istio-ingress namespace for our ingress gateway to read it. However, as we don’t want to store the TLS key and certificate in our Git repository, we will use Google Secrets Manager instead. Therefore, let’s run the following command to do so:
$ echo -ne “{\”MONGO_INITDB_ROOT_USERNAME\”: \”root\”, \
\”MONGO_INITDB_ROOT_PASSWORD\”: \”itsasecret\”, \
\”blogapptlskey\”: \”$(base64 blogapp.example.com.key -w 0)\”, \ \”blogapptlscert\”: \”$(base64 blogapp.example.com.crt -w 0)\”}” | \ gcloud secrets versions add external-secrets –data-file=-Created version [2] of the secret [external-secrets].

Now, we must create an external secret manifest to fetch the keys and certificates from Secrets Manager and generate a TLS secret. The following manifest will help us achieve that:
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: blogapp-tls-credentials
namespace: istio-ingress
spec:
secretStoreRef:
kind: ClusterSecretStore
name: gcp-backend
target:
template:
type: kubernetes.io/tls
data:
tls.crt: “{{ .blogapptlscert | base64decode | toString }}”
tls.key: “{{ .blogapptlskey | base64decode | toString }}”
name: blogapp-tls-credentials
data:
secretKey: blogapptlskey remoteRef:
key: external-secrets
property: blogapptlskey
secretKey: blogapptlscert remoteRef:
key: external-secrets
property: blogapptlscert

Now, let’s create a directory within our Environment Repository and copy the external secret manifest there. Use the following commands for that:
$ mkdir ~/mdo-environments/manifests/istio-ingress
$ cp ~/modern-devops/ch15/security/blogapp-tls-credentials.yaml \ ~/mdo-environments/manifests/istio-ingress

Next, we need to modify the ingress gateway resource to configure TLS. To do so, we must modify the Gateway resource to the following:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: blog-app-gateway
namespace: blog-app
spec:
selector:
istio: ingress
servers:
port: number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: blogapp-tls-credentials
hosts:

• “*”

The gateway configuration is similar to the previous one, but instead of port 80, we’re using port 443 for HTTPS. We also have a tls section with a SIMPLE mode, which means it is a standard TLS connection. We’ve specified credentialName, pointing to the secret we created using the TLS key and certificate. Since all the setup is now ready, let’s commit and push the code using the following commands:
$ cp ~/modern-devops/ch15/security/gateway.yaml \
~/mdo-environments/manifests/blog-app/
$ cp ~/modern-devops/ch15/security/run-tests.yml \
~/mdo-environments/.github/workflows/
$ git add –all
$ git commit -m “Enabled frontend TLS”
$ git push

Wait for blog-app to sync. Once we’ve done this, we can access our application at https: //. With that, the connection coming into our application has been encrypted.

Though we’ve secured connection coming into our mesh, securing all internal service interactions with services using TLS within your service mesh would be good as an additional security layer. We’ll implement that next.