Deploying an HTTPS Website with Kubernetes, Istio, and cert-manager: Part 2

In this tutorial I’ll be walking you through you how to deploy an HTTPS microservice website using Kubernetes, Istio and Kubernetes cert-manager.

This is part 2 of a two-part series. The first part takes you through the Kubernetes cluster setup, installing and configuring Istio on that cluster, and deploying your first application on the cluster. In part 2 we’ll learn how to use Istio gateways, routes, and how to secure your website with Kubernetes cert-manager.


In order for our website to use HTTPS, we need to configure our Kubernetes cluster to use the cert-manager plugin. This plugin allows you to generate SSL certificates for your website automatically. To install cert-manager we'll use our Kubernetes package manager and friend Helm. Run the following 3 commands:

$ helm repo add jetstack 
$ helm repo update
$ helm install cert-manager jetstack/cert-manager \
--namespace istio-system \
--set installCRDs=true

When successful you’ll see a message:

cert-manager has been deployed successfully!In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).More information on the different types of issuers and how to configure them can be found in our documentation: information on how to configure cert-manager to automatically provision Certificates for Ingress resources, take a look at the `ingress-shim` documentation:


The cert-manager relies on a new Kubernetes api-resource called an Issuer to... well... issue certificates. It will then store the certificate inside of a Kubernetes Secret, defined in the YAML of the issuer (called my-certificate-key in this example). Be sure to update your email address


Save the YAML and apply it:

$ kubectl apply -f my-issuer.yml created

You can verify the certificate was created by listing the secrets in the istio-system namespace. You should see an entry for my-certificate-key:

$ kubectl -n istio-system get secrets NAME              TYPE    DATA  AGE 
[ ... ]
my-certificate-key Opaque 1 5s


We’ve finally made it to where we can get our SSL certificate. To do this, we’ll create a new Certificate Kubernetes API resource. This certificate resource will, in this example, be called my-cert and live in the istio-system namespace. It will save it's certificate's .key and .crt files in a Kubernetes secret named my-ingress-cert. The issuerRef name must match the Issuer we created above, and the certificate must live in the same namespace as the istio-ingressgateway. Also don't forget to update your dnsNames.


Before applying your certificate YAML, double check that your domain is resolvable to your Istio Ingress Gateway IP address

$ nslookup YOURDOMAIN.COM Non-authoritative answer: 

Once confirmed, apply your certificate:

$ kubectl apply -f my-certificate.yml created

Listing the secrets of istio-system namespace should now include the my-ingress-cert secret:

$ kubectl get secret -n istio-system NAME              TYPE                DATA  AGE 
[ ... ]
my-certificate-key Opaque 1 17m
my-ingress-cert 2 15s


With our SSL certificate in place, the last thing we need to do is route the incoming traffic to our pods. This is all done by Istio Gateways and VirtualServices. Let’s create our first Istio gateway. We’ll create a new Gateway named bookinfo-gateway-https which will reside in the default Kubernetes namespace. The gateway will listen on port 80 for YOURDOMAIN.COM and redirect traffic to HTTPS Port 443. The gateway will also be listening on HTTPS/443 for YOURDOMAIN.COM and use the certificate we created in the previous step, my-ingress-cert


Apply the gateway YAML file:

$ kubectl apply -f my-gateway.yml created

Virtual Services

The last component of this that we need to set up are the Virtual Services. Similar to those in NGINX or Apache, we need to configure the routes that Istio will direct traffic that comes in on YOURDOMAIN.COM to. These routes are called "Virtual Services" and are defined by yet another YAML file. The virtual service will route all requests to /productpage, /static, /login, /logout, and /api/v1/products through the bookinfo-gateway-https gateway we created above and route it to the productpage service of the application. This productpage service was created when we deployed the bookinfo application in part 1 of this tutorial.


Apply your virtual services:

$ kubectl apply -f my-virtualservice.yml created

Hooray! You’ve done it! You should be able to go to https://YOURDOMAIN.COM/productpage and see the beautiful bookinfo example application deployed!




Web Developer, Marathon Runner, Coffee Drinker.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Algorand Python Code Along Series

What I learned from my first Advent of Code

Generasi Gigih — Week 1 Reflection

How to Run CRI-O 1.9.10 with OpenShift Container Platform 3.9 and Red Hat Enterprise Linux 7.4

Terraform | AWS ECS: Deploying docker app

Configure HAProxy Loadblancer With Dynamic Inventory using Ansible on AWS

CI/CD Labs Part 1 : Integrate Jenkins with Nexus Repository OSS

EP14: Assigning teams to features or services

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Web Developer, Marathon Runner, Coffee Drinker.

More from Medium

Kubernetes Probes: Startup, Liveness, Readiness

DevOps Round-Up CW17

Customizing the error code response for Client Certificate Authentication (mTLS) with NGINX ingress…

Create and Deploy a LAMP stack as a Helm Chart