Enable TLS ingress gateway for a single host

The istio-pilot charm provides two options to enable Transport Layer Security (TLS) ingress gateway for a single host:

See more: TLS ingress gateway for a single host

Integrating with a TLS certificate provider

In the charm ecosystem, a TLS certificate provider is a charm that helps handling X.509 certificates creation, renewal, and revocation using the tls-interface.

The following can be used as TLS certificate providers depending on the use case or security requirements of an organisation:

See more: Security with X.509 certificates

To integrate with the istio-pilot, run:

juju relate istio-pilot:certificates <TLS certificate provider>:certificates

This triggers a mechanism in istio-pilot that will automatically configures the Ingress Gateway to use the TLS certificate and key generated by the TLS certificates provider.

Remove TLS configuration

Remove the relation between istio-pilot and the TLS certificate provider, this will make the Ingress Gateway change to the default HTTP mode:

juju remove-relation istio-pilot:certificates <TLS certificate provider>:certificates

Passing TLS certificate and key values


:warning: Passing the TLS certificate and private key values will NOT BE SUPPORTED after Charmed Kubeflow 1.9. It is recommended that a TLS certificates provider is used instead.

This feature replaces the ssl-crt and ssl-key configuration options that were removed in Charmed Kubeflow 1.8. For migration steps, please see Migrating from configuration.

Juju 3.4 or above is required.

This feature allows passing the TLS certificate and private key values directly to the istio-pilot charm to configure TLS. The versions of the istio-pilot that have this feature are:

  • 1.17
  • 1.18
  • 1.19
  • 1.20
  • 1.21
  • 1.22

To pass the TLS certificate and key values, do the following:

  1. Create a user secret to hold the TLS certificate and key values (as strings):
juju add-secret istio-tls-secret tls-crt="$(cat CERT_FILE)" tls-key=$"$(cat KEY_FILE)"


  • tls-crt holds the value of the TLS certificate file as a string
  • tls-key holds the value of the TLS key file as a string
  1. Grant istio-pilot access to the secret:
juju grant-secret istio-tls-secret istio-pilot
  1. Pass the secret ID as a configuration:
juju config istio-pilot tls-secret-id=secret:<secret ID resulting from step 1>

Migrating from configuration to action

As mentioned before, passing the TLS certificate and key using juju secrets is replacing the ssl-* configuration options. The migration is as simple as juju refresh istio-pilot, but have the following considerations:

  1. The ssl-key and ssl-crt values passed as configuration options will be lost, it is recommended to save them before upgrading.
  2. A downtime is expected while upgrading to newer versions of istio-pilot as the Ingress Gateway has to be reconfigured. This is expected to happen between the juju refresh command and the time after running the set-tls action.
  3. Migrating and not setting the TLS certificate and private key values can lead to unexpected results. Make sure they are set.

To upgrade and re-configure, do the following:

  1. Get existing configuration values and save them:
juju config istio-pilot ssl-crt
juju config istio-pilot ssl-key
  1. Refresh the istio-operators charms to the desired version:
juju refresh istio-pilot --channel $ISTIO_PILOT_CHANNEL
juju refresh istio-ingressgateway --channel $ISTIO_INGRESSGATEWAY_CHANNEL
juju status istio-pilot/<unit-number> --wait 5s # Wait for the unit to go to active and idle
  1. Pass TLS certificate and key using juju secrets.

Last updated a month ago.