Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Kubectl tls patch returning “not patched”

Tags:

ssl

amazon-web-services

kubernetes

istio

I am trying to patch istio-ingressgateway service with ACM by the following


kubectl -n istio-system patch service istio-ingressgateway -p "$(cat<<EOF
metadata:
  name: istio-ingressgateway
  namespace: istio-system
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:xx-xxxx-1:123456789:certificate/xxxx-xxx-xxxxxxxxxxx"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
EOF
)"

but it is returning not patched. Whats wrong here?

like image 624
Akash Verma Avatar asked Mar 02 '23 03:03

Akash Verma

2 Answers

The problem is the indentation try to put your patch on a yaml file:

ingress_patch.yaml

metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:xx-xxxx-1:123456789:certificate/xxxx-xxx-xxxxxxxxxxx"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: istio-ingressgateway
    istio: ingressgateway

Then apply it as follows:

kubectl -n istio-system patch service istio-ingressgateway -p "$(cat ./ingress_patch.yaml)"
like image 58
wolmi Avatar answered Mar 05 '23 14:03

wolmi

I am posting this as a community wiki answer for better visibility.

As I mentioned in comments there is related github issue about Istio Ingress TLS key management use ACM.

Despite what @wolmi said what is true, because the indentation was wrong, there are more issues which need to be covered when you're trying to combine istio with ELB and ACM.

It's well described in 3 below answers.

Especially worth to take look and 3 below comments from above github issue.

  • Answer provided by @cmcconnell1.
  • Answer provided by @eduardobaitello
  • Answer provided by @eduardobaitello

Additionally there is a thread about that on discuss.istio.io

like image 31
Jakub Avatar answered Mar 05 '23 14:03

Jakub

Sign in to Comment

Related questions

AWS StepFunction with Invoke Child Workflow state using cloud formation giving in
What is standard practice for storing private SSH keys for AWS Lambda
Github actions - pass secret variables to render ECS task definition action
Failing to set up SSH tunnel to private AWS API gateway API
Taint eks node-group
Debugging AWS HTTP API (beta) JWT Authorizer
How to deploy SAM stack with localstack?
API Gateway with Static Elastic IP
Mixing Terraform and Serverless Framework
AWS API Gateway + Lambda + EC2 returning 503 Service Unavailable error in 5 seconds
NetworkPlugin cni failed to set up pod "xxxxx" network: failed to set bridge addr: "cni0" already has an IP address different from10.x.x.x - Error
AWS Elastic Beanstalk chown PythonPath error
How to attach existing EC2 instances to auto scaling group in terraform?
How do I add Secrets Manager IAM permission?
Why is it not popular to have a mobile application send crash log to ELK
Cannot publish into aws beanstalk from vs2019

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!