Istio alongside nginx + cert-manager

Here is my current config:

  • rancher with rke2/1.31.9 + default nginx controller deployed (3 masters, 6 workers)
  • kube-vip for provisioning the Load Balancer (I haven't tried metallb) + NATed IP (211.11.11.10)
  • istio according to the specs for rke2 deployment
  • DNS that resolves *.app.prod.domain to 211.11.11.10

GW definition:

apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: rke2prod-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - vault.app.prod.lb.dk
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - vault.app.prod.lb.dk
    port:
      name: https-vault
      number: 443
      protocol: HTTPS
    tls:
      credentialName: vault-cert-prod
      mode: SIMPLE

VS definition:

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: vault-vs
  namespace: vault-prod
spec:
  gateways:
  - default/rke2prod-gateway
  hosts:
  - vault.app.prod.lb.dk
  http:
  - match:
    - uri:
        prefix: /.well-known/acme-challenge
    route:
    - destination:
        host: cm-acme-http-solver.istio-system.svc.cluster.local
        port:
          number: 8089
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: vault-active
        port:
          number: 8200

ClusterIssuer created in the istio-system ns + cert also; cert + secrets were created accordingly!!
So far so good, but here is the issue:

curl -v https://vault.app.prod.lb.dk

  *   Trying 211.11.11.10:443...
  * Connected to vault.app.prod.lb.dk (211.11.11.10) port 443
  * ALPN: curl offers http/1.1
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  *  CApath: none
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  * TLSv1.3 (IN), TLS handshake, Certificate (11):
  * TLSv1.3 (IN), TLS handshake, CERT verify (15):
  * TLSv1.3 (IN), TLS handshake, Finished (20):
  * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  * TLSv1.3 (OUT), TLS handshake, Finished (20):
  * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  * ALPN: server accepted http/1.1
  * Server certificate:
  *  subject: CN=vault.app.prod.lb.dk
  *  start date: Aug 22 23:15:26 2025 GMT
  *  expire date: Nov 20 23:15:25 2025 GMT
  *  subjectAltName: host "vault.app.prod.lb.dk" matched cert's "vault.app.prod.lb.dk"

and if I execute curl once more...
curl -v https://vault.app.prod.lb.dk

  *   Trying 211.11.11.10:443...
  * Connected to vault.app.prod.lb.dk (211.11.11.10) port 443
  * ALPN: curl offers http/1.1
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  *  CApath: none
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.2 (IN), TLS handshake, Certificate (11):
  * TLSv1.2 (OUT), TLS alert, unknown CA (560):
  * SSL certificate problem: self-signed certificate
  * Closing connection
  curl: (60) SSL certificate problem: self-signed certificate
  More details here: https://curl.se/docs/sslcerts.html

So, once istio is responding, the 2nd time nginx, or randomly...

Interesting fact:
I'm using 2 deployments for kube-vip!!
  • kube-vip-ds on ens224 → only for the API server VIP (6443).
  • kube-vip-workers on ens192 → only for Service LoadBalancer VIPs.

Now I have modified the kube-vip daemonset to bind on interface ens224 and kube-vip-workers to bind on interface ens192.
Like this everything seems to work almost flawlessly... but I'm not sure why I had to use 2 different interfaces...
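The symptom in the post (a CA-issued cert on one handshake, a self-signed cert on the next, same VIP) is what you see when more than one LoadBalancer Service is being advertised on the same address. The script below is an added example, not part of the original post or of any project mentioned in it: it lists every LoadBalancer Service whose status carries the VIP, then opens repeated TLS handshakes against the VIP with `--resolve` (so DNS is taken out of the picture) and classifies who answered from curl's verbose output. It assumes the hostname and VIP from the post, that `kubectl` and `curl` are on the path, and that the nginx side presents ingress-nginx's stock default certificate (subject `CN=Kubernetes Ingress Controller Fake Certificate`); the sample handshake lines used to exercise the classifier are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find out which endpoint owns
# the kube-vip LoadBalancer address on each connection.
set -eu

HOST="${HOST:-vault.app.prod.lb.dk}"   # assumed from the post
VIP="${VIP:-211.11.11.10}"             # assumed from the post
PROBES="${PROBES:-10}"

# List LoadBalancer Services whose status contains the VIP. If both the
# rke2 ingress-nginx controller Service and istio-ingressgateway show up
# here, two Services are claiming the same address.
lb_services_for_vip() {
  kubectl get svc -A -o jsonpath='{range .items[?(@.spec.type=="LoadBalancer")]}{.metadata.namespace}/{.metadata.name} {.status.loadBalancer.ingress[*].ip}{"\n"}{end}' \
    | grep -F -- "$VIP" || true
}

# Read `curl -vk` output on stdin and print which kind of endpoint answered:
#   nginx-default : ingress-nginx's built-in self-signed fake certificate (assumed default)
#   self-signed   : some other certificate whose issuer equals its subject
#   ca-issued     : subject and issuer differ (the cert-manager/ACME cert on Istio)
#   no-cert       : no "subject:" line, i.e. the handshake never got that far
classify_handshake() {
  local out subj iss
  out="$(cat)"
  if printf '%s\n' "$out" | grep -q 'Kubernetes Ingress Controller Fake Certificate'; then
    echo nginx-default
    return
  fi
  subj="$(printf '%s\n' "$out" | sed -n 's/^.*subject: //p' | head -n1)"
  iss="$(printf '%s\n' "$out" | sed -n 's/^.*issuer: //p' | head -n1)"
  if [ -z "$subj" ]; then
    echo no-cert
  elif [ "$subj" = "$iss" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Open PROBES fresh TLS connections straight to the VIP (-k so curl still
# prints subject/issuer for an untrusted cert) and tally the answers.
probe_vip() {
  local i
  for i in $(seq 1 "$PROBES"); do
    curl -sk -v --resolve "$HOST:443:$VIP" -o /dev/null "https://$HOST/" 2>&1 \
      | classify_handshake
  done | sort | uniq -c
}

# Run against a live cluster with: RUN_PROBE=1 ./probe-vip.sh
if [ "${RUN_PROBE:-0}" = 1 ]; then
  echo "LoadBalancer Services carrying $VIP:"
  lb_services_for_vip
  echo "Endpoints seen over $PROBES handshakes to $VIP:"
  probe_vip
fi
```

A healthy setup prints exactly one Service for the VIP and `ca-issued` on every probe; a mix of `ca-issued` and `nginx-default` (or `self-signed`) with two Services listed confirms that the address is being advertised for both nginx and the Istio ingress gateway, which also explains why splitting the two kube-vip DaemonSets onto different interfaces made the flapping stop.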