Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Could not configure istio ingressgateway using Azure KeyVault on AKS #143

Closed smuthusa closed 4 years ago

smuthusa commented 4 years ago

We want to configure the istio ingress gateway to use the SSL key & certificate from Azure KeyVault for our Azure managed AKS cluster (version 1.13.11).

The following links were followed:

  1. https://github.com/Azure/kubernetes-keyvault-flexvol (The SSL certificate is generated using Let's Encrypt.) The step to import the key into KeyVault given in the document is incorrect: it doesn't support the option -f, so we had to use --pem-file to import the key. Azure CLI version 2.0.72 was used.
  2. https://github.com/Azure/kubernetes-keyvault-flexvol/blob/master/docs/istio-tls-certificate.md (The "1. Service Principal" way of accessing KeyVault is followed.)

The private key and certificate are successfully mounted on the istio-ingressgateway pod, but the file contents are not the actual ones that were uploaded into the Azure KeyVault. For this reason, the gateway is not able to accept SSL connections.

Here are the volume configurations in the Kubernetes deployment volumes:

smuthusa commented 4 years ago

My fault, configuring the values to secret for keyvaultobjectnames solved the issue.
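
A diagnostic for the symptom reported in this thread, added here as an example (it is not part of the issue or of the flexvol project): Key Vault exposes an imported certificate under the same name as a certificate, a key and a secret, and only the secret carries the private key, so a mount of the wrong object type yields a file with different contents than the uploaded PEM. The script reports only the PEM block labels found in the mounted files, never their contents; the function names and sample data are constructed for illustration.

```python
import re
import sys

# Matches one PEM block and captures its label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*[A-Za-z0-9+/=\s]+?\s*-----END \1-----"
)
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_tls_mount(cert_text, key_text):
    """Return a list of problems with a mounted cert/key pair (empty if none)."""
    problems = []
    cert_labels = pem_labels(cert_text)
    key_labels = pem_labels(key_text)
    if "CERTIFICATE" not in cert_labels:
        problems.append(
            f"cert file holds {cert_labels or 'no PEM data'}, expected CERTIFICATE")
    if not PRIVATE_LABELS & set(key_labels):
        problems.append(
            f"key file holds {key_labels or 'no PEM data'}, expected a private key")
    return problems


def _pem(label, body="Q09OU1RSVUNURUQ="):
    # Constructed placeholder body, not real key material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: what a file looks like for each kind of content.
SAMPLE_CERT = _pem("CERTIFICATE")
SAMPLE_PUBLIC_KEY = _pem("PUBLIC KEY")
SAMPLE_SECRET = _pem("PRIVATE KEY") + _pem("CERTIFICATE")

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python check_mount.py <mounted-cert-file> <mounted-key-file>
    with open(sys.argv[1]) as c, open(sys.argv[2]) as k:
        found = check_tls_mount(c.read(), k.read())
    print("\n".join(found) or "mounted files hold a certificate and a private key")
    sys.exit(1 if found else 0)
```
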