test istio https requests local(macos)

generate certificate

brew install mkcert
brew install nss

mkdir -p ~/.cert
mkcert -key-file ~/.cert/key.pem -cert-file ~/.cert/cert.pem "api.ginta.com"

Enable the system to trust the generated certificate

mkcert -install

create kubernetes secret

kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ginta.key.pem --cert ginta.cert.pem

restart istio-system ingressgateway pod

kubectl delete pod -n istio-system -l istio=ingressgateway

check the certificate is mounted in pod

kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs

drwxrwsrwt 3 root istio-proxy  120 Aug  7 02:56 .
drwxr-xr-x 7 root root        4096 Aug  7 02:56 ..
drwxr-sr-x 2 root istio-proxy   80 Aug  7 02:56 ..2023_08_07_02_56_02.3534626985
lrwxrwxrwx 1 root istio-proxy   32 Aug  7 02:56 ..data -> ..2023_08_07_02_56_02.3534626985
lrwxrwxrwx 1 root istio-proxy   14 Aug  7 02:56 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root istio-proxy   14 Aug  7 02:56 tls.key -> ..data/tls.key

make sure that tls.crt and tls.key exist!

application gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: devops-demo-gateway
spec:
  # The selector matches the ingress gateway pod labels.
  # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "api.ginta.com"
    - port:
        #bind Https port(443)
        #this port is same as port of  ports.name=https istio-system.service.istio-ingressgateway
        number: 443
        name: https
        protocol: HTTPS
      #tls conf
      tls:
        #simple mode (Only the client needs to verify the server Https certificate, not MUTUAL)
        mode: SIMPLE
        #Mount the server certificate (corresponding to the previously defined secret tls isto ingressgateway certificates -- cert)
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        #Mount the private key of the server (corresponding to the previously defined secret tls isto ingressgateway certs -- key)
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        #hosts
        - "api.ginta.com"