Istio: How to redirect to HTTPS except for /.well-known/acme-challenge


Looking into the documentation:

  • The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

As a workaround:

  1. Please consider using the DNS-01 challenge:

a) It only makes sense to use DNS-01 challenges if your DNS provider has an API you can use to automate updates.

b) Using this approach, you should consider the additional security risk stated in the docs:

Pros:
  • You can use this challenge to issue certificates containing wildcard domain names.
  • It works well even if you have multiple web servers.

Cons:
  • Keeping API credentials on your web server is risky.
  • Your DNS provider might not offer an API.
  • Your DNS API may not provide information on propagation times.

As mentioned here:

In order to be automatic, though, the software that requests the certificate will also need to be able to modify the DNS records for that domain. In order to modify the DNS records, that software will also need to have access to the credentials for the DNS service (e.g. the login and password, or a cryptographic token), and those credentials will have to be stored wherever the automation takes place. In many cases, this means that if the machine handling the process gets compromised, so will the DNS credentials, and this is where the real danger lies.


  2. I would also suggest another approach: use a simple nginx pod that redirects all HTTP traffic to HTTPS.

There is a tutorial on Medium with an nginx configuration you might try to use.

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  # Mounted into /etc/nginx/conf.d, so this server block is picked up by the
  # default nginx.conf include and answers every plain-HTTP request with a redirect.
  nginx.conf: |
    server {
      listen 80 default_server;
      server_name _;
      return 301 https://$host$request_uri;
    }
---
apiVersion: v1
kind: Service
metadata:
  name: redirect
  labels:
    app: redirect
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: redirect
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redirect
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redirect
  template:
    metadata:
      labels:
        app: redirect
    spec:
      containers:
      - name: redirect
        image: nginx:stable
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/conf.d
          name: config
      volumes:
      - name: config
        configMap:
          name: nginx-config

Additionally, you would have to change your VirtualService to send all traffic except the prefix /.well-known/acme-challenge to nginx.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: acme-solver
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - acme-gateway
  http:
  # Routes are evaluated top to bottom; the ACME exception must come before the
  # catch-all, otherwise the challenge request would be redirected as well.
  - name: "acmesolver"
    match:
    - uri:
        prefix: /.well-known/acme-challenge
    route:
    - destination:
        # Replace with the Service that fronts your ACME HTTP-01 solver.
        host: reviews.prod.svc.cluster.local
        port:
          number: 8089
  # No match clause: everything else goes to the nginx redirect Service
  # defined above (named "redirect", so that is the host to route to).
  - name: "nginx"
    route:
    - destination:
        host: redirect
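Because Istio takes the first matching `http` route, the split only works if the ACME exception sits above the catch-all and exempts nothing broader than the challenge prefix. The following lint is an added example, not code from the answer or from the Istio project; it transcribes the VirtualService above as a Python dict (so it runs without PyYAML or a cluster), assumes the redirect Service is named `redirect`, and uses a constructed set of known Service hosts in place of `kubectl get svc` output.

```python
"""Lint an Istio VirtualService for the HTTP-01 exception / HTTPS-redirect split."""

ACME_PREFIX = "/.well-known/acme-challenge"

# VirtualService from the answer, transcribed as a dict (constructed for this example).
ACME_VS = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "VirtualService",
    "metadata": {"name": "acme-solver", "namespace": "istio-system"},
    "spec": {
        "hosts": ["*"],
        "gateways": ["acme-gateway"],
        "http": [
            {"name": "acmesolver",
             "match": [{"uri": {"prefix": ACME_PREFIX}}],
             "route": [{"destination": {"host": "reviews.prod.svc.cluster.local",
                                        "port": {"number": 8089}}}]},
            {"name": "nginx",
             "route": [{"destination": {"host": "redirect"}}]},
        ],
    },
}

# Service hosts assumed to exist in the mesh (constructed stand-in for `kubectl get svc`).
KNOWN_HOSTS = {"redirect", "reviews.prod.svc.cluster.local"}


def lint_acme_split(vs, known_hosts=KNOWN_HOSTS, acme_prefix=ACME_PREFIX):
    """Return a list of problems; an empty list means the route split is sound.

    Checks, in order of how they would fail in production:
      1. a route exempting exactly the ACME prefix exists,
      2. a catch-all (no `match`) route exists to feed the redirect,
      3. the ACME route precedes the catch-all (first match wins in Istio),
      4. no route exempts a prefix broader than the ACME prefix (e.g. "/"),
      5. every destination host refers to a known Service.
    """
    problems = []
    routes = vs["spec"]["http"]
    acme_idx = None
    catch_all_idx = None

    for i, route in enumerate(routes):
        matches = route.get("match") or []
        if not matches:
            if catch_all_idx is None:
                catch_all_idx = i
            continue
        for m in matches:
            prefix = m.get("uri", {}).get("prefix")
            if prefix is None:
                continue
            if prefix == acme_prefix:
                if acme_idx is None:
                    acme_idx = i
            elif acme_prefix.startswith(prefix):
                problems.append(
                    f"route {route.get('name', i)!r} exempts {prefix!r}, "
                    f"which is broader than {acme_prefix!r}")

    if acme_idx is None:
        problems.append(
            f"no route matches {acme_prefix!r}; HTTP-01 challenges would be redirected")
    if catch_all_idx is None:
        problems.append("no catch-all route; non-ACME HTTP requests are not redirected")
    if acme_idx is not None and catch_all_idx is not None and catch_all_idx < acme_idx:
        problems.append(
            "catch-all precedes the ACME route; first match wins, so challenges get redirected")

    for route in routes:
        for dest in route.get("route", []):
            host = dest["destination"]["host"]
            if host not in known_hosts:
                problems.append(f"destination host {host!r} does not match a known Service")
    return problems


if __name__ == "__main__":
    for problem in lint_acme_split(ACME_VS) or ["ok: ACME exception precedes the redirect"]:
        print(problem)
```

Running the lint on the manifest as written reports no problems; swapping the two routes, or widening the exemption to `/`, is flagged before the change reaches a cluster where the symptom would be failed renewals.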