Skip to content

fix: Add higress-controller:8889 cluster for ACME challenge route#262

Merged
johnlanni merged 1 commit into
higress-group:mainfrom
CH3CHO:fix/acme-support
May 13, 2026
Merged

fix: Add higress-controller:8889 cluster for ACME challenge route#262
johnlanni merged 1 commit into
higress-group:mainfrom
CH3CHO:fix/acme-support

Conversation

@CH3CHO
Copy link
Copy Markdown
Collaborator

@CH3CHO CH3CHO commented May 12, 2026
edited
Loading

The Let's Encrypt HTTPS certificate obtaining feature requires a temporary route pointing to higress-controller:8889 service for its HTTP-01 challenge.

https://github.com/higress-group/higress/blob/main/pkg/cert/ingress.go#L37

const (
	IngressClassName   = "higress"
	IngressServiceName = "higress-controller"
	IngressNamePefix   = "higress-http-solver-"
	IngressPathPrefix  = "/.well-known/acme-challenge/"
	IngressServicePort = 8889
)

Sample Virtual Service config:

{
  "apiVersion": "networking.istio.io/v1alpha3",
  "kind": "VirtualService",
  "metadata": {
    "annotations": {
      "internal.higress.io/cluster-id": ""
    },
    "name": "istio-autogenerated-k8s-ingress-higress-system-higress-http-solver-www-foo-com-3c4f64c1e7b5e505",
    "namespace": "higress-system"
  },
  "spec": {
    "gateways": [
      "higress-system/3c4f64c1e7b5e505",
      "istio-autogenerated-k8s-ingress-3c4f64c1e7b5e505"
    ],
    "hosts": [
      "www.foo.com"
    ],
    "http": [
      {
        "match": [
          {
            "uri": {
              "exact": "/.well-known/acme-challenge/_54X-6ScQXaRwuttmuVVUtFbeVB4UualX5DWw_pe4RQ"
            }
          },
          {
            "uri": {
              "prefix": "/.well-known/acme-challenge/_54X-6ScQXaRwuttmuVVUtFbeVB4UualX5DWw_pe4RQ/"
            }
          }
        ],
        "name": "higress-http-solver-www-foo-com",
        "route": [
          {
            "destination": {
              "host": "higress-controller.higress-system.svc.cluster.local",
              "port": {
                "number": 8889
              }
            },
            "weight": 100
          }
        ]
      }
    ]
  }
}

In standalone deployments, there is no K8s service discovery. So I just make it sample by creating the corresponding cluster using EnvoyFilter.

This PR fixes higress-group/higress#3789 .

@CH3CHO CH3CHO force-pushed the fix/acme-support branch from 154fec1 to 7ca2dc2 Compare May 13, 2026 01:02
johnlanni
johnlanni approved these changes May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@johnlanni johnlanni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@johnlanni johnlanni merged commit 75563d7 into higress-group:main May 13, 2026
4 checks passed
@CH3CHO CH3CHO deleted the fix/acme-support branch May 13, 2026 01:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@johnlanni johnlanni johnlanni approved these changes

@lexburner lexburner Awaiting requested review from lexburner lexburner is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@CH3CHO @johnlanni