istio-csr
cert-manager-istio-csr is an agent that allows istio workload and control plane
components to be secured using cert-manager. The certificates that back mTLS,
both inter- and intra-cluster, are signed, delivered and renewed through
cert-manager issuers.
Currently supports istio versions v1.7+
Installation
Firstly, cert-manager must be installed in your cluster. An Issuer must be
configured, which will be used to sign your workload certificates, as well as a
ready Certificate to serve istiod. Example Issuer and istiod Certificate
configuration can be found in ./hack/demo/cert-manager-bootstrap-resources.yaml.
Next, install cert-manager-istio-csr into the cluster, configured to use the
Issuer deployed. The Issuer must reside in the same namespace as that configured
by -c, --certificate-namespace, which is istio-system by default.
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install -n cert-manager cert-manager-istio-csr jetstack/cert-manager-istio-csr
All helm value options can be found here.
Finally, install istio. Istio must be installed using the IstioOperator
configuration changes within ./hack/istio-config-x.yaml. These changes are
required to disable the CA server in istiod, so that istiod no longer issues
certificates itself, to make istio workloads request their certificates from
the cert-manager agent, and to mount the istiod certificate and key from the
Certificate created earlier.
How
The cert-manager istio agent implements the gRPC istio certificate service,
which authenticates, authorizes, and signs incoming certificate signing requests
from istio workloads. This matches the behaviour of istiod in a typical
installation, but routes the signing through cert-manager issuers.
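The authorize-and-sign core of that flow, as an added Go example that is not part of cert-manager-istio-csr or istio: the Kubernetes token authentication is stubbed (the caller's Identity is constructed directly), a throwaway in-memory ECDSA CA stands in for the cert-manager Issuer, and the gRPC request framing is not reproduced. The names NewCA, WorkloadCSR, AuthorizeCSR and SignCSR are this example's own. What it shows is the kind of check an authorization step has to make before signing: a CSR is only signed for the SPIFFE identity the caller actually authenticated as, with no extra SANs, and the certificate lifetime and key usages come from server-side policy rather than from whatever the CSR asks for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Identity is the authenticated caller; the real agent would derive it from the
// workload's Kubernetes service account token, here it is constructed directly.
type Identity struct{ TrustDomain, Namespace, ServiceAccount string }

// URI is the Istio-style SPIFFE ID for the identity.
func (id Identity) URI() *url.URL {
	return &url.URL{Scheme: "spiffe", Host: id.TrustDomain,
		Path: fmt.Sprintf("/ns/%s/sa/%s", id.Namespace, id.ServiceAccount)}
}

// NewCA makes a throwaway self-signed ECDSA CA standing in for a cert-manager Issuer.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example mesh CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// WorkloadCSR builds the PEM CSR a sidecar sends; extra DNS names let a caller craft a bad CSR.
func WorkloadCSR(id Identity, dnsNames ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{URIs: []*url.URL{id.URI()}, DNSNames: dnsNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// AuthorizeCSR is the authorization step: the CSR must parse, prove possession of its
// key, and name exactly the caller's own identity, so no workload can get another's cert.
func AuthorizeCSR(csrPEM []byte, caller Identity) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) != 0 ||
		len(csr.URIs) != 1 || csr.URIs[0].String() != caller.URI().String() {
		return nil, fmt.Errorf("CSR must name exactly %s and nothing else", caller.URI())
	}
	return csr, nil
}

// SignCSR issues a short-lived mTLS cert; lifetime and key usages come from policy, not the CSR.
func SignCSR(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, ttl time.Duration) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // rand.Reader is documented never to fail
	tmpl := &x509.Certificate{
		SerialNumber: serial, URIs: csr.URIs, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	sleep := Identity{TrustDomain: "cluster.local", Namespace: "default", ServiceAccount: "sleep"}
	spoof, _ := WorkloadCSR(Identity{TrustDomain: "cluster.local", Namespace: "default", ServiceAccount: "httpbin"})
	fmt.Println(AuthorizeCSR(spoof, sleep)) // authenticated as sleep, asks for httpbin: refused
}
```

The identity comparison is done on the canonical string form of the URI SAN so that a CSR cannot slip through with a trust domain or path that merely looks similar; the DNS, IP and email SAN counts are checked because a workload certificate that also carried, say, istiod's DNS name would let the workload impersonate the control plane to its peers.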
Testing
To run the end-to-end tests, run:
$ make e2e