README
¶
istio-csr
istio-csr is an agent that allows for Istio workload and control plane components to be secured using cert-manager. Certificates facilitating mTLS, inter and intra cluster, will be signed, delivered and renewed using cert-manager issuers.
⚠️ Currently supports Istio versions v1.7+
⚠️ Currently supports cert-manager versions v1.3+
Installation
Installing cert-manager
Firstly, cert-manager must be installed in your cluster.
Issuer or ClusterIssuer
An Issuer or ClusterIssuer must be configured which will be used to sign Istio certificates against.
Here are examples of CA Issuer and ClusterIssuer configurations that are bootstrapped through self-signed issuers. It is advised to not use the CA Issuer type in production environments, and instead use an issuer who's CA private key material does not reside within the cluster.
It is important to use an issuer type that is able to sign Istio mTLS workload certificates (SPIFFE URI SANs) and istiod serving certificates. ACME issuers will not work.
If using an Issuer rather than the ClusterIssuer type, the Issuer must reside in
the same namespace as that configured by --certificate-namespace on istio-csr,
istio-system by default.
Installing istio-csr
Next, install istio-csr into the cluster, configured to use the Issuer or ClusterIssuer installed earlier.
⚠️ It is highly recommended that the root CA certificates are statically defined in istio-csr. If they are not, istio-csr will "discover" the root CA certificates when requesting its serving certificate, effectively making istio-csr TOFU.
Discover root CAs installation
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ kubectl create namespace istio-system
$ helm install -n cert-manager cert-manager-istio-csr jetstack/cert-manager-istio-csr
Load root CAs from file ca.pem (Preferred)
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ kubectl create namespace istio-system
$ kubectl create secret generic istio-root-ca --from-file=ca.pem=ca.pem -n cert-manager
$ helm install -n cert-manager cert-manager-istio-csr jetstack/cert-manager-istio-csr \
--set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" \
--set "volumeMounts[0].name=root-ca" \
--set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" \
--set "volumes[0].name=root-ca" \
--set "volumes[0].secret.secretName=istio-root-ca"
All helm value options can be found here.
Installing Istio
If you are running Openshift, prepare the cluster for Istio. Follow instructions from Istio platform setup guide.
Finally, install Istio. Istio must be installed using the IstioOperator
configuration changes within
./hack/istio-config-x.yaml. Later versions
of Istio share the same config.
For OpenShift set the profile as --set profile=openshift.
These config options are required in order for the CA Server to be disabled in istiod, ensure Istio workloads request certificates from istio-csr, and the istiod certificates and keys are mounted from the Certificate created when installing istio-csr.
How
The cert-manager Istio agent implements the gRPC Istio certificate service which authenticates, authorizes, and signs incoming certificate signing requests from Istio workloads. This matches the behaviour of istiod in a typical installation, however enables these certificates to be signed through cert-manager.
Directories