istio-csr
istio-csr is an agent that allows for Istio workload and
control plane components to be secured using
cert-manager.
Certificates facilitating mTLS, both inter- and intra-cluster, will be signed, delivered and renewed using cert-manager
issuers.
istio-csr supports Istio v1.10+ and cert-manager v1.3+.
Documentation
Please follow the documentation at
cert-manager.io for installing and
using istio-csr.
Inner workings
istio-csr has 3 main components: the TLS certificate obtainer, the gRPC server and the CA bundle distributor.
- The TLS certificate obtainer is responsible for obtaining the TLS certificate for the gRPC server.
It uses the cert-manager API to create a CertificateRequest resource, which will be picked up by cert-manager and signed by the configured issuer.
- The gRPC server is responsible for receiving certificate signing requests from istiod and sending back the signed certificate.
To do so, it uses the cert-manager CertificateRequest API to obtain the signed certificate.
- The CA bundle distributor is responsible for creating and updating istio-ca-root-cert ConfigMaps in all namespaces (filtered using namespaceSelector).
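
The following example is added here and is not istio-csr's own code: it shows how a PEM-encoded CSR is carried inside a cert-manager CertificateRequest, the resource the gRPC server creates for each signing request it receives. The SPIFFE-style identity, the namespace, the resource name and the issuer name are constructed sample values, not taken from the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/url"
)

// NewCertificateRequest wraps a fresh CSR (URI SAN identity) in a CertificateRequest, as JSON.
func NewCertificateRequest(identity, namespace, issuer string) ([]byte, error) {
	uri, err := url.Parse(identity)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{URIs: []*url.URL{uri}}, key)
	if err != nil {
		return nil, err
	}
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	// encoding/json base64-encodes []byte, the encoding spec.request expects.
	return json.MarshalIndent(map[string]interface{}{
		"apiVersion": "cert-manager.io/v1",
		"kind":       "CertificateRequest",
		"metadata":   map[string]string{"name": "example-workload", "namespace": namespace},
		"spec": map[string]interface{}{
			"request":   csrPEM,
			"issuerRef": map[string]string{"group": "cert-manager.io", "kind": "Issuer", "name": issuer},
		},
	}, "", "  ")
}

func main() {
	// Constructed sample values: identity, namespace and issuer name are assumptions.
	out, err := NewCertificateRequest("spiffe://cluster.local/ns/default/sa/example", "istio-system", "example-issuer")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The private key is discarded here because only the resource is shown; a real requester keeps its key and sends only the CSR, so the issuer never sees private key material.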