IstioPreview
mTLS traffic between Istio workload certs can be set up using cert-manager issued certificates.
To do this, a user would create a cert-manager issuer and deploy istio-csr configured to issue certificates from this issuer.
This can be done using TLS Protect for Kubernetes operator, which will also perform basic validation to ensure a suitable issuer type is used.
Configure access to the enterprise registry
🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
For the example below, we assume you created the following Kubernetes Secret: namespace: jetstack-secure name: jse-gcr-creds
Create an example setup with istio-csr
Create istio-system namespace
kubectl create namespace istio-system
Apply Installation resource:
kubectl apply -f - <<EOFapiVersion: operator.jetstack.io/v1alpha1kind: Installationmetadata:name: istio-examplespec:certManager: {}approverPolicy: {}images:secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstartistioCSR:issuerRef:name: istio-caistioNamespace: istio-systemissuers:- name: istio-canamespace: istio-systemannotations:app.kubernetes.io/part-of: mesh-mtlsca:secretName: ca-secretselfSignedCA:commonName: istio-casubject:organizations:- cluster.local- cert-managerEOF
For this Installation TLS Protect for Kubernetes Operator will create:
-
cert-manager installation in jetstack-secure Namespace with the default approver disabled
-
an istio-ca cluster-scoped CA issuer, a self-signed issuer that issues the root cert for the CA issuer and the actual root cert[1]
-
an istio-csr installation in jestack-secure Namespace, configured to work with the istio-ca issuer
-
approver-policy installation in jetstack-secure Namespace
-
a CertificateRequestPolicy for the issuer that restricts that only certificates for \*foo.com DNS names can be requested from this issuer, the minimum key size is 2048 bits and the maximum duration is 1 hour
-
RBAC that allows cert-manager ServiceAccount to use the created CertificateRequestPolicy
Wait for the Installation to become ready:
kubectl wait --for=condition=Ready=True installation/istio-example --timeout=120s
This should not take more than a minute or a few.
Observe information about the created components and resources on Installation spec:
kubectl get installation istio-example -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'
Install istioctl:
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.14.1 TARGET_ARCH=x86_64 sh - && \cd istio-1.14.1
Deploy Istio configured to use istio-csr as a certificate authority for workload certificates:
./bin/istioctl install -f https://platform.jetstack.io/documentation/configuration/js-operator/istio/v1.14.1-istio-config.yaml
Create an example application:
kubectl apply -f https://platform.jetstack.io/documentation/configuration/js-operator/istio/sample-deployment.yaml
This command will create:
-
a sandbox namespace labeled with istio-injection: enabled which ensures that Istio injects Envoy proxies to pods
-
a PeerAuthentication that enforces STRICT mTLS between pods
-
a simple Deployment with 5 pods
Wait for the Deployment to become ready.
Verify that the TLS certificate for Envoy proxy on any one of the pods in sandbox namespace is issued by cert-manager:
Make sure you have jq and openssl installed.
./bin/istioctl proxy-config secret <pod-name>.sandbox --output json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 -d | openssl x509 -text -noout
Next steps
- 1.
a CA issuer backed by a root cert issued by the self-signed issuer is not recommended to be used in production ↩