How to manage Certification using Istio for Kubernetes Cluster – 2



Istio manage certificates

In our previous blog we explored service mesh configuration through the user interface. Here we will see how Istio manages certificates for a cluster. This post picks up the work left over from Part 1, where we explored how Istio itself creates and manages certificates for the cluster; now we look at the various ways external certificates and certificate authorities can be plugged into Istio.

Terms to know

  • Registration Authority (RA): its key role is to validate certificate requests and approve them for signing if they are valid.
  • Certification Authority (CA): signs workload requests after the RA has approved them.
  • Public Key Infrastructure (PKI): the framework of roles, policies and software that issues, distributes and revokes public-key certificates, together with the cryptographic mechanisms built on them.
  • Certificate Signing Request (CSR): a specially formatted message, signed with the applicant's own private key, that an SSL/TLS certificate applicant sends to a certificate authority (CA).

Kubernetes CSR Integration: when the CA is not Istiod

  • The private key is not stored in the cluster as a Secret.
  • Steps of the Kubernetes CSR workflow:
  1. A CSR is submitted by a service or by a kubectl/controller (the requester).
  2. An approver approves it on the basis of its content and of who requested it.
  3. A signer signs the request.
  4. The signed certificate is read back by the service (the requester).
CSR workflow

As you can see here in the picture

CSR example

Kubernetes CSR with cert manager

  • In Istio it is almost the same:
  1. The service (or kubectl/controller) sends a CSR to istiod over gRPC.
  2. istiod creates the Kubernetes CSR object (acting as requester) and approves the request.
  3. Instead of Kubernetes, cert-manager signs the request.
  4. istiod reads the signed certificate.
  5. istiod responds to the service with the signed certificate.

Note: Kubernetes and Istio work on the same plane, so having Kubernetes itself sign the certificates can be problematic.

CSR manage certification with Istio

Here we have used cert-manager to sign the certificates, with Istiod acting as the CA, configured with the following YAML:

- name: K8S_SIGNER

The Istio CA can also be backed by some other issuer, such as HashiCorp Vault.

Istio-CSR: no involvement of Istiod

certificate management using Istio without Istiod

Using Vault

  • Run a Vault pod on your cluster:
$ helm install vault hashicorp/vault --namespace vault --create-namespace
NAME: vault
LAST DEPLOYED: Mon Aug  8 14:27:28 2022
STATUS: deployed
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault

$ kubectl get pods -A
NAMESPACE     NAME                                    READY   STATUS    RESTARTS      AGE
kube-system   coredns-6d4b75cb6d-djq4p                1/1     Running   0             23m
kube-system   etcd-minikube                           1/1     Running   0             23m
kube-system   kube-apiserver-minikube                 1/1     Running   0             23m
kube-system   kube-controller-manager-minikube        1/1     Running   1 (23m ago)   23m
kube-system   kube-proxy-qmbz4                        1/1     Running   0             23m
kube-system   kube-scheduler-minikube                 1/1     Running   0             23m
kube-system   storage-provisioner                     1/1     Running   1 (22m ago)   23m
vault         vault-0                                 0/1     Running   0             7m4s
vault         vault-agent-injector-5d4c695bf4-4xttt   1/1     Running   0             7m4s

Follow the steps on this page:

  • Install the Jetstack cert-manager on the cluster:
$ helm repo add jetstack
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --wait
Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Mon Aug  8 14:41:20 2022
NAMESPACE: default
STATUS: deployed
cert-manager v1.9.1 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
  • Create a Secret holding your organisation's certificate authority. Here I am using the root-cert.pem created for the custom CA with Istiod in the ways shown above (the Makefile-based CA).
$ kubectl create secret generic istio-root-certs --from-file=root-cert.pem=certs/root-cert  -n cert-manager
secret/istio-root-certs created
  • Now we provide cert-manager with an Issuer so it knows how to talk to Vault. First create the istio-system namespace.

Note: for the token we use the private key of the PKI; here I am using the root-key.pem created for Istio. `base64 -w 0` strips the line wrapping so the value can be used as the token.

$ cat root-key.pem | base64 -w 0; echo
$ kubectl create namespace istio-system
namespace/istio-system created
$ kubectl apply -f vault-secret.yaml 
secret/vault-token created
$ kubectl apply -f vault-issuer.yaml created
  • Next, install istio-csr configured to use Vault as the issuer:
$ helm upgrade -i cert-manager-istio-csr jetstack/cert-manager-istio-csr --namespace cert-manager --values istio-csr-values.yaml
Release "cert-manager-istio-csr" has been upgraded. Happy Helming!
NAME: cert-manager-istio-csr
LAST DEPLOYED: Tue Aug  9 11:45:02 2022
NAMESPACE: cert-manager
STATUS: deployed
  • Now we install Istio with a configuration that points it at the istio-csr network address and disables Istiod as the CA server:
$ istioctl install -f istio-config.yaml --verify -y
  • Once Istio is up and running, we add a PeerAuthentication rule in STRICT mode:
$ kubectl apply -f STRICTpeerauthentication.yaml 
  • Then we run the example application (bookinfo):
$ kubectl create namespace sandbox
$ kubectl label namespace sandbox istio-injection=enabled
$ kubectl apply -f bookinfo.yaml 
  • Wait for the pod to come up:
$ kubectl wait --for=condition=ready pod -l app=productpage -n sandbox 
  • Inspect the certificate issued to the productpage sidecar (the pod name is looked up by label, the chain is pulled from the proxy's secret config dump, base64-decoded and printed with openssl):
$ istioctl proxy-config secret -n sandbox $(kubectl get pods -n sandbox -o jsonpath='{.items[0].metadata.name}' --selector app=productpage) -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode | openssl x509 -text -noout | vim -
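The Kubernetes CSR steps listed earlier (requester, approver, signer, requester reads the result; the same four roles that istiod and cert-manager play in the Istio variant) and the check a reader performs by eye on the openssl output of the command above, modelled together as one added Go program using only the standard library. This is example code written for this post, not Istio's, cert-manager's or Vault's own implementation. It assumes Istio's SPIFFE identity layout spiffe://<trust domain>/ns/<namespace>/sa/<service account>, uses a throwaway self-signed root in place of the cluster's real CA (root-cert.pem in this post), and the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Requester: the workload makes its own key pair and a CSR whose only SAN is its
// SPIFFE ID. Only the CSR is sent on; the private key never leaves the workload.
func NewCSR(spiffeID *url.URL) (ed25519.PrivateKey, []byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{spiffeID}}, key)
	return key, der, err
}

// Approver (RA role): the CSR must parse, be signed by the key it carries, and name exactly the allowed identity.
func Approve(csrDER []byte, allowedID string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != allowedID || len(csr.DNSNames)+len(csr.IPAddresses) > 0 {
		return nil, errors.New("csr names an identity the requester may not claim")
	}
	return csr, nil
}

// NewCA builds a throwaway self-signed root (constructed stand-in for Istiod, cert-manager or Vault).
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign (signer role): issue a short-lived PEM leaf; the identity is copied from the approved CSR, never chosen here.
func Sign(caCert *x509.Certificate, caKey ed25519.PrivateKey, csr *x509.CertificateRequest, ttl time.Duration) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, URIs: csr.URIs,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// InspectWorkloadCert: the PEM must chain to the expected root and carry the expected
// SPIFFE ID; it returns the remaining lifetime so short-lived certs can be watched.
func InspectWorkloadCert(leafPEM []byte, root *x509.Certificate, wantID string) (time.Duration, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return 0, errors.New("no PEM certificate found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return 0, fmt.Errorf("chain does not lead to the trusted root: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != wantID {
		return 0, fmt.Errorf("certificate identity %v is not %s", leaf.URIs, wantID)
	}
	return time.Until(leaf.NotAfter), nil
}
```

The functions are called in the order of the four steps: NewCSR (requester), Approve (RA), NewCA plus Sign (CA), then InspectWorkloadCert on the PEM the requester reads back, passing the root you actually installed and the identity spiffe://cluster.local/ns/sandbox/sa/bookinfo-productpage that the productpage pod should hold. The approver compares the CSR against the identity the caller is entitled to, which is the check that keeps a workload from being issued a certificate for another service account; the inspector repeats the same identity check on the issued certificate and additionally verifies the chain, which is what the openssl x509 -text output only shows but does not enforce.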



Written by 

Vaibhav Kumar is a DevOps Engineer at Knoldus | Part of Nashtech, with experience in architecting and automating integral deployments over infrastructure. Proficient in Jenkins, Git, AWS and in developing CI pipelines; able to perform configuration management using Ansible and infrastructure management using Terraform. Likes to script and develop in Python. Besides AWS, has experience with Google Cloud and Azure cloud services; besides Jenkins, with CI/CD in Azure Pipelines, GitHub Actions and TeamCity. Loves to explore new technologies and ways to improve work with automation.