How to manage Certification using Istio for Kubernetes Cluster

Reading Time: 4 minutes

Introduction

In our old blog, we explored service mesh configuration using User Interface. Here, we will see how istio is able to manage certification for cluster. This blog covers left work of Part -1 where we explored on how istio itself creates certificates for cluster and manage certificates for cluster. We will see various ways the istio can add external certifications.

Terms to be known

Registration Authority(RA): key role to approve requests and sign the request if valid.
Certification Authority(CA): signing workload requests after RA approves it.
Public Key Infrastructure (PKI): a framework that enables the encryption of public keys and includes their affiliated crypto-mechanisms.
Certificate Signing Request (CSR): a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA).

Kubernetes CSR Integration : When CA is not Istiod

the private key in cluster is not stored a secret
steps of K8s CSR

CSR request by a Service/kubectl controller (requester)
Approver approves on basis of content and requester
Signer signs the request
Signed certificate read by servce (requester)

As you can see here in the picture

Kubernetes CSR with cert manager

In Istio it is almost same:

CSR requested by service / kubectl controller by gRPC to istiod
istiod creates CSR (requestor) object, approves request
Instead of Kubernetes, cert-manager signs request
Istiod reads signed certificate
Istiod responds to Servie with signed certificate

Note: Kubernetes and Istio work on same plane so Kubernetes signing the certificate can be problemetic

here we have used a cert manager to sign the certificates with Istiod as CA with the yaml

- name: K8S_SIGNER
  value: issuers.cert-manager.io/istio-system.istio-ca

the istio ca can be backed up some other issuer like vault by hashicorp.

Istio-CSR : no involvement of Istiod

certification mangement using istio without istiod

Using Vault

run vault pod on your cluster

$ helm install vault hashicorp/vault --namespace vault --create-namespace
NAME: vault
LAST DEPLOYED: Mon Aug  8 14:27:28 2022
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/

Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault

$ kubectl get pods -A
NAMESPACE     NAME                                    READY   STATUS    RESTARTS      AGE
kube-system   coredns-6d4b75cb6d-djq4p                1/1     Running   0             23m
kube-system   etcd-minikube                           1/1     Running   0             23m
kube-system   kube-apiserver-minikube                 1/1     Running   0             23m
kube-system   kube-controller-manager-minikube        1/1     Running   1 (23m ago)   23m
kube-system   kube-proxy-qmbz4                        1/1     Running   0             23m
kube-system   kube-scheduler-minikube                 1/1     Running   0             23m
kube-system   storage-provisioner                     1/1     Running   1 (22m ago)   23m
vault         vault-0                                 0/1     Running   0             7m4s
vault         vault-agent-injector-5d4c695bf4-4xttt   1/1     Running   0             7m4s

follow this page work: https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager

install jetstack certificate manager on cluster

$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --wait
Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Mon Aug  8 14:41:20 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.9.1 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/

Create secret of certificate authority for your organistaion, here I am using the root-cert.pem created for custom CA using istiod in above ways to using CA using makefile.

$ kubectl create secret generic istio-root-certs --from-file=root-cert.pem=certs/root-cert  -n cert-manager
secret/istio-root-certs created

Now we provide the issuer to cert manager to know how to talk to vault. First create namespace istio-system

Note: For token, we use the private key for pki, here I am using the root-key.pem created for istio. the base64 -w 0 removes the formating for using as token.

$ cat root-key.pem | base64 -w 0; echo

$ kubectl create namespace istio-system
namespace/istio-system created
$ kubectl apply -f vault-secret.yaml 
secret/vault-token created
$ kubectl apply -f vault-issuer.yaml 
issuer.cert-manager.io/vault created

Next installing istio csr configured to use vault as issuer

$ helm upgrade -i cert-manager-istio-csr jetstack/cert-manager-istio-csr --namespace cert-manager --values istio-csr-values.yaml
Release "cert-manager-istio-csr" has been upgraded. Happy Helming!
NAME: cert-manager-istio-csr
LAST DEPLOYED: Tue Aug  9 11:45:02 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 3
TEST SUITE: None

Now we have istio configurations, giving istio-csr network address and disabling istiod as CA Server.

$ istioctl install -f istio-config.yaml --verify -y

Once Istio is up and running. we add Authentication rule

$ kubectl apply -f STRICTpeerauthentication.yaml

The we run the example application

$ kubectl create namespace sandbox
$ kubectl label namespace sandbox istio-injection=enabled
$ kubectl apply -f bookinfo.yaml

wait for pod to come up

$ kubectl wait --for=condition=ready pod -l app=productpage -n sandbox

find the certfication created

$ istioctl proxy-config secret -n sandbox $(kubectl get pods -n sandox -o jsonpath='{.items.metadata.name}' --selector app=productpage) -o json | jq -r '.dynamicActiveSecrets[0].secrets.tlsCertificate.certificateChain inlineBytes' | base64 --decode | openssl x509 --text -noout | vim --