Introduction

In our previous blog, we explored service mesh configuration using the user interface. Here we will see how Istio manages certificates for the cluster. This blog covers the work left over from Part 1, where we explored how Istio itself creates and manages certificates for the cluster. We will see various ways in which Istio can integrate external certificate authorities.
Terms to be known
- Registration Authority (RA): its key role is to validate requests, approve them, and pass valid ones on to be signed.
- Certificate Authority (CA): signs workload requests after the RA has approved them.
- Public Key Infrastructure (PKI): the framework of keys, certificates and associated crypto-mechanisms used to issue, distribute and validate public keys.
- Certificate Signing Request (CSR): a specially formatted, signed message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA).
Kubernetes CSR Integration: when the CA is not Istiod
- The private key stays with the requester in the cluster; it is not stored in a Secret.
- Steps of a Kubernetes CSR:
  - A service or kubectl controller (the requester) creates the CSR
  - An approver approves it on the basis of its content and the requester
  - A signer signs the request
  - The requester (service) reads the signed certificate

As you can see here in the picture:

Kubernetes CSR with cert-manager
- In Istio it is almost the same:
  - The CSR is requested by the service / kubectl controller over gRPC to Istiod
  - Istiod creates the CSR object (as requester) and approves the request
  - Instead of Kubernetes, cert-manager signs the request
  - Istiod reads the signed certificate
  - Istiod responds to the service with the signed certificate
Note: Kubernetes and Istio work on the same plane, so having Kubernetes itself sign the certificates can be problematic.



Here we have used cert-manager to sign the certificates, with Istiod acting as the CA towards the workloads, by setting the following in the yaml:
  - name: K8S_SIGNER
    value: issuers.cert-manager.io/istio-system.istio-ca
The Istio CA issuer can itself be backed by another issuer, such as Vault by HashiCorp.
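An added example, not the post's own yaml, of the full wiring behind that K8S_SIGNER value: the cert-manager Issuer it names and the IstioOperator settings around it. The Secret name, the EXTERNAL_CA mode value and the caCertificates trust root are assumptions, and the PEM body is a placeholder.

```yaml
# cert-manager Issuer that K8S_SIGNER points at (signer name format is
# issuers.cert-manager.io/<namespace>.<name>); assumed to be backed by a
# Secret "istio-ca" holding the signing CA's tls.crt / tls.key
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  ca:
    secretName: istio-ca
---
# IstioOperator overlay: Istiod stops signing itself and acts as RA,
# forwarding approved CSRs to the signer above via the Kubernetes CSR API.
# Workloads must also trust that CA's root, so it is published through
# meshConfig.caCertificates (the PEM body is a placeholder for root-cert.pem).
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    caCertificates:
      - pem: |
          -----BEGIN CERTIFICATE-----
          <root-cert.pem contents go here>
          -----END CERTIFICATE-----
        certSigners:
          - issuers.cert-manager.io/istio-system.istio-ca
  components:
    pilot:
      k8s:
        env:
          # Istiod RA mode backed by the Kubernetes CSR API (assumed value)
          - name: EXTERNAL_CA
            value: ISTIOD_RA_KUBERNETES_API
          - name: K8S_SIGNER
            value: issuers.cert-manager.io/istio-system.istio-ca
```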
Istio-CSR: no involvement of Istiod



Using Vault
- Run a Vault pod on your cluster
$ helm install vault hashicorp/vault --namespace vault --create-namespace
NAME: vault
LAST DEPLOYED: Mon Aug 8 14:27:28 2022
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://www.vaultproject.io/docs/
Your release is named vault. To learn more about the release, try:
$ helm status vault
$ helm get manifest vault
$ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6d4b75cb6d-djq4p 1/1 Running 0 23m
kube-system etcd-minikube 1/1 Running 0 23m
kube-system kube-apiserver-minikube 1/1 Running 0 23m
kube-system kube-controller-manager-minikube 1/1 Running 1 (23m ago) 23m
kube-system kube-proxy-qmbz4 1/1 Running 0 23m
kube-system kube-scheduler-minikube 1/1 Running 0 23m
kube-system storage-provisioner 1/1 Running 1 (22m ago) 23m
vault vault-0 0/1 Running 0 7m4s
vault vault-agent-injector-5d4c695bf4-4xttt 1/1 Running 0 7m4s
Follow this page for the Vault setup: https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager
- Install the jetstack cert-manager on the cluster
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --wait
Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Mon Aug 8 14:41:20 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.9.1 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
- Create a Secret holding the certificate authority for your organisation. Here I am using the root-cert.pem created for the custom CA with the Makefile, as shown above.
$ kubectl create secret generic istio-root-certs --from-file=root-cert.pem=certs/root-cert -n cert-manager
secret/istio-root-certs created
- Now we provide the Issuer so that cert-manager knows how to talk to Vault. First create the namespace istio-system.
Note: For the token, we use the private key for the PKI; here I am using the root-key.pem created for Istio. The base64 -w 0 removes the line wrapping so the value can be used as the token.
$ cat root-key.pem | base64 -w 0; echo
$ kubectl create namespace istio-system
namespace/istio-system created
$ kubectl apply -f vault-secret.yaml
secret/vault-token created
$ kubectl apply -f vault-issuer.yaml
issuer.cert-manager.io/vault created
- Next, install istio-csr configured to use Vault as the issuer
$ helm upgrade -i cert-manager-istio-csr jetstack/cert-manager-istio-csr --namespace cert-manager --values istio-csr-values.yaml
Release "cert-manager-istio-csr" has been upgraded. Happy Helming!
NAME: cert-manager-istio-csr
LAST DEPLOYED: Tue Aug 9 11:45:02 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 3
TEST SUITE: None
- Now we apply the Istio configuration, giving the istio-csr network address and disabling Istiod as CA server.
$ istioctl install -f istio-config.yaml --verify -y
- Once Istio is up and running, we add the authentication rule
$ kubectl apply -f STRICTpeerauthentication.yaml
- Then we run the example application
$ kubectl create namespace sandbox
$ kubectl label namespace sandbox istio-injection=enabled
$ kubectl apply -f bookinfo.yaml
- Wait for the pod to come up
$ kubectl wait --for=condition=ready pod -l app=productpage -n sandbox
- Inspect the certificate that was created
$ istioctl proxy-config secret -n sandbox $(kubectl get pods -n sandbox -o jsonpath='{.items[0].metadata.name}' --selector app=productpage) -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode | openssl x509 -text -noout | vim -
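The steps above apply vault-issuer.yaml, istio-csr-values.yaml and istio-config.yaml without showing them; what follows is an added example of plausible contents, not the post's own files. It assumes Vault's PKI engine is mounted at pki/ with a role named istio-ca, that the Helm-installed Vault is reachable over plain HTTP in-cluster, and that the Helm keys are those of the jetstack/cert-manager-istio-csr chart.

```yaml
# vault-issuer.yaml: cert-manager forwards CSRs to this Vault PKI role,
# authenticating with the token stored in Secret vault-token (vault-secret.yaml)
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault
  namespace: istio-system
spec:
  vault:
    server: http://vault.vault.svc:8200   # assumed in-cluster address
    path: pki/sign/istio-ca               # assumed mount and role name
    auth:
      tokenSecretRef:
        name: vault-token
        key: token
---
# istio-csr-values.yaml: sign through the Issuer above and serve workloads
# the trust root from the istio-root-certs Secret created earlier
app:
  certmanager:
    namespace: istio-system
    issuer:
      name: vault
      kind: Issuer
      group: cert-manager.io
  tls:
    rootCAFile: /var/run/secrets/istio-csr/root-cert.pem
volumes:
  - name: root-ca
    secret:
      secretName: istio-root-certs
volumeMounts:
  - name: root-ca
    mountPath: /var/run/secrets/istio-csr
---
# istio-config.yaml: sidecars request certificates from istio-csr and
# Istiod's built-in CA server is switched off (the istiod serving-cert
# mounts shown in the istio-csr docs are omitted here)
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      caAddress: cert-manager-istio-csr.cert-manager.svc:443
  components:
    pilot:
      k8s:
        env:
          - name: ENABLE_CA_SERVER
            value: "false"
```

With this in place the certificate dumped by the command above should show the Vault role as issuer, which is the quickest check that the sidecar really got its identity from the external CA rather than from Istiod.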