In our old blog, we explored service mesh configuration using User Interface. Here, we will see how istio is able to manage certification for cluster. This blog covers left work of Part -1 where we explored on how istio itself creates certificates for cluster and manage certificates for cluster. We will see various ways the istio can add external certifications.
Terms to be known
Registration Authority(RA): key role to approve requests and sign the request if valid.
Certification Authority(CA): signing workload requests after RA approves it.
Public Key Infrastructure (PKI): a framework that enables the encryption of public keys and includes their affiliated crypto-mechanisms.
Certificate Signing Request (CSR): a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA).
Kubernetes CSR Integration : When CA is not Istiod
the private key in cluster is not stored a secret
steps of K8s CSR
CSR request by a Service/kubectl controller (requester)
Approver approves on basis of content and requester
Signer signs the request
Signed certificate read by servce (requester)
As you can see here in the picture
Kubernetes CSR with cert manager
In Istio it is almost same:
CSR requested by service / kubectl controller by gRPC to istiod
the istio ca can be backed up some other issuer like vault by hashicorp.
Istio-CSR : no involvement of Istiod
Using Vault
run vault pod on your cluster
$ helm install vault hashicorp/vault --namespace vault --create-namespace
NAME: vault
LAST DEPLOYED: Mon Aug 8 14:27:28 2022
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://www.vaultproject.io/docs/
Your release is named vault. To learn more about the release, try:
$ helm status vault
$ helm get manifest vault
$ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6d4b75cb6d-djq4p 1/1 Running 0 23m
kube-system etcd-minikube 1/1 Running 0 23m
kube-system kube-apiserver-minikube 1/1 Running 0 23m
kube-system kube-controller-manager-minikube 1/1 Running 1 (23m ago) 23m
kube-system kube-proxy-qmbz4 1/1 Running 0 23m
kube-system kube-scheduler-minikube 1/1 Running 0 23m
kube-system storage-provisioner 1/1 Running 1 (22m ago) 23m
vault vault-0 0/1 Running 0 7m4s
vault vault-agent-injector-5d4c695bf4-4xttt 1/1 Running 0 7m4s
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --wait
Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Mon Aug 8 14:41:20 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.9.1 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
Create secret of certificate authority for your organistaion, here I am using the root-cert.pem created for custom CA using istiod in above ways to using CA using makefile.
Now we provide the issuer to cert manager to know how to talk to vault. First create namespace istio-system
Note: For token, we use the private key for pki, here I am using the root-key.pem created for istio. the base64 -w 0 removes the formating for using as token.
$ cat root-key.pem | base64 -w 0; echo
$ kubectl create namespace istio-system
namespace/istio-system created
$ kubectl apply -f vault-secret.yaml
secret/vault-token created
$ kubectl apply -f vault-issuer.yaml
issuer.cert-manager.io/vault created
Next installing istio csr configured to use vault as issuer
$ helm upgrade -i cert-manager-istio-csr jetstack/cert-manager-istio-csr --namespace cert-manager --values istio-csr-values.yaml
Release "cert-manager-istio-csr" has been upgraded. Happy Helming!
NAME: cert-manager-istio-csr
LAST DEPLOYED: Tue Aug 9 11:45:02 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 3
TEST SUITE: None
Now we have istio configurations, giving istio-csr network address and disabling istiod as CA Server.
Vaibhav Kumar is a DevOps Engineer at Knoldus | Part of Nashtech with experience in architecting and automating integral deployments over infrastructure. Proficient in Jenkins, Git, AWS and in developing CI pipelines. Able to perform configuration management using ansible and infrastructure management using terraform. Like to script and do developing in Python. Other than AWS, have an experience in Google Cloud, Azure cloud services. Other than Jenkins, CI/CD in Azure Pipelines, GitHub Actions, Teamcity. Loves to explore new technologies and ways to improve work with automation.
